diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 3556140f8dc..9599facd4e1 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,6 +1,6 @@
 # Everything outside of packages is maintained by the ecosystem team.
 * @elastic/ecosystem
-/packages/*
+/packages/
 # CODEOWNERS file is checked by CI.
 /.github/CODEOWNERS
@@ -35,11 +35,13 @@
 /packages/cisco_duo @elastic/security-external-integrations
 /packages/cisco_ftd @elastic/security-external-integrations
 /packages/cisco_ios @elastic/security-external-integrations
+/packages/cisco_ise @elastic/security-external-integrations
 /packages/cisco @elastic/security-external-integrations
 /packages/cisco_meraki @elastic/security-external-integrations
 /packages/cisco_nexus @elastic/security-external-integrations
 /packages/cisco_secure_endpoint @elastic/security-external-integrations
 /packages/cisco_umbrella @elastic/security-external-integrations
+/packages/cloud_security_posture @elastic/cloud-security-posture
 /packages/cloudflare @elastic/security-external-integrations
 /packages/cockroachdb @elastic/integrations
 /packages/containerd @elastic/obs-cloudnative-monitoring
diff --git a/dev/codeowners/codeowners.go b/dev/codeowners/codeowners.go
index 8c0d6e11b91..08a95f53672 100644
--- a/dev/codeowners/codeowners.go
+++ b/dev/codeowners/codeowners.go
@@ -103,6 +103,13 @@ func (codeowners *githubOwners) checkSingleField(field string) error {
 if matches || strings.HasPrefix(field, path) {
 return fmt.Errorf("%q would remove owners for %q", field, path)
 }
+
+ if strings.HasPrefix(path, field) { _, err := filepath.Rel(field, path) if err == nil { return fmt.Errorf("%q would remove owners for %q", field, path) }
+ }
 }
 // Excluding other files is fine.
diff --git a/dev/codeowners/codeowners_test.go b/dev/codeowners/codeowners_test.go
index 6a1ec32fb1a..61b48615033 100644
--- a/dev/codeowners/codeowners_test.go
+++ b/dev/codeowners/codeowners_test.go
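Review bot: The switch from `/packages/*` to `/packages/` changes what the ownerless line clears — a trailing-slash pattern applies to the whole subtree, whereas `/packages/*` applied only to direct children — so a package directory with no explicit entry below now has no owner at all instead of falling back to `* @elastic/ecosystem`, and where branch protection requires a code-owner review none is demanded for it. That is worth stating next to the line, since the comment above only explains the catch-all: `# Ownerless /packages/ clears the catch-all for the whole tree; every package needs its own entry below.`. Presumably the CI check in `dev/codeowners` is what enforces per-package entries, but that cannot be confirmed from this diff.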
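Review bot: The `filepath.Rel` call in the new block does not narrow `strings.HasPrefix(path, field)`: `Rel` succeeds for any two rooted paths and simply returns a `../…` result when `path` is a sibling rather than a descendant, so an ownerless `/packages/ci` is reported as removing owners for `/packages/cisco` even though that CODEOWNERS pattern never covers it. A separator-aware containment test does what was intended and drops the OS-specific `filepath` call (CODEOWNERS patterns always use `/`): `if path == field || strings.HasPrefix(path, strings.TrimSuffix(field, "/")+"/") {` in place of the outer condition, with the `filepath.Rel` and `err == nil` lines removed. The pre-existing `strings.HasPrefix(field, path)` on the context line above has the mirror-image trap (an ownerless `/packages/cisco_ise` flagged against an owned `/packages/cisco`), should that be fixed in the same pass. The codeowners_test.go hunk adds only the wildcard case; a valid fixture with an owned `/testdata/devexp` followed by an ownerless `/testdata/dev` would pin the containment rule. checkSingleField begins and ends outside the hunk.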
@@ -99,6 +99,10 @@ func TestReadGithubOwners(t *testing.T) {
 codeownersPath: "testdata/CODEOWNERS-invalid-override",
 valid: false,
 },
+ { codeownersPath: "testdata/CODEOWNERS-invalid-override-wildcard", valid: false,
+ },
 }
 for _, c := range cases {
diff --git a/dev/codeowners/testdata/CODEOWNERS-invalid-override b/dev/codeowners/testdata/CODEOWNERS-invalid-override
index fce387f1adb..38ebc75e541 100644
--- a/dev/codeowners/testdata/CODEOWNERS-invalid-override
+++ b/dev/codeowners/testdata/CODEOWNERS-invalid-override
@@ -1,5 +1,5 @@
 # This is not valid because there is an override that would remove owners of a directory.
 /testdata/devexp @elastic/integrations @elastic/integrations-developer-experience
-/testdata/*
+/testdata/
diff --git a/dev/codeowners/testdata/CODEOWNERS-invalid-override-wildcard b/dev/codeowners/testdata/CODEOWNERS-invalid-override-wildcard
new file mode 100644
index 00000000000..fce387f1adb
--- /dev/null
+++ b/dev/codeowners/testdata/CODEOWNERS-invalid-override-wildcard
@@ -0,0 +1,5 @@
+# This is not valid because there is an override that would remove owners of a directory.
+/testdata/devexp @elastic/integrations @elastic/integrations-developer-experience
+/testdata/*
+
diff --git a/dev/codeowners/testdata/CODEOWNERS-multiple-owners b/dev/codeowners/testdata/CODEOWNERS-multiple-owners
index 3df2bd60d50..b13c5e1ecae 100644
--- a/dev/codeowners/testdata/CODEOWNERS-multiple-owners
+++ b/dev/codeowners/testdata/CODEOWNERS-multiple-owners
@@ -1,4 +1,5 @@
 # This is a valid test file with multiple owners for a path
 /testdata/devexp @elastic/integrations @elastic/integrations-developer-experience
+/testdata/devexp/manifest.yml @elastic/integrations
 /testdata/integration @elastic/integrations
diff --git a/dev/codeowners/testdata/CODEOWNERS-valid b/dev/codeowners/testdata/CODEOWNERS-valid
index ea4fd56d973..c755a2c130d 100644
--- a/dev/codeowners/testdata/CODEOWNERS-valid
+++ b/dev/codeowners/testdata/CODEOWNERS-valid
@@ -1,7 +1,7 @@
 # This is a valid test file
 * @elastic/ecosystem
-/testdata/*
+/testdata/
 /testdata/devexp @elastic/integrations-developer-experience
 /testdata/integration @elastic/integrations
diff --git a/go.mod b/go.mod
index c368fa0c756..c8e19e7138a 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.17
 require (
 github.com/blang/semver v3.5.1+incompatible
- github.com/elastic/elastic-package v0.46.0
+ github.com/elastic/elastic-package v0.47.0
 github.com/elastic/package-registry v1.8.0
 github.com/magefile/mage v1.13.0
 github.com/pkg/errors v0.9.1
@@ -146,17 +146,17 @@ require (
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
- helm.sh/helm/v3 v3.8.1 // indirect
+ helm.sh/helm/v3 v3.8.2 // indirect
 howett.net/plist v0.0.0-20201203080718-1454fab16a06 // indirect
- k8s.io/api v0.23.5 // indirect
- k8s.io/apiextensions-apiserver v0.23.4 // indirect
- k8s.io/apimachinery v0.23.5 // indirect
- k8s.io/cli-runtime v0.23.5 // indirect
- k8s.io/client-go v0.23.5 // indirect
- k8s.io/component-base v0.23.4 // indirect
+ k8s.io/api v0.23.6 // indirect
+ k8s.io/apiextensions-apiserver v0.23.5 // indirect
+ k8s.io/apimachinery v0.23.6 // indirect
+ k8s.io/cli-runtime v0.23.6 // indirect
+ k8s.io/client-go v0.23.6 // indirect
+ k8s.io/component-base v0.23.5 // indirect
 k8s.io/klog/v2 v2.30.0 // indirect
 k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
- k8s.io/kubectl v0.23.4 // indirect
+ k8s.io/kubectl v0.23.5 // indirect
 k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 // indirect
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 sigs.k8s.io/kustomize/api v0.10.1 // indirect
diff --git a/go.sum b/go.sum
index 89176c36a47..804bfb8ab06 100644
--- a/go.sum
+++ b/go.sum
@@ -1,4 +1,5 @@ bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= +bazil.org/fuse v0.0.0-20200407214033-5883e5a4b512/go.mod h1:FbcW6z/2VytnFDhZfumh8Ss8zxHE6qpMP5sHTRe0EaM= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= @@ -48,6 +49,7 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20210715213245-6c3934b029d8/go.mod h1:CzsSbkDixRphAF5hS6wbMKq0eI6ccJRb7/A0M6JBnwg= github.com/AlecAivazis/survey/v2 v2.3.4 h1:pchTU9rsLUSvWEl2Aq9Pv3k0IE2fkqtGxazskAMd9Ng= github.com/AlecAivazis/survey/v2 v2.3.4/go.mod h1:hrV6Y/kQCLhIZXGcriDCUBtB3wnN7156gMXJ3+b23xM= github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= 
@@ -90,7 +92,7 @@ github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= github.com/Masterminds/squirrel v1.5.2/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= -github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA= +github.com/Masterminds/vcs v1.13.3/go.mod h1:TiE7xuEjl1N4j016moRd6vezp6e6Lz23gypeXfzXeW8= github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= 
@@ -109,9 +111,10 @@ github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg3 github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg= github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00= github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600= +github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg= -github.com/Microsoft/hcsshim v0.9.1/go.mod h1:Y/0uV2jUab5kBI7SQgl62at0AVX7uaruzADAVmxm3eM= +github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU= github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= 
@@ -147,6 +150,7 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= +github.com/alexflint/go-filemutex v1.1.0/go.mod h1:7P4iRhttt/nUvUOrYIhcpMzv2G6CY9UnI16Z+UJqRyk= github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY= 
@@ -193,10 +197,12 @@ github.com/boumenot/gocover-cobertura v1.2.0/go.mod h1:fz7ly8dslE42VRR5ZWLt2OHGD github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= +github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= 
@@ -210,6 +216,7 @@ github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 h1:7aWHqerlJ41 github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5/go.mod h1:/iP1qXHoty45bqomnu2LM+VVyAEdWN+vtSHGlQgyxbw= github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= +github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= @@ -218,6 +225,7 @@ github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLI github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs= github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= +github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 
@@ -249,12 +257,13 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= -github.com/containerd/cgroups v1.0.2/go.mod h1:qpbpJ1jmlqsR9f2IyaLPsdkCdnt0rbDVqIDlhuu5tRY= +github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8= github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw= github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= +github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= 
@@ -270,7 +279,8 @@ github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09Zvgq github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c= -github.com/containerd/containerd v1.5.9/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ= +github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= +github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= @@ -278,6 +288,7 @@ github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cE github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y= github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ= github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM= +github.com/containerd/continuity v0.2.2/go.mod h1:pWygW9u7LtS1o4N/Tn0FoCFDIXZ7rxcMX7HX1Dmibvk= github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0= 
@@ -286,6 +297,8 @@ github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1S github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZHtSlv++smU= github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk= +github.com/containerd/go-cni v1.1.0/go.mod h1:Rflh2EJ/++BA2/vY5ao3K6WJRR/bZKsX123aPk+kUtA= +github.com/containerd/go-cni v1.1.3/go.mod h1:Rflh2EJ/++BA2/vY5ao3K6WJRR/bZKsX123aPk+kUtA= github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g= @@ -295,6 +308,7 @@ github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA= github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow= github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms= +github.com/containerd/imgcrypt v1.1.3/go.mod h1:/TPA1GIDXMzbj01yd8pIbQiLdQxed5ue1wb8bP7PQu4= github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c= github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= 
@@ -317,16 +331,20 @@ github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNR github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= +github.com/containernetworking/cni v1.0.1/go.mod h1:AKuhXbN5EzmD4yTNtfSsX3tPcmtrBI6QcRV0NiNt15Y= github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM= github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= +github.com/containernetworking/plugins v1.0.1/go.mod h1:QHCfGpaTwYTbbH+nZXKVTxNBDZcxSOplJT5ico8/FLE= github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= +github.com/containers/ocicrypt v1.1.2/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= +github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod 
h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= @@ -391,8 +409,8 @@ github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj6 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elastic/elastic-package v0.46.0 h1:mTuCbgtyct0GMomQUUyv7bGITkxW4vv0nZcWcnn2Nus= -github.com/elastic/elastic-package v0.46.0/go.mod h1:WXi1J8v6NRM1kZR3ErLeCoDYW1lfEaCQV3C9Lt9dMVw= +github.com/elastic/elastic-package v0.47.0 h1:b6l41apd7GvkH0wLYys5D+Vp2ljtLWKEmpButiN7Ags= +github.com/elastic/elastic-package v0.47.0/go.mod h1:8VkXZRhP6xS+yQYDPEOgrY7WsczjR8KoImxo46Gcf10= github.com/elastic/go-elasticsearch/v7 v7.17.1 h1:49mHcHx7lpCL8cW1aioEwSEVKQF3s+Igi4Ye/QTWwmk= github.com/elastic/go-elasticsearch/v7 v7.17.1/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4= github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ= 
@@ -486,9 +504,13 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.1/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2 h1:ahHml/yUpnlb96Rp8HCvtYVPY8ZYpxq3g7UYchIYwbs= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/stdr v1.2.0/go.mod h1:YkVgnZu1ZjjL7xTxrfm/LLZBfkhTqSR1ydtm6jTKKwI= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/errors v0.20.1 h1:j23mMDtRxMwIobkpId7sWh7Ddcx4ivaoqUbfXx5P+a8= 
@@ -519,6 +541,7 @@ github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-stack/stack v1.8.1 h1:ntEHSVwIt7PNXNpgPmVfMrNhLtgjlmnZha2kOpuRiDw= github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= @@ -552,6 +575,7 @@ github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblf github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4= github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godror/godror v0.24.2/go.mod h1:wZv/9vPiUib6tkoDl+AZ/QLf5YZgMravZ7jxH2eQWAE= github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= 
@@ -702,6 +726,7 @@ github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyN github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= @@ -713,6 +738,7 @@ github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iP github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= 
@@ -751,7 +777,9 @@ github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/intel/goresctrl v0.2.0/go.mod h1:+CZdzouYFn5EsxgqAQTEzMfwKwuc0fVdMrT9FCCAVRQ= github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA= +github.com/j-keck/arping v1.0.2/go.mod h1:aJbELhR92bSk7tp79AWM/ftfc90EfEi2bQJrbBFOsPw= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jcchavezs/porto v0.1.0/go.mod h1:fESH0gzDHiutHRdX2hv27ojnOVFco37hg1W6E9EZF4A= @@ -920,7 +948,9 @@ github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0Gq github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= +github.com/moby/sys/signal v0.6.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg= github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ= +github.com/moby/sys/symlink v0.2.0/go.mod h1:7uZVF2dqJjG/NsClqul95CqKOBRQyYSNnJ6BMgR/gFs= github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc= 
@@ -949,8 +979,9 @@ github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249/go.mod h1:mpRZBD8SJ55 github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0= github.com/nwaples/rardecode v1.1.2 h1:Cj0yZY6T1Zx1R7AhTbyGSALm44/Mmq+BAPc4B/p/d3M= github.com/nwaples/rardecode v1.1.2/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0= -github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= 
@@ -966,8 +997,10 @@ github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+ github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA= +github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= +github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 
@@ -975,8 +1008,9 @@ github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.10.3 h1:gph6h/qe9GSUw1NhH1gp+qb+h8rXD8Cy60Z32Qw3ELA= github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= +github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU= +github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0= github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= @@ -984,6 +1018,7 @@ github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go. github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= 
@@ -991,6 +1026,7 @@ github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0= github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= +github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= @@ -1001,6 +1037,7 @@ github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mo github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE= github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo= github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= +github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= 
@@ -1048,6 +1085,7 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -1079,13 +1117,16 @@ github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= +github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig= github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis= github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw= github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= +github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= 
@@ -1162,6 +1203,7 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= +github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/ulikunitz/xz v0.5.9/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= 
@@ -1174,9 +1216,11 @@ github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= +github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= +github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0= 
@@ -1251,16 +1295,25 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= +go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs= go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.3.0/go.mod h1:VpP4/RMn8bv8gNo9uK7/IMY4mtWLELsS+JIP0inH0h4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.3.0/go.mod h1:hO1KLR7jcKaDDKDkvI9dP/FIhpmna5lkqPUQdEjFAM8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.3.0/go.mod h1:keUU7UfnwWTWpJ+FWnyqmogPa82nuU5VUANFq49hlMY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.3.0/go.mod h1:QNX1aly8ehqqX1LEa6YniTU7VY9I6R3X/oPxhGdTceE= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= +go.opentelemetry.io/otel/sdk v1.3.0/go.mod h1:rIo4suHNhQwBIPg9axF8V9CA72Wz2mKF1teNrup8yzs= go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE= go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod 
h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= +go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= go.starlark.net v0.0.0-20211203141949-70c0e40ae128 h1:bxH+EXOo87zEOwKDdZ8Tevgi6irRbqheRm/fr293c58= go.starlark.net v0.0.0-20211203141949-70c0e40ae128/go.mod h1:t3mmBBPzAVvK0L0n1drDmrQsJ8FoIx4INCqVMTr/Zo0= @@ -1269,8 +1322,9 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= +go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= 
@@ -1302,6 +1356,7 @@ golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= @@ -1408,7 +1463,9 @@ golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5o golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= +golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 
@@ -1416,6 +1473,7 @@ golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220107192237-5cfca573fb4d h1:62NvYBuaanGXR2ZOfwDFkhhl6X1DUgf8qg3GuQvxZsE= golang.org/x/net v0.0.0-20220107192237-5cfca573fb4d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -1532,6 +1590,7 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201202213521-69691e467435/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1544,6 +1603,7 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -1558,6 +1618,8 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210903071746-97244b99971b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1565,12 +1627,14 @@ golang.org/x/sys v0.0.0-20211015200801-69063c4bb744/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= 
@@ -1661,6 +1725,7 @@ golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3/go.mod h1:z6u4i615ZeAfBE4X golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= 
@@ -1885,12 +1950,12 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= -gotest.tools/gotestsum v1.7.0/go.mod h1:V1m4Jw3eBerhI/A6qCxUE07RnCg7ACkKj9BYcAm09V8= +gotest.tools/gotestsum v1.8.0/go.mod h1:ctqdxBSCPv80kAFjYvFNpPntBrE5HAQnLiOKBGLmOBs= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= -helm.sh/helm/v3 v3.8.1 h1:J1EzhvtvKJRdx9skjUVe5xPN7KK2VA1mVxiQ9Ic5+oU= -helm.sh/helm/v3 v3.8.1/go.mod h1:Nm0Z2ciZFFvR9cRKpiRE2SMhJTgqY0b+ezT2cDcyqNw= +helm.sh/helm/v3 v3.8.2 h1:HDhe2nKek976VLMPZlIgJbNqwcqvHYBp1qy+sXQ4jiY= +helm.sh/helm/v3 v3.8.2/go.mod h1:NxtE2KObf2PrzDl6SIamPFPKyAqWi10iWuvKlQn/Yao= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -1905,42 +1970,49 @@ howett.net/plist v0.0.0-20201203080718-1454fab16a06/go.mod h1:vMygbs4qMhSZSc4lCU k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= -k8s.io/api v0.23.4/go.mod h1:i77F4JfyNNrhOjZF7OwwNJS5Y1S9dpwvb9iYRYRczfI= -k8s.io/api v0.23.5 h1:zno3LUiMubxD/V1Zw3ijyKO3wxrhbUF1Ck+VjBvfaoA= +k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs= k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8= -k8s.io/apiextensions-apiserver v0.23.4 h1:AFDUEu/yEf0YnuZhqhIFhPLPhhcQQVuR1u3WCh0rveU= -k8s.io/apiextensions-apiserver v0.23.4/go.mod h1:TWYAKymJx7nLMxWCgWm2RYGXHrGlVZnxIlGnvtfYu+g= +k8s.io/api v0.23.6 h1:yOK34wbYECH4RsJbQ9sfkFK3O7f/DUHRlzFehkqZyVw= +k8s.io/api v0.23.6/go.mod h1:1kFaYxGCFHYp3qd6a85DAj/yW8aVD6XLZMqJclkoi9g= +k8s.io/apiextensions-apiserver v0.23.5 h1:5SKzdXyvIJKu+zbfPc3kCbWpbxi+O+zdmAJBm26UJqI= +k8s.io/apiextensions-apiserver v0.23.5/go.mod h1:ntcPWNXS8ZPKN+zTXuzYMeg731CP0heCTl6gYBxLcuQ= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= -k8s.io/apimachinery v0.23.4/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= -k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0= +k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= +k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U= k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= +k8s.io/apimachinery v0.23.6 h1:RH1UweWJkWNTlFx0D8uxOpaU1tjIOvVVWV/bu5b3/NQ= +k8s.io/apimachinery v0.23.6/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= k8s.io/apiserver v0.20.1/go.mod 
h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= -k8s.io/apiserver v0.23.4/go.mod h1:A6l/ZcNtxGfPSqbFDoxxOjEjSKBaQmE+UTveOmMkpNc= -k8s.io/cli-runtime v0.23.4/go.mod h1:7KywUNTUibmHPqmpDFuRO1kc9RhsufHv2lkjCm2YZyM= -k8s.io/cli-runtime v0.23.5 h1:Z7XUpGoJZYZB2uNjQfJjMbyDKyVkoBGye62Ap0sWQHY= +k8s.io/apiserver v0.22.5/go.mod h1:s2WbtgZAkTKt679sYtSudEQrTGWUSQAPe6MupLnlmaQ= +k8s.io/apiserver v0.23.5/go.mod h1:7wvMtGJ42VRxzgVI7jkbKvMbuCbVbgsWFT7RyXiRNTw= k8s.io/cli-runtime v0.23.5/go.mod h1:oY6QDF2qo9xndSq32tqcmRp2UyXssdGrLfjAVymgbx4= +k8s.io/cli-runtime v0.23.6 h1:zvsGa4An+udUnznKSfD1Q17sETWHNOaMqYKHwHCvg+4= +k8s.io/cli-runtime v0.23.6/go.mod h1:0Z3VR/HRIFKiLzKIAkm1mPtcH98GT/fXu2IU0E4vFmw= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= -k8s.io/client-go v0.23.4/go.mod h1:PKnIL4pqLuvYUK1WU7RLTMYKPiIh7MYShLshtRY9cj0= -k8s.io/client-go v0.23.5 h1:zUXHmEuqx0RY4+CsnkOn5l0GU+skkRXKGJrhmE2SLd8= +k8s.io/client-go v0.22.5/go.mod h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y= k8s.io/client-go v0.23.5/go.mod h1:flkeinTO1CirYgzMPRWxUCnV0G4Fbu2vLhYCObnt/r4= +k8s.io/client-go v0.23.6 h1:7h4SctDVQAQbkHQnR4Kzi7EyUyvla5G1pFWf4+Od7hQ= +k8s.io/client-go v0.23.6/go.mod h1:Umt5icFOMLV/+qbtZ3PR0D+JA6lvvb3syzodv4irpK4= k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0= -k8s.io/code-generator v0.23.4/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= +k8s.io/code-generator v0.23.5/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI= 
k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= -k8s.io/component-base v0.23.4 h1:SziYh48+QKxK+ykJ3Ejqd98XdZIseVBG7sBaNLPqy6M= -k8s.io/component-base v0.23.4/go.mod h1:8o3Gg8i2vnUXGPOwciiYlkSaZT+p+7gA9Scoz8y4W4E= -k8s.io/component-helpers v0.23.4/go.mod h1:1Pl7L4zukZ054ElzRbvmZ1FJIU8roBXFOeRFu8zipa4= +k8s.io/component-base v0.22.5/go.mod h1:VK3I+TjuF9eaa+Ln67dKxhGar5ynVbwnGrUiNF4MqCI= +k8s.io/component-base v0.23.5 h1:8qgP5R6jG1BBSXmRYW+dsmitIrpk8F/fPEvgDenMCCE= +k8s.io/component-base v0.23.5/go.mod h1:c5Nq44KZyt1aLl0IpHX82fhsn84Sb0jjzwjpcA42bY0= +k8s.io/component-helpers v0.23.5/go.mod h1:5riXJgjTIs+ZB8xnf5M2anZ8iQuq37a0B/0BgoPQuSM= k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc= +k8s.io/cri-api v0.23.1/go.mod h1:REJE3PSU0h/LOV1APBrupxrEJqnoxZC8KWzkBUHwrK4= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= 
@@ -1948,29 +2020,34 @@ k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAE k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= k8s.io/klog/v2 v2.30.0 h1:bUO6drIvCIsvZ/XFgfxoGFQU/a4Qkh0iAlvUR7vlHJw= k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= +k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 h1:E3J9oCLlaobFUqsjG9DfKbP2BmgwBL2p7pn0A3dG9W4= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= -k8s.io/kubectl v0.23.4 h1:mAa+zEOlyZieecEy+xSrhjkpMcukYyHWzcNdX28dzMY= -k8s.io/kubectl v0.23.4/go.mod h1:Dgb0Rvx/8JKS/C2EuvsNiQc6RZnX0SbHJVG3XUzH6ok= +k8s.io/kubectl v0.23.5 h1:DmDULqCaF4qstj0Im143XmncvqWtJxHzK8IrW2BzlU0= +k8s.io/kubectl v0.23.5/go.mod h1:lLgw7cVY8xbd7o637vOXPca/w6HC205KsPCRDYRCxwE= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -k8s.io/metrics v0.23.4/go.mod h1:cl6sY9BdVT3DubbpqnkPIKi6mn/F2ltkU4yH1tEJ3Bo= +k8s.io/metrics v0.23.5/go.mod h1:WNAtV2a5BYbmDS8+7jSqYYV6E3efuGTpIwJ8PTD1wgs= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils 
v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 h1:ZKMMxTvduyf5WUtREOqg5LiXaN1KO/+0oOQPRFrClpo= k8s.io/utils v0.0.0-20211208161948-7d6a63dca704/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -oras.land/oras-go v1.1.0/go.mod h1:1A7vR/0KknT2UkJVWh+xMi95I/AhK8ZrxrnUSmXN0bQ= +oras.land/oras-go v1.1.1/go.mod h1:n2TE1ummt9MUyprGhT+Q7kGZUF4kVUpYysPFxeV2IpQ= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= 
@@ -1983,6 +2060,7 @@ sigs.k8s.io/kustomize/kyaml v0.13.0/go.mod h1:FTJxEZ86ScK184NpGSAQcfEqee0nul8oLC sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y= sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= diff --git a/packages/apache_spark/_dev/build/docs/README.md b/packages/apache_spark/_dev/build/docs/README.md index 460b8406e49..80ae3d767a4 100644 --- a/packages/apache_spark/_dev/build/docs/README.md +++ b/packages/apache_spark/_dev/build/docs/README.md @@ -1,4 +1,4 @@ -# Apache Spark +# Apache Spark Integration The Apache Spark integration collects and parses data using the Jolokia Metricbeat Module. @@ -63,6 +63,30 @@ Follow the same set of steps for Spark Worker, Driver and Executor. ## Metrics +### Application + +This is the `application` data stream. + +{{event "application"}} + +{{fields "application"}} + +### Driver + +This is the `driver` data stream. + +{{event "driver"}} + +{{fields "driver"}} + +### Executor + +This is the `executor` data stream. + +{{event "executor"}} + +{{fields "executor"}} + ### Nodes This is the `nodes` data stream. diff --git a/packages/apache_spark/_dev/deploy/docker/Dockerfile b/packages/apache_spark/_dev/deploy/docker/Dockerfile deleted file mode 100644 index 49b5d24740c..00000000000 --- a/packages/apache_spark/_dev/deploy/docker/Dockerfile +++ /dev/null 
@@ -1,15 +0,0 @@ -ARG SERVICE_VERSION=${SERVICE_VERSION:-3.2.0} -FROM docker.io/bitnami/spark:${SERVICE_VERSION} - -ENV JOLOKIA_VERSION=1.6.0 -USER root - -COPY jolokia-configs /spark/conf/ -RUN mkdir /usr/share/java && \ - curl -o /usr/share/java/jolokia-agent.jar https://repo1.maven.org/maven2/org/jolokia/jolokia-jvm/$JOLOKIA_VERSION/jolokia-jvm-$JOLOKIA_VERSION-agent.jar && \ - echo 'export SPARK_MASTER_OPTS="$SPARK_MASTER_OPTS -javaagent:/usr/share/java/jolokia-agent.jar=config=/spark/conf/jolokia-master.properties"' >> "/opt/bitnami/spark/conf/spark-env.sh" - -RUN echo '*.sink.jmx.class=org.apache.spark.metrics.sink.JmxSink' >> "/opt/bitnami/spark/conf/metrics.properties" && \ - echo '*.source.jvm.class=org.apache.spark.metrics.source.JvmSource' >> "/opt/bitnami/spark/conf/metrics.properties" - -HEALTHCHECK --interval=1s --retries=90 CMD curl -f -s http://localhost:7777/jolokia/version diff --git a/packages/apache_spark/_dev/deploy/docker/application/wordcount.py b/packages/apache_spark/_dev/deploy/docker/application/wordcount.py new file mode 100644 index 00000000000..b3fee0f48c1 --- /dev/null +++ b/packages/apache_spark/_dev/deploy/docker/application/wordcount.py 
@@ -0,0 +1,44 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +import sys +import signal +import time + +from operator import add +from datetime import datetime + +from pyspark.sql import SparkSession + +if __name__ == "__main__": + if len(sys.argv) != 3: + print("Usage: wordcount ", file=sys.stderr) + sys.exit(-1) + + spark = SparkSession.builder.master(sys.argv[2]).appName("PythonWordCount").getOrCreate() + + t_end = time.time() + 60 * 15 + + # Run loop for 15 mins + while time.time() < t_end: + lines = spark.read.text(sys.argv[1]).rdd.map(lambda r: r[0]) + counts = lines.flatMap(lambda x: x.split(" ")).map(lambda x: (x, 1)).reduceByKey(add) + output = counts.collect() + for (word, count) in output: + print("%s: %i" % (word, count)) + + spark.stop() diff --git a/packages/apache_spark/_dev/deploy/docker/docker-compose.yml b/packages/apache_spark/_dev/deploy/docker/docker-compose.yml index 50d2e581018..9e901468298 100644 --- a/packages/apache_spark/_dev/deploy/docker/docker-compose.yml +++ b/packages/apache_spark/_dev/deploy/docker/docker-compose.yml 
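Review bot: `import signal` and `from datetime import datetime` are never used anywhere in the new wordcount.py and should be dropped; the module only references `sys`, `time`, `add` and `SparkSession`. The usage message `print("Usage: wordcount ", file=sys.stderr)` names no arguments — unless the placeholders were lost in rendering, `print("Usage: wordcount <file> <master>", file=sys.stderr)` would tell the caller what `sys.argv[1]` and `sys.argv[2]` are expected to be. `spark.stop()` only runs when the 15-minute loop exits normally; wrapping the loop in `try: ... finally: spark.stop()` would also release the session if `read.text` or `collect()` raises.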
@@ -1,9 +1,28 @@ -version: '2' +version: '2.3' services: apache_spark: hostname: apache-spark-main - build: - context: . - dockerfile: Dockerfile + image: docker.io/bitnami/spark@sha256:cb19b1bdebc0bc9dc20ea13f2109763be6a73b357b144a01efd94902540f6d27 ports: - 7777 + - 7779 + - 7780 + environment: + - SPARK_MAIN_URL=spark://apache-spark-main:7077 + - SPARK_WORKER_MEMORY=1024G + - SPARK_WORKER_CORES=8 + - SPARK_RPC_AUTHENTICATION_ENABLED=no + - SPARK_RPC_ENCRYPTION_ENABLED=no + - SPARK_LOCAL_STORAGE_ENCRYPTION_ENABLED=no + volumes: + - ./jolokia-agent:/usr/share/java/ + - ./application:/opt/bitnami/spark/examples/src/main/python/ + - ./jolokia-configs:/spark/conf/ + - ./docker-entrypoint/docker-entrypoint.sh:/opt/bitnami/scripts/spark/docker-entrypoint.sh + healthcheck: + interval: 1s + retries: 120 + timeout: 120s + test: |- + curl -f -s http://localhost:7777/jolokia/version -o /dev/null + entrypoint: /opt/bitnami/scripts/spark/docker-entrypoint.sh /opt/bitnami/scripts/spark/run.sh diff --git a/packages/apache_spark/_dev/deploy/docker/docker-entrypoint/docker-entrypoint.sh b/packages/apache_spark/_dev/deploy/docker/docker-entrypoint/docker-entrypoint.sh new file mode 100755 index 00000000000..ff8afc7756e --- /dev/null +++ b/packages/apache_spark/_dev/deploy/docker/docker-entrypoint/docker-entrypoint.sh 
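Review bot: The `SPARK_RPC_AUTHENTICATION_ENABLED=no`, `SPARK_RPC_ENCRYPTION_ENABLED=no` and `SPARK_LOCAL_STORAGE_ENCRYPTION_ENABLED=no` entries switch off RPC authentication and encryption for the whole stack without saying why; a comment above the `environment:` block, `# Test fixture only: RPC auth/encryption intentionally disabled, do not copy into a deployment compose file`, keeps the setting from being reused as a template. `SPARK_WORKER_MEMORY=1024G` looks like a typo for `1024M` — the worker advertises that amount to the master — and is worth confirming. The `ports` list publishes 7777, 7779 and 7780, but bigdata.ini in the same commit points the `Spark-Worker` stats URL at port 7778, which is not published here; if the worker's Jolokia endpoint is meant to be reachable by the test harness, `- 7778` is missing. The healthcheck's `timeout: 120s` is also far longer than its `interval: 1s`, so a hung `curl` can block a probe for two minutes; a timeout closer to the interval is the usual shape.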
@@ -0,0 +1,47 @@ +#!/bin/bash + +echo 'export SPARK_MASTER_OPTS="$SPARK_MASTER_OPTS -javaagent:/usr/share/java/jolokia-agent.jar=config=/spark/conf/jolokia-master.properties"' >> "/opt/bitnami/spark/conf/spark-env.sh" +echo 'export SPARK_WORKER_OPTS="$SPARK_WORKER_OPTS -javaagent:/usr/share/java/jolokia-agent.jar=config=/spark/conf/jolokia-worker.properties"' >> "/opt/bitnami/spark/conf/spark-env.sh" + +echo '*.sink.jmx.class=org.apache.spark.metrics.sink.JmxSink' >> "/opt/bitnami/spark/conf/metrics.properties" +echo '*.source.jvm.class=org.apache.spark.metrics.source.JvmSource' >> "/opt/bitnami/spark/conf/metrics.properties" + +echo 'spark.driver.extraJavaOptions -javaagent:/usr/share/java/jolokia-agent.jar=config=/spark/conf/jolokia-driver.properties' >> "/opt/bitnami/spark/conf/spark-defaults.conf" +echo 'spark.executor.extraJavaOptions -javaagent:/usr/share/java/jolokia-agent.jar=config=/spark/conf/jolokia-executor.properties' >> "/opt/bitnami/spark/conf/spark-defaults.conf" + +# shellcheck disable=SC1091 + +set -o errexit +set -o nounset +set -o pipefail +#set -o xtrace + +# Load libraries +. /opt/bitnami/scripts/libbitnami.sh +. /opt/bitnami/scripts/libspark.sh + +# Load Spark environment variables +eval "$(spark_env)" + +print_welcome_page + +if [ ! $EUID -eq 0 ] && [ -e "$LIBNSS_WRAPPER_PATH" ]; then + echo "spark:x:$(id -u):$(id -g):Spark:$SPARK_HOME:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "spark:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + echo "LD_PRELOAD=$LIBNSS_WRAPPER_PATH" >> "$SPARK_CONFDIR/spark-env.sh" +fi + +if [[ "$1" = "/opt/bitnami/scripts/spark/run.sh" ]]; then + info "** Starting Spark setup **" + /opt/bitnami/scripts/spark/setup.sh + info "** Spark setup finished! 
**" +fi + +eval "$(spark_env)" +cd /opt/bitnami/spark/sbin +./start-worker.sh $SPARK_MAIN_URL --cores $SPARK_WORKER_CORES --memory $SPARK_WORKER_MEMORY & +cd /opt/bitnami/spark/examples/src/main/python/ +/opt/bitnami/spark/bin/spark-submit wordcount.py wordcount.py $SPARK_MAIN_URL & + +echo "" +exec "$@" diff --git a/packages/apache_spark/_dev/deploy/docker/jolokia-agent/jolokia-agent.jar b/packages/apache_spark/_dev/deploy/docker/jolokia-agent/jolokia-agent.jar new file mode 100644 index 00000000000..45067065da3 Binary files /dev/null and b/packages/apache_spark/_dev/deploy/docker/jolokia-agent/jolokia-agent.jar differ diff --git a/packages/apache_spark/_dev/deploy/docker/jolokia-configs/bigdata.ini b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/bigdata.ini index b40173c1e37..051a1e2cb78 100644 --- a/packages/apache_spark/_dev/deploy/docker/jolokia-configs/bigdata.ini +++ b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/bigdata.ini @@ -1,2 +1,4 @@ -[Spark-Master] -stats: http://127.0.0.1:7777/jolokia/read \ No newline at end of file +[Spark-Master] +stats: http://127.0.0.1:7777/jolokia/read +[Spark-Worker] +stats: http://127.0.0.1:7778/jolokia/read \ No newline at end of file diff --git a/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-driver.properties b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-driver.properties new file mode 100644 index 00000000000..1890ea8439d --- /dev/null +++ b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-driver.properties @@ -0,0 +1,12 @@ +host=0.0.0.0 +port=7779 +agentContext=/jolokia +backlog=100 + +policyLocation=file:///spark/conf/jolokia.policy +historyMaxEntries=10 +debug=false +debugMaxEntries=100 +maxDepth=15 +maxCollectionSize=1000 +maxObjects=0 
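Review bot: The six `echo … >>` appends at the top of the script run before `set -o errexit`, `nounset` and `pipefail` are enabled, so a failed write to `spark-env.sh`, `metrics.properties` or `spark-defaults.conf` is ignored and the container comes up without the Jolokia agents; move them below the `set -o` block so that failure is fatal. Putting commands ahead of `# shellcheck disable=SC1091` also turns it from a file-wide directive into one that covers only the following `set -o errexit` line, so the sourced `/opt/bitnami/scripts/lib*.sh` lines are likely to trigger SC1091 again. The appends are unconditional, so a restart of the same container adds a second `-javaagent` entry to each file; a `grep -q` guard on the option name before each append keeps the script idempotent. The two background commands expand `$SPARK_MAIN_URL`, `$SPARK_WORKER_CORES` and `$SPARK_WORKER_MEMORY` unquoted; quote them so the values cannot be word-split.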
diff --git a/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-executor.properties b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-executor.properties new file mode 100644 index 00000000000..cd8fbe95bee --- /dev/null +++ b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-executor.properties @@ -0,0 +1,12 @@ +host=0.0.0.0 +port=7780 +agentContext=/jolokia +backlog=100 + +policyLocation=file:///spark/conf/jolokia.policy +historyMaxEntries=10 +debug=false +debugMaxEntries=100 +maxDepth=15 +maxCollectionSize=1000 +maxObjects=0 diff --git a/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-master.properties b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-master.properties index 1a57647fb0c..fcbd199a726 100644 --- a/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-master.properties +++ b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-master.properties @@ -1,12 +1,12 @@ -host=0.0.0.0 -port=7777 -agentContext=/jolokia -backlog=100 - -policyLocation=file:///spark/conf/jolokia.policy -historyMaxEntries=10 -debug=false -debugMaxEntries=100 -maxDepth=15 -maxCollectionSize=1000 -maxObjects=0 +host=0.0.0.0 +port=7777 +agentContext=/jolokia +backlog=100 + +policyLocation=file:///spark/conf/jolokia.policy +historyMaxEntries=10 +debug=false +debugMaxEntries=100 +maxDepth=15 +maxCollectionSize=1000 +maxObjects=0 diff --git a/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-worker.properties b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-worker.properties new file mode 100644 index 00000000000..e9caaa40f4e --- /dev/null +++ b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia-worker.properties 
@@ -0,0 +1,12 @@ +host=0.0.0.0 +port=7778 +agentContext=/jolokia +backlog=100 + +policyLocation=file:///spark/conf/jolokia.policy +historyMaxEntries=10 +debug=false +debugMaxEntries=100 +maxDepth=15 +maxCollectionSize=1000 +maxObjects=0 diff --git a/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia.policy b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia.policy index 09f58157be5..9621d60c71b 100644 --- a/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia.policy +++ b/packages/apache_spark/_dev/deploy/docker/jolokia-configs/jolokia.policy @@ -1,13 +1,13 @@ - - - - get - post - - - read - list - search - version - - + + + + get + post + + + read + list + search + version + + diff --git a/packages/apache_spark/changelog.yml b/packages/apache_spark/changelog.yml index c9e854e0a60..15bbfa0a8a6 100644 --- a/packages/apache_spark/changelog.yml +++ b/packages/apache_spark/changelog.yml @@ -2,6 +2,15 @@ - version: "0.1.0" changes: + - description: Implement "executor" data stream + type: enhancement + link: https://github.com/elastic/integrations/pull/2943 + - description: Implement "driver" data stream + type: enhancement + link: https://github.com/elastic/integrations/pull/2945 + - description: Implement "application" data stream + type: enhancement + link: https://github.com/elastic/integrations/pull/2941 - description: Implement "nodes" data stream type: enhancement link: https://github.com/elastic/integrations/pull/2939 diff --git a/packages/apache_spark/data_stream/application/_dev/test/system/test-metric-config.yml b/packages/apache_spark/data_stream/application/_dev/test/system/test-metric-config.yml new file mode 100644 index 00000000000..27fa09dcfab --- /dev/null +++ b/packages/apache_spark/data_stream/application/_dev/test/system/test-metric-config.yml @@ -0,0 +1,7 @@ +vars: ~ +data_stream: + vars: + hosts: + - http://apache-spark-main:{{Ports.[0]}} + path: + - /jolokia/?ignoreErrors=true&canonicalNaming=false 
diff --git a/packages/apache_spark/data_stream/application/agent/stream/stream.yml.hbs b/packages/apache_spark/data_stream/application/agent/stream/stream.yml.hbs new file mode 100644 index 00000000000..a09d571dde6 --- /dev/null +++ b/packages/apache_spark/data_stream/application/agent/stream/stream.yml.hbs @@ -0,0 +1,21 @@ +metricsets: ["jmx"] +namespace: "metrics" +hosts: +{{#each hosts}} + - {{this}} +{{/each}} +path: {{path}} +period: {{period}} +jmx.mappings: + - mbean: 'metrics:name=application.*.runtime_ms,type=gauges' + attributes: + - attr: Value + field: application.runtime.ms + - mbean: 'metrics:name=application.*.cores,type=gauges' + attributes: + - attr: Value + field: application.cores + - mbean: 'metrics:name=application.*.status,type=gauges' + attributes: + - attr: Value + field: application.status diff --git a/packages/apache_spark/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/apache_spark/data_stream/application/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..cf0f7721950 --- /dev/null +++ b/packages/apache_spark/data_stream/application/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,39 @@ +--- +description: Pipeline for parsing Apache Spark application metrics. +processors: + - set: + field: ecs.version + value: '8.1.0' + - rename: + field: jolokia.metrics + target_field: apache_spark + ignore_missing: true + - set: + field: event.type + value: info + - set: + field: event.kind + value: metric + - set: + field: event.module + value: apache_spark + - script: + lang: painless + description: This script will add the name of application under key 'application.name' + if: ctx?.apache_spark?.mbean?.contains("name=application") == true + source: >- + def bean_name = ctx.apache_spark.mbean.toString().splitOnToken("."); + def app_name = ""; + if (bean_name[0].contains("name=application") == true) { + app_name = bean_name[1] + "." + bean_name[2]; + } + ctx.apache_spark.application.name = app_name; + - remove: + field: + - apache_spark.mbean + - jolokia + ignore_failure: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/apache_spark/data_stream/application/fields/base-fields.yml b/packages/apache_spark/data_stream/application/fields/base-fields.yml new file mode 100644 index 00000000000..e36d466bdd1 --- /dev/null +++ b/packages/apache_spark/data_stream/application/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/apache_spark/data_stream/application/fields/ecs.yml b/packages/apache_spark/data_stream/application/fields/ecs.yml new file mode 100644 index 00000000000..ded177ab1a7 --- /dev/null +++ b/packages/apache_spark/data_stream/application/fields/ecs.yml 
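Review bot: The Painless script indexes `bean_name[1]` and `bean_name[2]` without checking the array length, so an mbean with fewer dot-separated parts aborts the processor and the document is indexed with only `error.message` from `on_failure`; it also assumes the application name holds exactly one dot, while `appName` is user-chosen and the `application.<name>.<timestamp>.<metric>` shape matched by the `application.*.runtime_ms` mappings in `stream.yml.hbs` can hold more. The inner `contains("name=application")` test repeats the processor's `if` and, when false, still writes `application.name` as an empty string. Keeping every part between the `name=application` prefix and the trailing metric token, and only when the split yields at least four parts, covers both cases; the `description:` of the processor should mention that the name may itself contain dots.

```yaml
      source: >-
        def parts = ctx.apache_spark.mbean.toString().splitOnToken(".");
        /* metrics:name=application.<name>.<timestamp>.<metric>,type=...; the name may contain dots */
        if (parts.length >= 4) {
          def app = new StringBuilder(parts[1]);
          for (int i = 2; i < parts.length - 1; i++) {
            app.append(".").append(parts[i]);
          }
          ctx.apache_spark.application.name = app.toString();
        }
```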
@@ -0,0 +1,12 @@ +- external: ecs + name: event.kind +- external: ecs + name: event.type +- external: ecs + name: ecs.version +- external: ecs + name: tags +- external: ecs + name: service.address +- external: ecs + name: service.type diff --git a/packages/apache_spark/data_stream/application/fields/fields.yml b/packages/apache_spark/data_stream/application/fields/fields.yml new file mode 100644 index 00000000000..f9eca40b877 --- /dev/null +++ b/packages/apache_spark/data_stream/application/fields/fields.yml @@ -0,0 +1,22 @@ +- name: apache_spark + type: group + fields: + - name: application + type: group + fields: + - name: cores + type: long + description: | + Number of cores. + - name: name + type: keyword + description: | + Name of the application. + - name: runtime.ms + type: long + description: | + Time taken to run the application (ms). + - name: status + type: keyword + description: | + Current status of the application. diff --git a/packages/apache_spark/data_stream/application/manifest.yml b/packages/apache_spark/data_stream/application/manifest.yml new file mode 100644 index 00000000000..ee79a4eb2a6 --- /dev/null +++ b/packages/apache_spark/data_stream/application/manifest.yml @@ -0,0 +1,30 @@ +title: Apache Spark application metrics +type: metrics +streams: + - input: jolokia/metrics + title: Apache Spark application metrics + description: Collect Apache Spark application metrics using Jolokia agent. + vars: + - name: hosts + type: text + title: Hosts + multi: true + description: | + Full hosts for the Jolokia for Apache Spark (https://spark_main:jolokia_port). + required: true + show_user: true + - name: path + type: text + title: Path + multi: false + required: true + show_user: false + default: /jolokia/?ignoreErrors=true&canonicalNaming=false + - name: period + type: text + title: Period + multi: false + required: true + show_user: true + default: 60s + template_path: "stream.yml.hbs" 
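Review bot: The `hosts` description in `manifest.yml` gives `https://spark_main:jolokia_port` as the example, but nothing in this change configures TLS on the Jolokia agents (the `jolokia-*.properties` set only `host`, `port` and policy settings) and the sample event records `http://apache-spark-main:7777/...`, so the example documents a scheme the bundled setup does not provide. Either change the example to `http://spark_main:jolokia_port` or extend the description to say that `https://` requires the agent to be configured for TLS or placed behind a TLS-terminating proxy, since the metrics endpoint is otherwise readable by anyone who can reach the port.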
diff --git a/packages/apache_spark/data_stream/application/sample_event.json b/packages/apache_spark/data_stream/application/sample_event.json new file mode 100644 index 00000000000..206796cf423 --- /dev/null +++ b/packages/apache_spark/data_stream/application/sample_event.json @@ -0,0 +1,69 @@ +{ + "@timestamp": "2022-04-11T09:45:08.887Z", + "agent": { + "ephemeral_id": "fd3ce7d1-e237-45c7-88f9-875edafec41e", + "id": "e7990c69-6909-48d1-be06-89dbe36d302c", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.1.0" + }, + "apache_spark": { + "application": { + "name": "PythonWordCount.1649670292906", + "runtime": { + "ms": 16007 + } + } + }, + "data_stream": { + "dataset": "apache_spark.application", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.1.0" + }, + "elastic_agent": { + "id": "e7990c69-6909-48d1-be06-89dbe36d302c", + "snapshot": false, + "version": "8.1.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "apache_spark.application", + "duration": 21401735, + "ingested": "2022-04-11T09:45:12Z", + "kind": "metric", + "module": "apache_spark", + "type": "info" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.0.5" + ], + "mac": [ + "02:42:c0:a8:00:05" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-107-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "jmx", + "period": 60000 + }, + "service": { + "address": "http://apache-spark-main:7777/jolokia/%3FignoreErrors=true\u0026canonicalNaming=false", + "type": "jolokia" + } +} \ No newline at end of file 
diff --git a/packages/apache_spark/data_stream/driver/_dev/test/system/test-metric-config.yml b/packages/apache_spark/data_stream/driver/_dev/test/system/test-metric-config.yml new file mode 100644 index 00000000000..116c8e5e704 --- /dev/null +++ b/packages/apache_spark/data_stream/driver/_dev/test/system/test-metric-config.yml @@ -0,0 +1,7 @@ +vars: ~ +data_stream: + vars: + hosts: + - http://apache-spark-main:{{Ports.[1]}} + path: + - /jolokia/?ignoreErrors=true&canonicalNaming=false diff --git a/packages/apache_spark/data_stream/driver/agent/stream/stream.yml.hbs b/packages/apache_spark/data_stream/driver/agent/stream/stream.yml.hbs new file mode 100644 index 00000000000..9d8a2fe3a75 --- /dev/null +++ b/packages/apache_spark/data_stream/driver/agent/stream/stream.yml.hbs 
@@ -0,0 +1,289 @@ +metricsets: ["jmx"] +namespace: "metrics" +hosts: +{{#each hosts}} + - {{this}} +{{/each}} +path: {{path}} +period: {{period}} +jmx.mappings: + - mbean: 'metrics:name=*.driver.appStatus.jobDuration,type=gauges' + attributes: + - attr: Value + field: driver.job_duration + - mbean: 'metrics:name=*.driver.appStatus.jobs.failedJobs,type=counters' + attributes: + - attr: Count + field: driver.jobs.failed + - mbean: 'metrics:name=*.driver.appStatus.jobs.succeededJobs,type=counters' + attributes: + - attr: Count + field: driver.jobs.succeeded + - mbean: 'metrics:name=*.driver.appStatus.stages.completedStages,type=counters' + attributes: + - attr: Count + field: driver.stages.completed_count + - mbean: 'metrics:name=*.driver.appStatus.stages.failedStages,type=counters' + attributes: + - attr: Count + field: driver.stages.failed_count + - mbean: 'metrics:name=*.driver.appStatus.stages.skippedStages,type=counters' + attributes: + - attr: Count + field: driver.stages.skipped_count + - mbean: 'metrics:name=*.driver.appStatus.tasks.blackListedExecutors,type=counters' + attributes: + - attr: Count + field: driver.tasks.executors.black_listed + - mbean: 'metrics:name=*.driver.appStatus.tasks.completedTasks,type=counters' + attributes: + - attr: Count + field: driver.tasks.completed + - mbean: 'metrics:name=*.driver.appStatus.tasks.excludedExecutors,type=counters' + attributes: + - attr: Count + field: driver.tasks.executors.excluded + - mbean: 'metrics:name=*.driver.appStatus.tasks.failedTasks,type=counters' + attributes: + - attr: Count + field: driver.tasks.failed + - mbean: 'metrics:name=*.driver.appStatus.tasks.killedTasks,type=counters' + attributes: + - attr: Count + field: driver.tasks.killed + - mbean: 'metrics:name=*.driver.appStatus.tasks.skippedTasks,type=counters' + attributes: + - attr: Count + field: driver.tasks.skipped + - mbean: 'metrics:name=*.driver.appStatus.tasks.unblackListedExecutors,type=counters' + attributes: + - attr: Count + field: 
driver.tasks.executors.unblack_listed + - mbean: 'metrics:name=*.driver.appStatus.tasks.unexcludedExecutors,type=counters' + attributes: + - attr: Count + field: driver.tasks.executors.unexcluded + - mbean: 'metrics:name=*.driver.BlockManager.disk.diskSpaceUsed_MB,type=gauges' + attributes: + - attr: Value + field: driver.disk.space_used + - mbean: 'metrics:name=*.driver.BlockManager.memory.maxMem_MB,type=gauges' + attributes: + - attr: Value + field: driver.memory.max_mem + - mbean: 'metrics:name=*.driver.BlockManager.memory.maxOffHeapMem_MB,type=gauges' + attributes: + - attr: Value + field: driver.memory.off_heap.max + - mbean: 'metrics:name=*.driver.BlockManager.memory.maxOnHeapMem_MB,type=gauges' + attributes: + - attr: Value + field: driver.memory.on_heap.max + - mbean: 'metrics:name=*.driver.BlockManager.memory.memUsed_MB,type=gauges' + attributes: + - attr: Value + field: driver.memory.used + - mbean: 'metrics:name=*.driver.BlockManager.memory.offHeapMemUsed_MB,type=gauges' + attributes: + - attr: Value + field: driver.memory.off_heap.used + - mbean: 'metrics:name=*.driver.BlockManager.memory.onHeapMemUsed_MB,type=gauges' + attributes: + - attr: Value + field: driver.memory.on_heap.used + - mbean: 'metrics:name=*.driver.BlockManager.memory.remainingMem_MB,type=gauges' + attributes: + - attr: Value + field: driver.memory.remaining + - mbean: 'metrics:name=*.driver.BlockManager.memory.remainingOffHeapMem_MB,type=gauges' + attributes: + - attr: Value + field: driver.memory.off_heap.remaining + - mbean: 'metrics:name=*.driver.BlockManager.memory.remainingOnHeapMem_MB,type=gauges' + attributes: + - attr: Value + field: driver.memory.on_heap.remaining + - mbean: 'metrics:name=*.driver.DAGScheduler.job.activeJobs,type=gauges' + attributes: + - attr: Value + field: driver.dag_scheduler.job.active + - mbean: 'metrics:name=*.driver.DAGScheduler.job.allJobs,type=gauges' + attributes: + - attr: Value + field: driver.dag_scheduler.job.all + - mbean: 
'metrics:name=*.driver.DAGScheduler.stage.failedStages,type=gauges' + attributes: + - attr: Value + field: driver.dag_scheduler.stages.failed + - mbean: 'metrics:name=*.driver.DAGScheduler.stage.runningStages,type=gauges' + attributes: + - attr: Value + field: driver.dag_scheduler.stages.running + - mbean: 'metrics:name=*.driver.DAGScheduler.stage.waitingStages,type=gauges' + attributes: + - attr: Value + field: driver.dag_scheduler.stages.waiting + - mbean: 'metrics:name=*.driver.ExecutorAllocationManager.executors.numberAllExecutors,type=gauges' + attributes: + - attr: Value + field: driver.executors.all + - mbean: 'metrics:name=*.driver.ExecutorAllocationManager.executors.numberExecutorsDecommissionUnfinished,type=counters' + attributes: + - attr: Count + field: driver.executors.decommission_unfinished + - mbean: 'metrics:name=*.driver.ExecutorAllocationManager.executors.numberExecutorsExitedUnexpectedly,type=counters' + attributes: + - attr: Count + field: driver.executors.exited_unexpectedly + - mbean: 'metrics:name=*.driver.ExecutorAllocationManager.executors.numberExecutorsGracefullyDecommissioned,type=counters' + attributes: + - attr: Count + field: driver.executors.gracefully_decommissioned + - mbean: 'metrics:name=*.driver.ExecutorAllocationManager.executors.numberExecutorsKilledByDriver,type=counters' + attributes: + - attr: Count + field: driver.executors.killed_by_driver + - mbean: 'metrics:name=*.driver.ExecutorAllocationManager.executors.numberExecutorsPendingToRemove,type=gauges' + attributes: + - attr: Value + field: driver.executors.pending_to_remove + - mbean: 'metrics:name=*.driver.ExecutorAllocationManager.executors.numberExecutorsToAdd,type=gauges' + attributes: + - attr: Value + field: driver.executors.to_add + - mbean: 'metrics:name=*.driver.ExecutorAllocationManager.executors.numberMaxNeededExecutors,type=gauges' + attributes: + - attr: Value + field: driver.executors.max_needed + - mbean: 
'metrics:name=*.driver.ExecutorAllocationManager.executors.numberTargetExecutors,type=gauges' + attributes: + - attr: Value + field: driver.executors.target + - mbean: 'metrics:name=*.driver.ExecutorMetrics.DirectPoolMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.memory.direct_pool + - mbean: 'metrics:name=*.driver.ExecutorMetrics.JVMHeapMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.memory.jvm.heap + - mbean: 'metrics:name=*.driver.ExecutorMetrics.JVMOffHeapMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.memory.jvm.off_heap + - mbean: 'metrics:name=*.driver.ExecutorMetrics.MappedPoolMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.memory.mapped_pool + - mbean: 'metrics:name=*.driver.ExecutorMetrics.MajorGCCount,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.gc.major.count + - mbean: 'metrics:name=*.driver.ExecutorMetrics.MajorGCTime,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.gc.major.time + - mbean: 'metrics:name=*.driver.ExecutorMetrics.MinorGCCount,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.gc.minor.count + - mbean: 'metrics:name=*.driver.ExecutorMetrics.MinorGCTime,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.gc.minor.time + - mbean: 'metrics:name=*.driver.ExecutorMetrics.OffHeapExecutionMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.heap_memory.off.execution + - mbean: 'metrics:name=*.driver.ExecutorMetrics.OffHeapStorageMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.heap_memory.off.storage + - mbean: 'metrics:name=*.driver.ExecutorMetrics.OffHeapUnifiedMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.heap_memory.off.unified + - mbean: 
'metrics:name=*.driver.ExecutorMetrics.OnHeapExecutionMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.heap_memory.on.execution + - mbean: 'metrics:name=*.driver.ExecutorMetrics.OnHeapStorageMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.heap_memory.on.storage + - mbean: 'metrics:name=*.driver.ExecutorMetrics.OnHeapUnifiedMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.heap_memory.on.unified + - mbean: 'metrics:name=*.driver.ExecutorMetrics.ProcessTreeJVMRSSMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.process_tree.jvm.rss_memory + - mbean: 'metrics:name=*.driver.ExecutorMetrics.ProcessTreeJVMVMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.process_tree.jvm.v_memory + - mbean: 'metrics:name=*.driver.ExecutorMetrics.ProcessTreeOtherRSSMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.process_tree.other.rss_memory + - mbean: 'metrics:name=*.driver.ExecutorMetrics.ProcessTreeOtherVMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.process_tree.other.v_memory + - mbean: 'metrics:name=*.driver.ExecutorMetrics.ProcessTreePythonRSSMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.process_tree.python.rss_memory + - mbean: 'metrics:name=*.driver.ExecutorMetrics.ProcessTreePythonVMemory,type=gauges' + attributes: + - attr: Value + field: driver.executor_metrics.process_tree.python.v_memory + - mbean: 'metrics:name=*.driver.HiveExternalCatalog.fileCacheHits,type=counters' + attributes: + - attr: Count + field: driver.hive_external_catalog.file_cache_hits + - mbean: 'metrics:name=*.driver.HiveExternalCatalog.filesDiscovered,type=counters' + attributes: + - attr: Count + field: driver.hive_external_catalog.files_discovered + - mbean: 'metrics:name=*.driver.HiveExternalCatalog.hiveClientCalls,type=counters' + 
attributes: + - attr: Count + field: driver.hive_external_catalog.hive_client_calls + - mbean: 'metrics:name=*.driver.HiveExternalCatalog.parallelListingJobCount,type=counters' + attributes: + - attr: Count + field: driver.hive_external_catalog.parallel_listing_job.count + - mbean: 'metrics:name=*.driver.HiveExternalCatalog.partitionsFetched,type=counters' + attributes: + - attr: Count + field: driver.hive_external_catalog.partitions_fetched + - mbean: 'metrics:name=*.driver.JVMCPU.jvmCpuTime,type=gauges' + attributes: + - attr: Value + field: driver.jvm.cpu.time + - mbean: 'metrics:name=*.driver.spark.streaming.*.states-rowsTotal,type=gauges' + attributes: + - attr: Value + field: driver.spark.streaming.states.rows.total + - mbean: 'metrics:name=*.driver.spark.streaming.*.processingRate-total,type=gauges' + attributes: + - attr: Value + field: driver.spark.streaming.processing_rate.total + - mbean: 'metrics:name=*.driver.spark.streaming.*.latency,type=gauges' + attributes: + - attr: Value + field: driver.spark.streaming.latency + - mbean: 'metrics:name=*.driver.spark.streaming.*.states-usedBytes,type=gauges' + attributes: + - attr: Value + field: driver.spark.streaming.states.used_bytes + - mbean: 'metrics:name=*.driver.spark.streaming.*.eventTime-watermark,type=gauges' + attributes: + - attr: Value + field: driver.spark.streaming.event_time.watermark + - mbean: 'metrics:name=*.driver.spark.streaming.*.inputRate-total,type=gauge' + attributes: + - attr: Value + field: driver.spark.streaming.input_rate.total diff --git a/packages/apache_spark/data_stream/driver/elasticsearch/ingest_pipeline/default.yml b/packages/apache_spark/data_stream/driver/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..d01ba2d1a43 --- /dev/null +++ b/packages/apache_spark/data_stream/driver/elasticsearch/ingest_pipeline/default.yml 
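Review bot: The final mapping `metrics:name=*.driver.spark.streaming.*.inputRate-total,type=gauge` uses `type=gauge` while every other gauge in the file uses `type=gauges`, so this pattern most likely never matches and `driver.spark.streaming.input_rate.total` stays empty; change it to `- mbean: 'metrics:name=*.driver.spark.streaming.*.inputRate-total,type=gauges'`. The bean patterns all start with `*.driver.`, so whatever the leading segment is (presumably the Spark application id) is recoverable only from the bean name in the ingest pipeline; a one-line comment above `jmx.mappings:` saying what the leading wildcard stands for would save the next reader a lookup.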
@@ -0,0 +1,44 @@ +--- +description: Pipeline for parsing Apache Spark driver metrics. +processors: + - set: + field: ecs.version + value: '8.1.0' + - rename: + field: jolokia.metrics + target_field: apache_spark + ignore_missing: true + - set: + field: event.type + value: info + - set: + field: event.kind + value: metric + - set: + field: event.module + value: apache_spark + - script: + lang: painless + description: This script will add the name of application under key 'driver/executor.application_name' and executor id under 'apache_spark.executor.id' + if: ctx?.apache_spark?.mbean?.contains("name=worker.") == false && + ctx?.apache_spark?.mbean?.contains("name=worker.") == false && + ctx?.apache_spark?.mbean?.contains("name=application.") == false + source: >- + def bean_name = ctx.apache_spark.mbean.toString().splitOnToken("=")[1]; + def app_name = bean_name.splitOnToken(".")[0]; + def executor_id = bean_name.splitOnToken(".")[1]; + if (executor_id == "driver") { + ctx.apache_spark.driver.application_name = app_name; + } else { + ctx.apache_spark.executors.application_name = app_name; + ctx.apache_spark.executors.id = executor_id; + } + - remove: + field: + - apache_spark.mbean + - jolokia + ignore_failure: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/apache_spark/data_stream/driver/fields/base-fields.yml b/packages/apache_spark/data_stream/driver/fields/base-fields.yml new file mode 100644 index 00000000000..e36d466bdd1 --- /dev/null +++ b/packages/apache_spark/data_stream/driver/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: '@timestamp' + type: date + description: Event timestamp. 
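Review bot: The script processor's `if` lists `ctx?.apache_spark?.mbean?.contains("name=worker.") == false` twice on consecutive lines, so the condition is really only two checks; if a third prefix was meant to be excluded it currently is not, and otherwise the duplicate line should be dropped. The script then indexes `splitOnToken("=")[1]` and `splitOnToken(".")[0]`/`[1]` with no length check, so a bean name without `=` or a dot throws and the document is indexed with only `error.message` from `on_failure`; testing the array lengths before indexing (and skipping the assignment otherwise) avoids that. The `else` branch writes `apache_spark.executors.application_name` and `apache_spark.executors.id`, yet this is the driver data stream; if the same script is intentionally shared with the executor stream, say so in `description`, otherwise the branch is dead here. The `description` also names the key as `'driver/executor.application_name'` while the code writes `executors` (plural); align the two.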
diff --git a/packages/apache_spark/data_stream/driver/fields/ecs.yml b/packages/apache_spark/data_stream/driver/fields/ecs.yml new file mode 100644 index 00000000000..ded177ab1a7 --- /dev/null +++ b/packages/apache_spark/data_stream/driver/fields/ecs.yml @@ -0,0 +1,12 @@ +- external: ecs + name: event.kind +- external: ecs + name: event.type +- external: ecs + name: ecs.version +- external: ecs + name: tags +- external: ecs + name: service.address +- external: ecs + name: service.type diff --git a/packages/apache_spark/data_stream/driver/fields/fields.yml b/packages/apache_spark/data_stream/driver/fields/fields.yml new file mode 100644 index 00000000000..68c6737c7c6 --- /dev/null +++ b/packages/apache_spark/data_stream/driver/fields/fields.yml 
@@ -0,0 +1,294 @@ +- name: apache_spark + type: group + fields: + - name: driver + type: group + fields: + - name: application_name + type: keyword + description: Name of the application. + - name: job_duration + type: long + description: Duration of the job. + - name: jobs + type: group + fields: + - name: failed + type: long + description: Number of failed jobs. + - name: succeeded + type: long + description: Number of successful jobs. + - name: stages + type: group + fields: + - name: completed_count + type: long + description: Total number of completed stages. + - name: failed_count + type: long + description: Total number of failed stages. + - name: skipped_count + type: long + description: Total number of skipped stages. + - name: tasks + type: group + fields: + - name: completed + type: long + description: Number of completed tasks. + - name: executors + type: group + fields: + - name: black_listed + type: long + description: Number of blacklisted executors for the tasks. + - name: excluded + type: long + description: Number of excluded executors for the tasks. + - name: unblack_listed + type: long + description: Number of unblacklisted executors for the tasks. + - name: unexcluded + type: long + description: Number of unexcluded executors for the tasks. + - name: failed + type: long + description: Number of failed tasks. + - name: killed + type: long + description: Number of killed tasks. + - name: skipped + type: long + description: Number of skipped tasks. + - name: disk.space_used + type: long + description: Amount of the disk space utilized in MB. + - name: memory + type: group + fields: + - name: max_mem + type: long + description: Maximum amount of memory available for storage, in MB. + - name: off_heap + type: group + fields: + - name: max + type: long + description: Maximum amount of off heap memory available, in MB. + - name: used + type: long + description: Total amount of off heap memory used, in MB. 
+ - name: remaining + type: long + description: Remaining amount of off heap memory, in MB. + - name: on_heap + type: group + fields: + - name: max + type: long + description: Maximum amount of on heap memory available, in MB. + - name: used + type: long + description: Total amount of on heap memory used, in MB. + - name: remaining + type: long + description: Remaining amount of on heap memory, in MB. + - name: used + type: long + description: Total amount of memory used for storage, in MB. + - name: remaining + type: long + description: Remaining amount of storage memory, in MB. + - name: dag_scheduler + type: group + fields: + - name: job + type: group + fields: + - name: active + type: long + description: Number of active jobs. + - name: all + type: long + description: Total number of jobs. + - name: stages + type: group + fields: + - name: failed + type: long + description: Number of failed stages. + - name: running + type: long + description: Number of running stages. + - name: waiting + type: long + description: Number of waiting stages + - name: executors + type: group + fields: + - name: all + type: long + description: Total number of executors. + - name: decommission_unfinished + type: long + description: Total number of decommissioned unfinished executors. + - name: exited_unexpectedly + type: long + description: Total number of executors exited unexpectedly. + - name: gracefully_decommissioned + type: long + description: Total number of executors gracefully decommissioned. + - name: killed_by_driver + type: long + description: Total number of executors killed by driver. + - name: pending_to_remove + type: long + description: Total number of executors pending to be removed. + - name: to_add + type: long + description: Total number of executors to be added. + - name: max_needed + type: long + description: Maximum number of executors needed. + - name: target + type: long + description: Total number of target executors. 
+ - name: executor_metrics + type: group + fields: + - name: memory + type: group + fields: + - name: direct_pool + type: long + description: Peak memory that the JVM is using for direct buffer pool. + - name: jvm + type: group + fields: + - name: heap + type: long + description: Peak memory usage of the heap that is used for object allocation. + - name: off_heap + type: long + description: Peak memory usage of non-heap memory that is used by the Java virtual machine. + - name: mapped_pool + type: long + description: Peak memory that the JVM is using for mapped buffer pool + - name: gc + type: group + fields: + - name: major + type: group + fields: + - name: count + type: long + description: Total major GC count. For example, the garbage collector is one of MarkSweepCompact, PS MarkSweep, ConcurrentMarkSweep, G1 Old Generation and so on. + - name: time + type: long + description: Elapsed total major GC time. The value is expressed in milliseconds. + - name: minor + type: group + fields: + - name: count + type: long + description: Total minor GC count. For example, the garbage collector is one of Copy, PS Scavenge, ParNew, G1 Young Generation and so on. + - name: time + type: long + description: Elapsed total minor GC time. The value is expressed in milliseconds. + - name: heap_memory + type: group + fields: + - name: 'off' + type: group + fields: + - name: execution + type: long + description: Peak off heap execution memory in use, in bytes. + - name: storage + type: long + description: Peak off heap storage memory in use, in bytes. + - name: unified + type: long + description: Peak off heap memory (execution and storage). + - name: 'on' + type: group + fields: + - name: execution + type: long + description: Peak on heap execution memory in use, in bytes. + - name: storage + type: long + description: Peak on heap storage memory in use, in bytes. + - name: unified + type: long + description: Peak on heap memory (execution and storage). 
+ - name: process_tree + type: group + fields: + - name: jvm + type: group + fields: + - name: rss_memory + type: long + description: 'Resident Set Size: number of pages the process has in real memory. This is just the pages which count toward text, data, or stack space. This does not include pages which have not been demand-loaded in, or which are swapped out.' + - name: v_memory + type: long + description: Virtual memory size in bytes. + - name: other + type: group + fields: + - name: rss_memory + type: long + - name: v_memory + type: long + - name: python + type: group + fields: + - name: rss_memory + type: long + - name: v_memory + type: long + - name: hive_external_catalog + type: group + fields: + - name: file_cache_hits + type: long + description: Total number of file cache hits. + - name: files_discovered + type: long + description: Total number of files discovered. + - name: hive_client_calls + type: long + description: Total number of Hive Client calls. + - name: parallel_listing_job.count + type: long + description: Number of jobs running parallely. + - name: partitions_fetched + type: long + description: Number of partitions fetched. + - name: jvm.cpu.time + type: long + description: Elapsed CPU time the JVM spent. + - name: spark.streaming + type: group + fields: + - name: states + type: group + fields: + - name: rows.total + type: long + description: Total number of rows. + - name: used_bytes + type: long + description: Total number of bytes utilized. + - name: processing_rate.total + type: double + description: Total rate of processing. + - name: latency + type: long + - name: event_time.watermark + type: long + - name: input_rate.total + type: double + description: Total rate of the input. diff --git a/packages/apache_spark/data_stream/driver/manifest.yml b/packages/apache_spark/data_stream/driver/manifest.yml new file mode 100644 index 00000000000..fbf713d0fcd --- /dev/null +++ b/packages/apache_spark/data_stream/driver/manifest.yml 
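Review bot: Several fields in this hunk have no `description`: `process_tree.other.rss_memory`/`v_memory`, `process_tree.python.rss_memory`/`v_memory`, `spark.streaming.latency` and `spark.streaming.event_time.watermark`; the executor `fields.yml` in this PR documents the matching `process_tree` entries (`Resident Set Size for other kind of process.`, `Virtual memory size for Python in bytes.` and so on), so the same text can be reused here. `parallel_listing_job.count` reads `Number of jobs running parallely`; `Number of parallel listing jobs.` is clearer and matches the bean name. `stages.waiting` is the only description here without a trailing period.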
@@ -0,0 +1,30 @@
+title: Apache Spark driver metrics
+type: metrics
+streams:
+ - input: jolokia/metrics
+ title: Apache Spark driver metrics
+ description: Collect Apache Spark driver metrics using Jolokia agent.
+ vars:
+ - name: hosts
+ type: text
+ title: Hosts
+ multi: true
+ description: |
+ Full hosts for the Jolokia for Apache Spark (https://spark_main:jolokia_port).
+ required: true
+ show_user: true
+ - name: path
+ type: text
+ title: Path
+ multi: false
+ required: true
+ show_user: false
+ default: /jolokia/?ignoreErrors=true&canonicalNaming=false
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 60s
+ template_path: "stream.yml.hbs"
diff --git a/packages/apache_spark/data_stream/driver/sample_event.json b/packages/apache_spark/data_stream/driver/sample_event.json
new file mode 100644
index 00000000000..4cc75a71b6f
--- /dev/null
+++ b/packages/apache_spark/data_stream/driver/sample_event.json
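Review bot: The `hosts` description advertises an `https://` example, but the stream exposes only `hosts`, `path` and `period` and the executor system test config in this PR uses plain `http://`, so a user following the example has no TLS or credential settings to go with it; if the `jolokia/metrics` input supports such settings they should be surfaced as vars here, otherwise change the example to `http://spark_main:jolokia_port` and say that the Jolokia endpoint is collected over plaintext. The executor `manifest.yml` later in this PR carries the identical description and vars, so the same applies there. `path` defaults to `ignoreErrors=true`, which presumably asks Jolokia to suppress per-MBean read errors instead of failing the request; a one-line `description` on that var would tell operators why missing metrics can be silent.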
@@ -0,0 +1,73 @@ +{ + "@timestamp": "2022-04-06T09:28:29.830Z", + "agent": { + "ephemeral_id": "0136f072-d8da-429f-92f9-310435dbeb07", + "id": "b92a6ed6-a92c-4064-9b78-b3b21cab191c", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.1.0" + }, + "apache_spark": { + "driver": { + "application_name": "app-20220406092805-0000", + "executor_metrics": { + "memory": { + "jvm": { + "heap": 288770488 + } + } + } + } + }, + "data_stream": { + "dataset": "apache_spark.driver", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.1.0" + }, + "elastic_agent": { + "id": "b92a6ed6-a92c-4064-9b78-b3b21cab191c", + "snapshot": false, + "version": "8.1.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "apache_spark.driver", + "duration": 51414715, + "ingested": "2022-04-06T09:28:33Z", + "kind": "metric", + "module": "apache_spark", + "type": "info" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.80.7" + ], + "mac": [ + "02:42:c0:a8:50:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-100-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "jmx", + "period": 60000 + }, + "service": { + "address": "http://apache-spark-main:7779/jolokia/%3FignoreErrors=true\u0026canonicalNaming=false", + "type": "jolokia" + } +} \ No newline at end of file diff --git a/packages/apache_spark/data_stream/executor/_dev/test/system/test-metric-config.yml b/packages/apache_spark/data_stream/executor/_dev/test/system/test-metric-config.yml new file mode 100644 index 00000000000..ff9506a7f16 --- /dev/null +++ b/packages/apache_spark/data_stream/executor/_dev/test/system/test-metric-config.yml 
@@ -0,0 +1,7 @@
+vars: ~
+data_stream:
+ vars:
+ hosts:
+ - http://apache-spark-main:{{Ports.[2]}}
+ path:
+ - /jolokia/?ignoreErrors=true&canonicalNaming=false
diff --git a/packages/apache_spark/data_stream/executor/agent/stream/stream.yml.hbs b/packages/apache_spark/data_stream/executor/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..79e64f63848
--- /dev/null
+++ b/packages/apache_spark/data_stream/executor/agent/stream/stream.yml.hbs
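Review bot: `path` is supplied here as a one-element list, while the executor `manifest.yml` declares the var with `multi: false` and `stream.yml.hbs` renders it as a scalar (`path: {{path}}`); unless the test harness flattens single-element lists, the rendered stream would not contain `path: /jolokia/?ignoreErrors=true&canonicalNaming=false`. Passing it as the scalar `path: /jolokia/?ignoreErrors=true&canonicalNaming=false` matches the manifest and removes the ambiguity.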
@@ -0,0 +1,269 @@ +metricsets: ["jmx"] +namespace: "metrics" +hosts: +{{#each hosts}} + - {{this}} +{{/each}} +path: {{path}} +period: {{period}} +jmx.mappings: + - mbean: 'metrics:name=*.*.executor.bytesRead,type=counters' + attributes: + - attr: Count + field: executor.bytes.read + - mbean: 'metrics:name=*.*.executor.bytesWritten,type=counters' + attributes: + - attr: Count + field: executor.bytes.written + - mbean: 'metrics:name=*.*.ExecutorMetrics.DirectPoolMemory,type=gauges' + attributes: + - attr: Value + field: executor.memory.direct_pool + - mbean: 'metrics:name=*.*.executor.diskBytesSpilled,type=counters' + attributes: + - attr: Count + field: executor.disk_bytes_spilled + - mbean: 'metrics:name=*.*.HiveExternalCatalog.fileCacheHits,type=counters' + attributes: + - attr: Count + field: executor.file_cache_hits + - mbean: 'metrics:name=*.*.HiveExternalCatalog.filesDiscovered,type=counters' + attributes: + - attr: Count + field: executor.files_discovered + - mbean: 'metrics:name=*.*.executor.filesystem.file.largeRead_ops,type=gauges' + attributes: + - attr: Value + field: executor.filesystem.file.large_read_ops + - mbean: 'metrics:name=*.*.executor.filesystem.file.read_bytes,type=gauges' + attributes: + - attr: Value + field: executor.filesystem.file.read_bytes + - mbean: 'metrics:name=*.*.executor.filesystem.file.read_ops,type=gauges' + attributes: + - attr: Value + field: executor.filesystem.file.read_ops + - mbean: 'metrics:name=*.*.executor.filesystem.file.write_bytes,type=gauges' + attributes: + - attr: Value + field: executor.filesystem.file.write_bytes + - mbean: 'metrics:name=*.*.executor.filesystem.file.write_ops,type=gauges' + attributes: + - attr: Value + field: executor.filesystem.file.write_ops + - mbean: 'metrics:name=*.*.executor.filesystem.hdfs.largeRead_ops,type=gauges' + attributes: + - attr: Value + field: executor.filesystem.hdfs.large_read_ops + - mbean: 'metrics:name=*.*.executor.filesystem.hdfs.read_bytes,type=gauges' + attributes: + 
- attr: Value + field: executor.filesystem.hdfs.read_bytes + - mbean: 'metrics:name=*.*.executor.filesystem.hdfs.read_ops,type=gauges' + attributes: + - attr: Value + field: executor.filesystem.hdfs.read_ops + - mbean: 'metrics:name=*.*.executor.filesystem.hdfs.write_bytes,type=gauges' + attributes: + - attr: Value + field: executor.filesystem.hdfs.write_bytes + - mbean: 'metrics:name=*.*.executor.filesystem.hdfs.write_ops,type=gauges' + attributes: + - attr: Value + field: executor.filesystem.hdfs.write_ops + - mbean: 'metrics:name=*.*.HiveExternalCatalog.hiveClientCalls,type=counters' + attributes: + - attr: Count + field: executor.hive_client_calls + - mbean: 'metrics:name=*.*.JVMCPU.jvmCpuTime,type=gauges' + attributes: + - attr: Value + field: executor.jvm.cpu_time + - mbean: 'metrics:name=*.*.executor.jvmGCTime,type=counters' + attributes: + - attr: Count + field: executor.jvm.gc_time + - mbean: 'metrics:name=*.*.ExecutorMetrics.JVMHeapMemory,type=gauges' + attributes: + - attr: Value + field: executor.memory.jvm.heap + - mbean: 'metrics:name=*.*.ExecutorMetrics.JVMOffHeapMemory,type=gauges' + attributes: + - attr: Value + field: executor.memory.jvm.off_heap + - mbean: 'metrics:name=*.*.ExecutorMetrics.MajorGCCount,type=gauges' + attributes: + - attr: Value + field: executor.gc.major.count + - mbean: 'metrics:name=*.*.ExecutorMetrics.MajorGCTime,type=gauges' + attributes: + - attr: Value + field: executor.gc.major.time + - mbean: 'metrics:name=*.*.ExecutorMetrics.MappedPoolMemory,type=gauges' + attributes: + - attr: Value + field: executor.memory.mapped_pool + - mbean: 'metrics:name=*.*.executor.memoryBytesSpilled,type=counters' + attributes: + - attr: Count + field: executor.memory_bytes_spilled + - mbean: 'metrics:name=*.*.ExecutorMetrics.MinorGCCount,type=gauges' + attributes: + - attr: Value + field: executor.gc.minor.count + - mbean: 'metrics:name=*.*.ExecutorMetrics.MinorGCTime,type=gauges' + attributes: + - attr: Value + field: executor.gc.minor.time + 
- mbean: 'metrics:name=*.*.ExecutorMetrics.OffHeapExecutionMemory,type=gauges' + attributes: + - attr: Value + field: executor.heap_memory.off.execution + - mbean: 'metrics:name=*.*.ExecutorMetrics.OffHeapStorageMemory,type=gauges' + attributes: + - attr: Value + field: executor.heap_memory.off.storage + - mbean: 'metrics:name=*.*.ExecutorMetrics.OffHeapUnifiedMemory,type=gauges' + attributes: + - attr: Value + field: executor.heap_memory.off.unified + - mbean: 'metrics:name=*.*.ExecutorMetrics.OnHeapExecutionMemory,type=gauges' + attributes: + - attr: Value + field: executor.heap_memory.on.execution + - mbean: 'metrics:name=*.*.ExecutorMetrics.OnHeapStorageMemory,type=gauges' + attributes: + - attr: Value + field: executor.heap_memory.on.storage + - mbean: 'metrics:name=*.*.ExecutorMetrics.OnHeapUnifiedMemory,type=gauges' + attributes: + - attr: Value + field: executor.heap_memory.on.unified + - mbean: 'metrics:name=*.*.HiveExternalCatalog.parallelListingJobCount,type=counters' + attributes: + - attr: Count + field: executor.parallel_listing_job_count + - mbean: 'metrics:name=*.*.HiveExternalCatalog.partitionsFetched,type=counters' + attributes: + - attr: Count + field: executor.partitions_fetched + - mbean: 'metrics:name=*.*.ExecutorMetrics.ProcessTreeJVMRSSMemory,type=gauges' + attributes: + - attr: Value + field: executor.process_tree.jvm.rss_memory + - mbean: 'metrics:name=*.*.ExecutorMetrics.ProcessTreeJVMVMemory,type=gauges' + attributes: + - attr: Value + field: executor.process_tree.jvm.v_memory + - mbean: 'metrics:name=*.*.ExecutorMetrics.ProcessTreeOtherRSSMemory,type=gauges' + attributes: + - attr: Value + field: executor.process_tree.other.rss_memory + - mbean: 'metrics:name=*.*.ExecutorMetrics.ProcessTreeOtherVMemory,type=gauges' + attributes: + - attr: Value + field: executor.process_tree.other.v_memory + - mbean: 'metrics:name=*.*.ExecutorMetrics.ProcessTreePythonRSSMemory,type=gauges' + attributes: + - attr: Value + field: 
executor.process_tree.python.rss_memory + - mbean: 'metrics:name=*.*.ExecutorMetrics.ProcessTreePythonVMemory,type=gauges' + attributes: + - attr: Value + field: executor.process_tree.python.v_memory + - mbean: 'metrics:name=*.*.executor.recordsRead,type=counters' + attributes: + - attr: Count + field: executor.records.read + - mbean: 'metrics:name=*.*.executor.recordsWritten,type=counters' + attributes: + - attr: Count + field: executor.records.written + - mbean: 'metrics:name=*.*.executor.resultSerializationTime,type=counters' + attributes: + - attr: Count + field: executor.result.serialization_time + - mbean: 'metrics:name=*.*.executor.resultSize,type=counters' + attributes: + - attr: Count + field: executor.result.size + - mbean: 'metrics:name=*.*.executor.runTime,type=counters' + attributes: + - attr: Count + field: executor.run_time + - mbean: 'metrics:name=*.*.ExternalShuffle.shuffle-client.usedDirectMemory,type=gauges' + attributes: + - attr: Value + field: executor.shuffle.client.used.direct_memory + - mbean: 'metrics:name=*.*.ExternalShuffle.shuffle-client.usedHeapMemory,type=gauges' + attributes: + - attr: Value + field: executor.shuffle.client.used.heap_memory + - mbean: 'metrics:name=*.*.executor.shuffleBytesWritten,type=counters' + attributes: + - attr: Count + field: executor.shuffle.bytes_written + - mbean: 'metrics:name=*.*.executor.shuffleFetchWaitTime,type=counters' + attributes: + - attr: Count + field: executor.shuffle.fetch_wait_time + - mbean: 'metrics:name=*.*.executor.shuffleLocalBlocksFetched,type=counters' + attributes: + - attr: Count + field: executor.shuffle.local.blocks_fetched + - mbean: 'metrics:name=*.*.executor.shuffleLocalBytesRead,type=counters' + attributes: + - attr: Count + field: executor.shuffle.local.bytes_read + - mbean: 'metrics:name=*.*.executor.shuffleRecordsRead,type=counters' + attributes: + - attr: Count + field: executor.shuffle.records.read + - mbean: 'metrics:name=*.*.executor.shuffleRecordsWritten,type=counters' 
+ attributes: + - attr: Count + field: executor.shuffle.records.written + - mbean: 'metrics:name=*.*.executor.shuffleRemoteBlocksFetched,type=counters' + attributes: + - attr: Count + field: executor.shuffle.remote.blocks_fetched + - mbean: 'metrics:name=*.*.executor.shuffleRemoteBytesRead,type=counters' + attributes: + - attr: Count + field: executor.shuffle.remote.bytes_read + - mbean: 'metrics:name=*.*.executor.shuffleRemoteBytesReadToDisk,type=counters' + attributes: + - attr: Count + field: executor.shuffle.remote.bytes_read_to_disk + - mbean: 'metrics:name=*.*.executor.shuffleTotalBytesRead,type=counters' + attributes: + - attr: Count + field: executor.shuffle.total.bytes_read + - mbean: 'metrics:name=*.*.executor.shuffleWriteTime,type=counters' + attributes: + - attr: Count + field: executor.shuffle.write.time + - mbean: 'metrics:name=*.*.executor.succeededTasks,type=counters' + attributes: + - attr: Count + field: executor.succeeded_tasks + - mbean: 'metrics:name=*.*.executor.threadpool.activeTasks,type=gauges' + attributes: + - attr: Value + field: executor.threadpool.active_tasks + - mbean: 'metrics:name=*.*.executor.threadpool.completeTasks,type=gauges' + attributes: + - attr: Value + field: executor.threadpool.complete_tasks + - mbean: 'metrics:name=*.*.executor.threadpool.currentPool_size,type=gauges' + attributes: + - attr: Value + field: executor.threadpool.current_pool_size + - mbean: 'metrics:name=*.*.executor.threadpool.maxPool_size,type=gauges' + attributes: + - attr: Value + field: executor.threadpool.max_pool_size + - mbean: 'metrics:name=*.*.executor.threadpool.startedTasks,type=gauges' + attributes: + - attr: Value + field: executor.threadpool.started_tasks \ No newline at end of file diff --git a/packages/apache_spark/data_stream/executor/elasticsearch/ingest_pipeline/default.yml b/packages/apache_spark/data_stream/executor/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..364a4dbf446 --- /dev/null 
+++ b/packages/apache_spark/data_stream/executor/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,44 @@
+---
+description: Pipeline for parsing Apache Spark executor metrics.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.1.0'
+ - rename:
+ field: jolokia.metrics
+ target_field: apache_spark
+ ignore_missing: true
+ - set:
+ field: event.type
+ value: info
+ - set:
+ field: event.kind
+ value: metric
+ - set:
+ field: event.module
+ value: apache_spark
+ - script:
+ lang: painless
+ description: This script will add the name of application under key 'driver/executor.application_name' and executor id under 'apache_spark.executor.id'
+ if: ctx?.apache_spark?.mbean?.contains("name=worker.") == false &&
+ ctx?.apache_spark?.mbean?.contains("name=worker.") == false &&
+ ctx?.apache_spark?.mbean?.contains("name=application.") == false
+ source: >-
+ def bean_name = ctx.apache_spark.mbean.toString().splitOnToken("=")[1];
+ def app_name = bean_name.splitOnToken(".")[0];
+ def executor_id = bean_name.splitOnToken(".")[1];
+ if (executor_id == "driver") {
+ ctx.apache_spark.driver.application_name = app_name;
+ } else {
+ ctx.apache_spark.executor.application_name = app_name;
+ ctx.apache_spark.executor.id = executor_id;
+ }
+ - remove:
+ field:
+ - apache_spark.mbean
+ - jolokia
+ ignore_failure: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/apache_spark/data_stream/executor/fields/base-fields.yml b/packages/apache_spark/data_stream/executor/fields/base-fields.yml
new file mode 100644
index 00000000000..e36d466bdd1
--- /dev/null
+++ b/packages/apache_spark/data_stream/executor/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/apache_spark/data_stream/executor/fields/ecs.yml b/packages/apache_spark/data_stream/executor/fields/ecs.yml
new file mode 100644
index 00000000000..ded177ab1a7
--- /dev/null
+++ b/packages/apache_spark/data_stream/executor/fields/ecs.yml
@@ -0,0 +1,12 @@
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.type
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: tags
+- external: ecs
+ name: service.address
+- external: ecs
+ name: service.type
diff --git a/packages/apache_spark/data_stream/executor/fields/fields.yml b/packages/apache_spark/data_stream/executor/fields/fields.yml
new file mode 100644
index 00000000000..d8071ed598e
--- /dev/null
+++ b/packages/apache_spark/data_stream/executor/fields/fields.yml
@@ -0,0 +1,301 @@ +- name: apache_spark + type: group + fields: + - name: executor + type: group + fields: + - name: application_name + type: keyword + description: Name of application. + - name: id + type: keyword + description: ID of executor. + - name: bytes + type: group + fields: + - name: read + type: long + description: Total number of bytes read. + - name: written + type: long + description: Total number of bytes written. + - name: memory + type: group + fields: + - name: direct_pool + type: long + description: Peak memory that the JVM is using for direct buffer pool. + - name: jvm + type: group + fields: + - name: heap + type: long + description: Peak memory usage of the heap that is used for object allocation. + - name: off_heap + type: long + description: Peak memory usage of non-heap memory that is used by the Java virtual machine. + - name: mapped_pool + type: long + description: Peak memory that the JVM is using for mapped buffer pool + - name: gc + type: group + fields: + - name: major + type: group + fields: + - name: count + type: long + description: Total major GC count. For example, the garbage collector is one of MarkSweepCompact, PS MarkSweep, ConcurrentMarkSweep, G1 Old Generation and so on. + - name: time + type: long + description: Elapsed total major GC time. The value is expressed in milliseconds. + - name: minor + type: group + fields: + - name: count + type: long + description: Total minor GC count. For example, the garbage collector is one of Copy, PS Scavenge, ParNew, G1 Young Generation and so on. + - name: time + type: long + description: Elapsed total minor GC time. The value is expressed in milliseconds. + - name: heap_memory + type: group + fields: + - name: off + type: group + fields: + - name: execution + type: long + description: Peak off heap execution memory in use, in bytes. + - name: storage + type: long + description: Peak off heap storage memory in use, in bytes. 
+ - name: unified + type: long + description: Peak off heap memory (execution and storage). + - name: on + type: group + fields: + - name: execution + type: long + description: Peak on heap execution memory in use, in bytes. + - name: storage + type: long + description: Peak on heap storage memory in use, in bytes. + - name: unified + type: long + description: Peak on heap memory (execution and storage). + - name: disk_bytes_spilled + type: long + description: Total number of disk bytes spilled. + - name: file_cache_hits + type: long + description: Total number of file cache hits. + - name: files_discovered + type: long + description: Total number of files discovered. + - name: filesystem + type: group + fields: + - name: file + type: group + fields: + - name: large_read_ops + type: long + description: Total number of large read operations from the files. + - name: read_bytes + type: long + description: Total number of bytes read from the files. + - name: read_ops + type: long + description: Total number of read operations from the files. + - name: write_bytes + type: long + description: Total number of bytes written from the files. + - name: write_ops + type: long + description: Total number of write operations from the files. + - name: hdfs + type: group + fields: + - name: large_read_ops + type: long + description: Total number of large read operations from HDFS. + - name: read_bytes + type: long + description: Total number of read bytes from HDFS. + - name: read_ops + type: long + description: Total number of read operations from HDFS. + - name: write_bytes + type: long + description: Total number of write bytes from HDFS. + - name: write_ops + type: long + description: Total number of write operations from HDFS. + - name: generated_class_size + type: long + description: Size of the class generated. + - name: generated_method_size + type: long + description: Size of the method generated. 
+ - name: hive_client_calls + type: long + description: Total number of Hive Client calls. + - name: jvm + type: group + fields: + - name: cpu_time + type: long + description: Elapsed CPU time the JVM spent. + - name: gc_time + type: long + description: Elapsed time the JVM spent in garbage collection while executing this task. + - name: memory_bytes_spilled + type: long + description: The number of in-memory bytes spilled by this task. + - name: parallel_listing_job_count + type: long + description: Number of jobs running parallely. + - name: partitions_fetched + type: long + description: Number of partitions fetched. + - name: process_tree + type: group + fields: + - name: jvm + type: group + fields: + - name: rss_memory + type: long + description: >- + Resident Set Size: number of pages the process has in real memory. This is just the pages which count toward text, data, or stack space. This does not include pages which have not been demand-loaded in, or which are swapped out. + - name: v_memory + type: long + description: Virtual memory size in bytes. + - name: other + type: group + fields: + - name: rss_memory + type: long + description: Resident Set Size for other kind of process. + - name: v_memory + type: long + description: Virtual memory size for other kind of process in bytes. + - name: python + type: group + fields: + - name: rss_memory + type: long + description: Resident Set Size for Python. + - name: v_memory + type: long + description: Virtual memory size for Python in bytes. + - name: records + type: group + fields: + - name: read + type: long + description: Total number of records read. + - name: written + type: long + description: Total number of records written. + - name: result + type: group + fields: + - name: size + type: long + description: The number of bytes this task transmitted back to the driver as the TaskResult. + - name: serialization_time + type: long + description: Elapsed time spent serializing the task result. 
The value is expressed in milliseconds. + - name: run_time + type: long + description: Elapsed time in the running this task + - name: shuffle + type: group + fields: + - name: client.used + type: group + fields: + - name: direct_memory + type: long + description: Amount of direct memory used by the shuffle client. + - name: heap_memory + type: long + description: Amount of heap memory used by the shuffle client. + - name: server.used + type: group + fields: + - name: direct_memory + type: long + description: Amount of direct memory used by the shuffle server. + - name: heap_memory + type: long + description: Amount of heap memory used by the shuffle server. + - name: bytes_written + type: long + description: Number of bytes written in shuffle operations. + - name: fetch_wait_time + type: long + description: Time the task spent waiting for remote shuffle blocks. + - name: local + type: group + fields: + - name: blocks_fetched + type: long + description: Number of local (as opposed to read from a remote executor) blocks fetched in shuffle operations. + - name: bytes_read + type: long + description: Number of bytes read in shuffle operations from local disk (as opposed to read from a remote executor). + - name: records + type: group + fields: + - name: read + type: long + description: Number of records read in shuffle operations. + - name: written + type: long + description: Number of records written in shuffle operations. + - name: remote + type: group + fields: + - name: blocks_fetched + type: long + description: Number of remote blocks fetched in shuffle operations. + - name: bytes_read + type: long + description: Number of remote bytes read in shuffle operations. + - name: bytes_read_to_disk + type: long + description: Number of remote bytes read to disk in shuffle operations. Large blocks are fetched to disk in shuffle read operations, as opposed to being read into memory, which is the default behavior. 
+ - name: total.bytes_read + type: long + description: Number of bytes read in shuffle operations (both local and remote) + - name: write.time + type: long + description: Time spent blocking on writes to disk or buffer cache. The value is expressed in nanoseconds. + - name: source_code_size + type: long + description: The total size of the source code. + - name: succeeded_tasks + type: long + description: The number of tasks succeeded. + - name: threadpool + type: group + fields: + - name: active_tasks + type: long + description: Number of tasks currently executing. + - name: complete_tasks + type: long + description: Number of tasks that have completed in this executor. + - name: current_pool_size + type: long + description: The size of the current thread pool of the executor. + - name: max_pool_size + type: long + description: The maximum size of the thread pool of the executor. + - name: started_tasks + type: long + description: The number of tasks started in the thread pool of the executor. diff --git a/packages/apache_spark/data_stream/executor/manifest.yml b/packages/apache_spark/data_stream/executor/manifest.yml new file mode 100644 index 00000000000..df27e364b70 --- /dev/null +++ b/packages/apache_spark/data_stream/executor/manifest.yml @@ -0,0 +1,30 @@ +title: Apache Spark executor metrics +type: metrics +streams: + - input: jolokia/metrics + title: Apache Spark executor metrics + description: Collect Apache Spark executor metrics using Jolokia agent. + vars: + - name: hosts + type: text + title: Hosts + multi: true + description: | + Full hosts for the Jolokia for Apache Spark (https://spark_main:jolokia_port). + required: true + show_user: true + - name: path + type: text + title: Path + multi: false + required: true + show_user: false + default: /jolokia/?ignoreErrors=true&canonicalNaming=false + - name: period + type: text + title: Period + multi: false + required: true + show_user: true + default: 60s + template_path: "stream.yml.hbs" 
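Review bot: `shuffle.server.used.direct_memory`, `shuffle.server.used.heap_memory`, `generated_class_size`, `generated_method_size` and `source_code_size` are declared in this file but no `jmx.mappings` entry in the executor `stream.yml.hbs` of this PR writes them, so they stay empty in the index unless a mapping for the server-side counterpart of the `ExternalShuffle.shuffle-client.*` beans (and for the code-generation metrics) is added, or the fields are removed. `run_time`'s description `Elapsed time in the running this task` is garbled; `Elapsed time spent running this task.` reads correctly, and stating the unit as the neighbouring `serialization_time` does would help. `parallel_listing_job_count` repeats the `running parallely` wording from the driver fields; `Number of parallel listing jobs.` is clearer.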
diff --git a/packages/apache_spark/data_stream/executor/sample_event.json b/packages/apache_spark/data_stream/executor/sample_event.json new file mode 100644 index 00000000000..3340376f325 --- /dev/null +++ b/packages/apache_spark/data_stream/executor/sample_event.json @@ -0,0 +1,72 @@ +{ + "@timestamp": "2022-04-11T08:29:56.056Z", + "agent": { + "ephemeral_id": "c7d892ac-3b23-471c-80e4-041490eaab8d", + "id": "c5e2a51e-e10a-4561-9861-75b38aa09f4b", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.1.0" + }, + "apache_spark": { + "executor": { + "application_name": "app-20220411082945-0000", + "gc": { + "major": { + "count": 0 + } + }, + "id": "0" + } + }, + "data_stream": { + "dataset": "apache_spark.executor", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.1.0" + }, + "elastic_agent": { + "id": "c5e2a51e-e10a-4561-9861-75b38aa09f4b", + "snapshot": false, + "version": "8.1.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "apache_spark.executor", + "duration": 32964497, + "ingested": "2022-04-11T08:29:59Z", + "kind": "metric", + "module": "apache_spark", + "type": "info" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "172.23.0.7" + ], + "mac": [ + "02:42:ac:17:00:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-107-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "jmx", + "period": 60000 + }, + "service": { + "address": "http://apache-spark-main:7780/jolokia/%3FignoreErrors=true\u0026canonicalNaming=false", + "type": "jolokia" + } +} \ No newline at end of file diff --git a/packages/apache_spark/docs/README.md b/packages/apache_spark/docs/README.md index a7ef644afa4..42910979066 100644 --- a/packages/apache_spark/docs/README.md 
+++ b/packages/apache_spark/docs/README.md
@@ -1,4 +1,4 @@
-# Apache Spark
+# Apache Spark Integration
The Apache Spark integration collects and parses data using the Jolokia Metricbeat Module.
@@ -63,6 +63,442 @@ Follow the same set of steps for Spark Worker, Driver and Executor. ## Metrics +### Application + +This is the `application` data stream. + +An example event for `application` looks as following: + +```json +{ + "@timestamp": "2022-04-11T09:45:08.887Z", + "agent": { + "ephemeral_id": "fd3ce7d1-e237-45c7-88f9-875edafec41e", + "id": "e7990c69-6909-48d1-be06-89dbe36d302c", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.1.0" + }, + "apache_spark": { + "application": { + "name": "PythonWordCount.1649670292906", + "runtime": { + "ms": 16007 + } + } + }, + "data_stream": { + "dataset": "apache_spark.application", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.1.0" + }, + "elastic_agent": { + "id": "e7990c69-6909-48d1-be06-89dbe36d302c", + "snapshot": false, + "version": "8.1.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "apache_spark.application", + "duration": 21401735, + "ingested": "2022-04-11T09:45:12Z", + "kind": "metric", + "module": "apache_spark", + "type": "info" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.0.5" + ], + "mac": [ + "02:42:c0:a8:00:05" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-107-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "jmx", + "period": 60000 + }, + "service": { + "address": "http://apache-spark-main:7777/jolokia/%3FignoreErrors=true\u0026canonicalNaming=false", + "type": "jolokia" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| apache_spark.application.cores | Number of cores. | long | +| apache_spark.application.name | Name of the application. 
| keyword | +| apache_spark.application.runtime.ms | Time taken to run the application (ms). | long | +| apache_spark.application.status | Current status of the application. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. 
The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| tags | List of keywords used to tag each event. | keyword | + + +### Driver + +This is the `driver` data stream. + +An example event for `driver` looks as following: + +```json +{ + "@timestamp": "2022-04-06T09:28:29.830Z", + "agent": { + "ephemeral_id": "0136f072-d8da-429f-92f9-310435dbeb07", + "id": "b92a6ed6-a92c-4064-9b78-b3b21cab191c", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.1.0" + }, + "apache_spark": { + "driver": { + "application_name": "app-20220406092805-0000", + "executor_metrics": { + "memory": { + "jvm": { + "heap": 288770488 + } + } + } + } + }, + "data_stream": { + "dataset": "apache_spark.driver", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.1.0" + }, + "elastic_agent": { + "id": "b92a6ed6-a92c-4064-9b78-b3b21cab191c", + "snapshot": false, + "version": "8.1.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "apache_spark.driver", + "duration": 51414715, + "ingested": "2022-04-06T09:28:33Z", + "kind": "metric", + "module": "apache_spark", + "type": "info" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.80.7" + ], + "mac": [ + "02:42:c0:a8:50:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-100-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "jmx", + "period": 60000 + }, + "service": { + "address": "http://apache-spark-main:7779/jolokia/%3FignoreErrors=true\u0026canonicalNaming=false", + "type": "jolokia" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. 
| date | +| apache_spark.driver.application_name | Name of the application. | keyword | +| apache_spark.driver.dag_scheduler.job.active | Number of active jobs. | long | +| apache_spark.driver.dag_scheduler.job.all | Total number of jobs. | long | +| apache_spark.driver.dag_scheduler.stages.failed | Number of failed stages. | long | +| apache_spark.driver.dag_scheduler.stages.running | Number of running stages. | long | +| apache_spark.driver.dag_scheduler.stages.waiting | Number of waiting stages | long | +| apache_spark.driver.disk.space_used | Amount of the disk space utilized in MB. | long | +| apache_spark.driver.executor_metrics.gc.major.count | Total major GC count. For example, the garbage collector is one of MarkSweepCompact, PS MarkSweep, ConcurrentMarkSweep, G1 Old Generation and so on. | long | +| apache_spark.driver.executor_metrics.gc.major.time | Elapsed total major GC time. The value is expressed in milliseconds. | long | +| apache_spark.driver.executor_metrics.gc.minor.count | Total minor GC count. For example, the garbage collector is one of Copy, PS Scavenge, ParNew, G1 Young Generation and so on. | long | +| apache_spark.driver.executor_metrics.gc.minor.time | Elapsed total minor GC time. The value is expressed in milliseconds. | long | +| apache_spark.driver.executor_metrics.heap_memory.off.execution | Peak off heap execution memory in use, in bytes. | long | +| apache_spark.driver.executor_metrics.heap_memory.off.storage | Peak off heap storage memory in use, in bytes. | long | +| apache_spark.driver.executor_metrics.heap_memory.off.unified | Peak off heap memory (execution and storage). | long | +| apache_spark.driver.executor_metrics.heap_memory.on.execution | Peak on heap execution memory in use, in bytes. | long | +| apache_spark.driver.executor_metrics.heap_memory.on.storage | Peak on heap storage memory in use, in bytes. | long | +| apache_spark.driver.executor_metrics.heap_memory.on.unified | Peak on heap memory (execution and storage). 
| long | +| apache_spark.driver.executor_metrics.memory.direct_pool | Peak memory that the JVM is using for direct buffer pool. | long | +| apache_spark.driver.executor_metrics.memory.jvm.heap | Peak memory usage of the heap that is used for object allocation. | long | +| apache_spark.driver.executor_metrics.memory.jvm.off_heap | Peak memory usage of non-heap memory that is used by the Java virtual machine. | long | +| apache_spark.driver.executor_metrics.memory.mapped_pool | Peak memory that the JVM is using for mapped buffer pool | long | +| apache_spark.driver.executor_metrics.process_tree.jvm.rss_memory | Resident Set Size: number of pages the process has in real memory. This is just the pages which count toward text, data, or stack space. This does not include pages which have not been demand-loaded in, or which are swapped out. | long | +| apache_spark.driver.executor_metrics.process_tree.jvm.v_memory | Virtual memory size in bytes. | long | +| apache_spark.driver.executor_metrics.process_tree.other.rss_memory | | long | +| apache_spark.driver.executor_metrics.process_tree.other.v_memory | | long | +| apache_spark.driver.executor_metrics.process_tree.python.rss_memory | | long | +| apache_spark.driver.executor_metrics.process_tree.python.v_memory | | long | +| apache_spark.driver.executors.all | Total number of executors. | long | +| apache_spark.driver.executors.decommission_unfinished | Total number of decommissioned unfinished executors. | long | +| apache_spark.driver.executors.exited_unexpectedly | Total number of executors exited unexpectedly. | long | +| apache_spark.driver.executors.gracefully_decommissioned | Total number of executors gracefully decommissioned. | long | +| apache_spark.driver.executors.killed_by_driver | Total number of executors killed by driver. | long | +| apache_spark.driver.executors.max_needed | Maximum number of executors needed. 
| long | +| apache_spark.driver.executors.pending_to_remove | Total number of executors pending to be removed. | long | +| apache_spark.driver.executors.target | Total number of target executors. | long | +| apache_spark.driver.executors.to_add | Total number of executors to be added. | long | +| apache_spark.driver.hive_external_catalog.file_cache_hits | Total number of file cache hits. | long | +| apache_spark.driver.hive_external_catalog.files_discovered | Total number of files discovered. | long | +| apache_spark.driver.hive_external_catalog.hive_client_calls | Total number of Hive Client calls. | long | +| apache_spark.driver.hive_external_catalog.parallel_listing_job.count | Number of jobs running parallely. | long | +| apache_spark.driver.hive_external_catalog.partitions_fetched | Number of partitions fetched. | long | +| apache_spark.driver.job_duration | Duration of the job. | long | +| apache_spark.driver.jobs.failed | Number of failed jobs. | long | +| apache_spark.driver.jobs.succeeded | Number of successful jobs. | long | +| apache_spark.driver.jvm.cpu.time | Elapsed CPU time the JVM spent. | long | +| apache_spark.driver.memory.max_mem | Maximum amount of memory available for storage, in MB. | long | +| apache_spark.driver.memory.off_heap.max | Maximum amount of off heap memory available, in MB. | long | +| apache_spark.driver.memory.off_heap.remaining | Remaining amount of off heap memory, in MB. | long | +| apache_spark.driver.memory.off_heap.used | Total amount of off heap memory used, in MB. | long | +| apache_spark.driver.memory.on_heap.max | Maximum amount of on heap memory available, in MB. | long | +| apache_spark.driver.memory.on_heap.remaining | Remaining amount of on heap memory, in MB. | long | +| apache_spark.driver.memory.on_heap.used | Total amount of on heap memory used, in MB. | long | +| apache_spark.driver.memory.remaining | Remaining amount of storage memory, in MB. 
| long | +| apache_spark.driver.memory.used | Total amount of memory used for storage, in MB. | long | +| apache_spark.driver.spark.streaming.event_time.watermark | | long | +| apache_spark.driver.spark.streaming.input_rate.total | Total rate of the input. | double | +| apache_spark.driver.spark.streaming.latency | | long | +| apache_spark.driver.spark.streaming.processing_rate.total | Total rate of processing. | double | +| apache_spark.driver.spark.streaming.states.rows.total | Total number of rows. | long | +| apache_spark.driver.spark.streaming.states.used_bytes | Total number of bytes utilized. | long | +| apache_spark.driver.stages.completed_count | Total number of completed stages. | long | +| apache_spark.driver.stages.failed_count | Total number of failed stages. | long | +| apache_spark.driver.stages.skipped_count | Total number of skipped stages. | long | +| apache_spark.driver.tasks.completed | Number of completed tasks. | long | +| apache_spark.driver.tasks.executors.black_listed | Number of blacklisted executors for the tasks. | long | +| apache_spark.driver.tasks.executors.excluded | Number of excluded executors for the tasks. | long | +| apache_spark.driver.tasks.executors.unblack_listed | Number of unblacklisted executors for the tasks. | long | +| apache_spark.driver.tasks.executors.unexcluded | Number of unexcluded executors for the tasks. | long | +| apache_spark.driver.tasks.failed | Number of failed tasks. | long | +| apache_spark.driver.tasks.killed | Number of killed tasks. | long | +| apache_spark.driver.tasks.skipped | Number of skipped tasks. | long | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| tags | List of keywords used to tag each event. | keyword | + + +### Executor + +This is the `executor` data stream. 
+ +An example event for `executor` looks as following: + +```json +{ + "@timestamp": "2022-04-11T08:29:56.056Z", + "agent": { + "ephemeral_id": "c7d892ac-3b23-471c-80e4-041490eaab8d", + "id": "c5e2a51e-e10a-4561-9861-75b38aa09f4b", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.1.0" + }, + "apache_spark": { + "executor": { + "application_name": "app-20220411082945-0000", + "gc": { + "major": { + "count": 0 + } + }, + "id": "0" + } + }, + "data_stream": { + "dataset": "apache_spark.executor", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.1.0" + }, + "elastic_agent": { + "id": "c5e2a51e-e10a-4561-9861-75b38aa09f4b", + "snapshot": false, + "version": "8.1.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "apache_spark.executor", + "duration": 32964497, + "ingested": "2022-04-11T08:29:59Z", + "kind": "metric", + "module": "apache_spark", + "type": "info" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "172.23.0.7" + ], + "mac": [ + "02:42:ac:17:00:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.4.0-107-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "jmx", + "period": 60000 + }, + "service": { + "address": "http://apache-spark-main:7780/jolokia/%3FignoreErrors=true\u0026canonicalNaming=false", + "type": "jolokia" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| apache_spark.executor.application_name | Name of application. | keyword | +| apache_spark.executor.bytes.read | Total number of bytes read. | long | +| apache_spark.executor.bytes.written | Total number of bytes written. | long | +| apache_spark.executor.disk_bytes_spilled | Total number of disk bytes spilled. 
| long | +| apache_spark.executor.file_cache_hits | Total number of file cache hits. | long | +| apache_spark.executor.files_discovered | Total number of files discovered. | long | +| apache_spark.executor.filesystem.file.large_read_ops | Total number of large read operations from the files. | long | +| apache_spark.executor.filesystem.file.read_bytes | Total number of bytes read from the files. | long | +| apache_spark.executor.filesystem.file.read_ops | Total number of read operations from the files. | long | +| apache_spark.executor.filesystem.file.write_bytes | Total number of bytes written from the files. | long | +| apache_spark.executor.filesystem.file.write_ops | Total number of write operations from the files. | long | +| apache_spark.executor.filesystem.hdfs.large_read_ops | Total number of large read operations from HDFS. | long | +| apache_spark.executor.filesystem.hdfs.read_bytes | Total number of read bytes from HDFS. | long | +| apache_spark.executor.filesystem.hdfs.read_ops | Total number of read operations from HDFS. | long | +| apache_spark.executor.filesystem.hdfs.write_bytes | Total number of write bytes from HDFS. | long | +| apache_spark.executor.filesystem.hdfs.write_ops | Total number of write operations from HDFS. | long | +| apache_spark.executor.gc.major.count | Total major GC count. For example, the garbage collector is one of MarkSweepCompact, PS MarkSweep, ConcurrentMarkSweep, G1 Old Generation and so on. | long | +| apache_spark.executor.gc.major.time | Elapsed total major GC time. The value is expressed in milliseconds. | long | +| apache_spark.executor.gc.minor.count | Total minor GC count. For example, the garbage collector is one of Copy, PS Scavenge, ParNew, G1 Young Generation and so on. | long | +| apache_spark.executor.gc.minor.time | Elapsed total minor GC time. The value is expressed in milliseconds. | long | +| apache_spark.executor.generated_class_size | Size of the class generated. 
| long | +| apache_spark.executor.generated_method_size | Size of the method generated. | long | +| apache_spark.executor.heap_memory.off.execution | Peak off heap execution memory in use, in bytes. | long | +| apache_spark.executor.heap_memory.off.storage | Peak off heap storage memory in use, in bytes. | long | +| apache_spark.executor.heap_memory.off.unified | Peak off heap memory (execution and storage). | long | +| apache_spark.executor.heap_memory.on.execution | Peak on heap execution memory in use, in bytes. | long | +| apache_spark.executor.heap_memory.on.storage | Peak on heap storage memory in use, in bytes. | long | +| apache_spark.executor.heap_memory.on.unified | Peak on heap memory (execution and storage). | long | +| apache_spark.executor.hive_client_calls | Total number of Hive Client calls. | long | +| apache_spark.executor.id | ID of executor. | keyword | +| apache_spark.executor.jvm.cpu_time | Elapsed CPU time the JVM spent. | long | +| apache_spark.executor.jvm.gc_time | Elapsed time the JVM spent in garbage collection while executing this task. | long | +| apache_spark.executor.memory.direct_pool | Peak memory that the JVM is using for direct buffer pool. | long | +| apache_spark.executor.memory.jvm.heap | Peak memory usage of the heap that is used for object allocation. | long | +| apache_spark.executor.memory.jvm.off_heap | Peak memory usage of non-heap memory that is used by the Java virtual machine. | long | +| apache_spark.executor.memory.mapped_pool | Peak memory that the JVM is using for mapped buffer pool | long | +| apache_spark.executor.memory_bytes_spilled | The number of in-memory bytes spilled by this task. | long | +| apache_spark.executor.parallel_listing_job_count | Number of jobs running parallely. | long | +| apache_spark.executor.partitions_fetched | Number of partitions fetched. | long | +| apache_spark.executor.process_tree.jvm.rss_memory | Resident Set Size: number of pages the process has in real memory. 
This is just the pages which count toward text, data, or stack space. This does not include pages which have not been demand-loaded in, or which are swapped out. | long | +| apache_spark.executor.process_tree.jvm.v_memory | Virtual memory size in bytes. | long | +| apache_spark.executor.process_tree.other.rss_memory | Resident Set Size for other kind of process. | long | +| apache_spark.executor.process_tree.other.v_memory | Virtual memory size for other kind of process in bytes. | long | +| apache_spark.executor.process_tree.python.rss_memory | Resident Set Size for Python. | long | +| apache_spark.executor.process_tree.python.v_memory | Virtual memory size for Python in bytes. | long | +| apache_spark.executor.records.read | Total number of records read. | long | +| apache_spark.executor.records.written | Total number of records written. | long | +| apache_spark.executor.result.serialization_time | Elapsed time spent serializing the task result. The value is expressed in milliseconds. | long | +| apache_spark.executor.result.size | The number of bytes this task transmitted back to the driver as the TaskResult. | long | +| apache_spark.executor.run_time | Elapsed time in the running this task | long | +| apache_spark.executor.shuffle.bytes_written | Number of bytes written in shuffle operations. | long | +| apache_spark.executor.shuffle.client.used.direct_memory | Amount of direct memory used by the shuffle client. | long | +| apache_spark.executor.shuffle.client.used.heap_memory | Amount of heap memory used by the shuffle client. | long | +| apache_spark.executor.shuffle.fetch_wait_time | Time the task spent waiting for remote shuffle blocks. | long | +| apache_spark.executor.shuffle.local.blocks_fetched | Number of local (as opposed to read from a remote executor) blocks fetched in shuffle operations. 
| long | +| apache_spark.executor.shuffle.local.bytes_read | Number of bytes read in shuffle operations from local disk (as opposed to read from a remote executor). | long | +| apache_spark.executor.shuffle.records.read | Number of records read in shuffle operations. | long | +| apache_spark.executor.shuffle.records.written | Number of records written in shuffle operations. | long | +| apache_spark.executor.shuffle.remote.blocks_fetched | Number of remote blocks fetched in shuffle operations. | long | +| apache_spark.executor.shuffle.remote.bytes_read | Number of remote bytes read in shuffle operations. | long | +| apache_spark.executor.shuffle.remote.bytes_read_to_disk | Number of remote bytes read to disk in shuffle operations. Large blocks are fetched to disk in shuffle read operations, as opposed to being read into memory, which is the default behavior. | long | +| apache_spark.executor.shuffle.server.used.direct_memory | Amount of direct memory used by the shuffle server. | long | +| apache_spark.executor.shuffle.server.used.heap_memory | Amount of heap memory used by the shuffle server. | long | +| apache_spark.executor.shuffle.total.bytes_read | Number of bytes read in shuffle operations (both local and remote) | long | +| apache_spark.executor.shuffle.write.time | Time spent blocking on writes to disk or buffer cache. The value is expressed in nanoseconds. | long | +| apache_spark.executor.source_code_size | The total size of the source code. | long | +| apache_spark.executor.succeeded_tasks | The number of tasks succeeded. | long | +| apache_spark.executor.threadpool.active_tasks | Number of tasks currently executing. | long | +| apache_spark.executor.threadpool.complete_tasks | Number of tasks that have completed in this executor. | long | +| apache_spark.executor.threadpool.current_pool_size | The size of the current thread pool of the executor. 
| long | +| apache_spark.executor.threadpool.max_pool_size | The maximum size of the thread pool of the executor. | long | +| apache_spark.executor.threadpool.started_tasks | The number of tasks started in the thread pool of the executor. | long | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| tags | List of keywords used to tag each event. | keyword | + + ### Nodes This is the `nodes` data stream. diff --git a/packages/awsfargate/changelog.yml b/packages/awsfargate/changelog.yml index 18d1b7469f9..9a85746c8d5 100644 --- a/packages/awsfargate/changelog.yml +++ b/packages/awsfargate/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 0.1.1 + changes: + - description: Improve description and screenshots + type: enhancement + link: https://github.com/elastic/integrations/pull/3109 - version: 0.1.0 changes: - description: initial release diff --git a/packages/awsfargate/img/awsfargate-integration-overview.png b/packages/awsfargate/img/awsfargate-integration-overview.png new file mode 100644 index 00000000000..90a1f7bf5f3 Binary files /dev/null and b/packages/awsfargate/img/awsfargate-integration-overview.png differ diff --git a/packages/awsfargate/img/metricbeat-awsfargate-overview.png b/packages/awsfargate/img/metricbeat-awsfargate-overview.png deleted file mode 100644 index 0ede6104257..00000000000 Binary files a/packages/awsfargate/img/metricbeat-awsfargate-overview.png and /dev/null differ diff --git a/packages/awsfargate/manifest.yml b/packages/awsfargate/manifest.yml index 040d722b4b5..514057fa480 100644 --- a/packages/awsfargate/manifest.yml +++ b/packages/awsfargate/manifest.yml @@ -1,9 +1,9 @@ format_version: 1.0.0 name: awsfargate title: AWS Fargate -version: 0.1.0 +version: 0.1.1 license: basic -description: AWS Fargate Integration +description: Collects metrics from containers and tasks running on Amazon ECS clusters with Elastic Agent. type: integration categories: - aws 
@@ -15,8 +15,8 @@ conditions: owner: github: elastic/obs-cloud-monitoring screenshots: - - src: /img/metricbeat-awsfargate-overview.png - title: metricbeat awsfargate overview + - src: /img/awsfargate-integration-overview.png + title: awsfargate integration overview size: 5108x2522 type: image/png icons: @@ -30,5 +30,5 @@ policy_templates: description: Collect metrics from instances running on Amazon ECS clusters inputs: - type: awsfargate/metrics - title: Collect task_stats metrics from ECS - description: Collecting task_stats metrics from AWS Fargate instances running on an Amazon ECS cluster + title: Collects task_stats metrics from ECS + description: Collecting task_stats metrics from AWS Fargate instances running on an Amazon ECS cluster. diff --git a/packages/cis_kubernetes_benchmark/kibana/csp_rule_template/csp_rule_template-41308bcdaaf665761478bb6f0d745a5c.json b/packages/cis_kubernetes_benchmark/kibana/csp_rule_template/csp_rule_template-41308bcdaaf665761478bb6f0d745a5c.json new file mode 100644 index 00000000000..303bd09adc2 --- /dev/null +++ b/packages/cis_kubernetes_benchmark/kibana/csp_rule_template/csp_rule_template-41308bcdaaf665761478bb6f0d745a5c.json 
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "id": "41308bcdaaf665761478bb6f0d745a5c",
+ "name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",
+ "tags": [
+ "CIS",
+ "Kubernetes",
+ "CIS 1.1.1",
+ "Master Node Configuration Files"
+ ],
+ "description": "Ensure that the API server pod specification file has permissions of `644` or more restrictive.\n",
+ "rationale": "The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n",
+ "default_value": "By default, the `kube-apiserver.yaml` file has permissions of `640`.\n",
+ "impact": "None\n",
+ "remediation": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nchmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n",
+ "benchmark": {
+ "name": "CIS Kubernetes V1.20",
+ "version": "v1.0.0"
+ },
+ "enabled": true,
+ "muted": false,
+ "rego_rule_id": "cis_1_2_2"
+ },
+ "id": "csp_rule_template-41308bcdaaf665761478bb6f0d745a5c",
+ "type": "csp-rule-template"
+}
\ No newline at end of file
diff --git a/packages/cis_kubernetes_benchmark/manifest.yml b/packages/cis_kubernetes_benchmark/manifest.yml
index 91f4f468dd9..3d107754be5
--- a/packages/cis_kubernetes_benchmark/manifest.yml
+++ b/packages/cis_kubernetes_benchmark/manifest.yml
@@ -1,6 +1,6 @@
 format_version: 1.0.0
 name: cis_kubernetes_benchmark
-title: "CIS Kubernetes Benchmark"
+title: "CIS Kubernetes Benchmark - deprecated"
 version: 0.0.1
 license: basic
 description: "Check Kubernetes cluster compliance with the Kubernetes CIS benchmark."
diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml
index 7d19cd40f95..ff5e2a61053
--- a/packages/cisco_asa/changelog.yml
+++ b/packages/cisco_asa/changelog.yml
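Review bot: `rego_rule_id` is set to `cis_1_2_2` while the template's `name` and its `CIS 1.1.1` tag identify the control as the API server pod specification file permission check, so the two identifiers appear to disagree. If the rego id is expected to track the benchmark section, this template would be bound to the evaluation logic of a different control and the resulting posture finding would be mislabelled; the rego rule catalogue is not visible in this diff, so the mapping may be intentional, but it should be confirmed against it before the template ships. Whichever side is wrong, only that one line (`"CIS 1.1.1"` in `tags` or `"rego_rule_id": "cis_1_2_2"`) should change, since `name`, `description` and `remediation` all consistently describe the 644-permission check.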
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.2.2"
+ changes:
+ - description: Change visualizations to use event.code instead of cisco.asa.message_id.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3146
- version: "2.2.1"
changes:
- description: Add documentation for multi-fields
diff --git a/packages/cisco_asa/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json
index 259860e15d7..2eb9a6671b9 100644
--- a/packages/cisco_asa/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json
+++ b/packages/cisco_asa/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json
@@ -12,7 +12,7 @@
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
"query": {
"language": "kuery",
- "query": "cisco.asa.message_id :*"
+ "query": "data_stream.dataset:cisco_asa.log"
},
"version": true
}
diff --git a/packages/cisco_asa/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json
index bfa6da49fd4..d96062fdd08 100644
--- a/packages/cisco_asa/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json
+++ b/packages/cisco_asa/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json
@@ -12,7 +12,7 @@
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
"query": {
"language": "kuery",
- "query": "cisco.asa.message_id:* and event.action:\"flow-expiration\""
+ "query": "data_stream.dataset:cisco_asa.log and event.action:\"flow-expiration\""
},
"version": true
}
diff --git a/packages/cisco_asa/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json
index dd788d0ca6a..67d1ba8da38 100644
--- a/packages/cisco_asa/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json
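Review bot: The saved-search query changes from `cisco.asa.message_id :*` to `data_stream.dataset:cisco_asa.log`, which is wider than the changelog entry on this same line (`use event.code instead of cisco.asa.message_id`) describes: the old query only returned events that carried a message id, the new one returns every document in the dataset, including events the pipeline could not assign a code to. If parity was the goal, `"query": "event.code:*"` is the direct replacement; the same applies to the `cisco_asa-753406e0…` search further along this line and the `cisco_asa-96c6ff60…` search on the next line, which swap the same prefix. If the widening is deliberate it is worth stating in the changelog entry, since dashboards built on these searches will now count unparsed events too.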
+++ b/packages/cisco_asa/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json
@@ -12,7 +12,7 @@
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
"query": {
"language": "kuery",
- "query": "cisco.asa.message_id:* and event.action:\"firewall-rule\""
+ "query": "data_stream.dataset:cisco_asa.log and event.action:\"firewall-rule\""
},
"version": true
}
diff --git a/packages/cisco_asa/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json
index 31977af7058..e43aad55aa9 100644
--- a/packages/cisco_asa/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json
+++ b/packages/cisco_asa/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json
@@ -30,7 +30,7 @@
"id": "2",
"params": {
"customLabel": "ID",
- "field": "cisco.asa.message_id",
+ "field": "event.code",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
index 14556ea0860..afee0560416 100644
--- a/packages/cisco_asa/manifest.yml
+++ b/packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: cisco_asa
title: Cisco ASA
-version: 2.2.1
+version: 2.2.2
license: basic
description: Collect logs from Cisco ASA with Elastic Agent.
type: integration
diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml
index 8d9ee38cb63..446b0652ded 100644
--- a/packages/cisco_duo/changelog.yml
+++ b/packages/cisco_duo/changelog.yml
@@ -1,4 +1,14 @@
# newer versions go on top
+- version: "1.1.6"
+ changes:
+ - description: Simplify IP grok patterns.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3170
+- version: "1.1.5"
+ changes:
+ - description: Fix handling of IP addresses with port numbers.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3117
- version: "1.1.4"
changes:
- description: Fix dashboard issues.
diff --git a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log
index 0e446a74184..3e6e8a71ee6 100644
--- a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log
+++ b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log
@@ -2,4 +2,12 @@
{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:21:51.271776+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1627024911,"txid":"fa59a691-9139-43e9-9854-f9e1dbf72af5","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.131","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-08-12T09:14:23.060168+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1628759663,"txid":"861a81e7-1f60-4865-95eb-57d9c43ce073","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:20:54.700050+00:00","ood_software":null,"reason":"user_marked_fraud","result":"fraud","timestamp":1627024854,"txid":"78e1a910-350b-4226-828b-edb0ac2f2e3c","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
-{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
\ No newline at end of file
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.112:1234","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"192.168.225.254:4321","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:1234","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:4321","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6#1234","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6#4321","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6p1234","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6p4321","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6:1234","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6:4321","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 port 1234","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 port 4321","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6.1234","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6.4321","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}
diff --git a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
index dc350dbbf4e..e1d61a4cc33 100644
--- a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
+++ b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
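Review bot: Every IPv6 value in the added fixture lines is a full eight-group address, so the `…:e09a:6fc6:1234` case is only unambiguous because a ninth group cannot belong to the address; an address written with `::` compression followed by `:<port>` is the input a port-stripping grok pattern is most likely to split wrongly, and none of the new lines exercise it. One more line with a compressed address and a trailing `:<port>` in both `access_device.ip` and `auth_device.ip` would pin that behaviour against the expected output. All nine added events also share the same `txid` (`e22120cd-…`) and timestamp, so a mismatch between this file and the expected JSON can only be located by position; a distinct txid per case would make a failing pipeline test easier to attribute.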
@@ -583,6 +583,828 @@ }, "version": "92.0.4515.107" } + }, + { + "@timestamp": "2021-07-23T07:19:34.000Z", + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "89.160.20.112", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "port": 1234 + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" + }, + "auth_device": { + "ip": "192.168.225.254", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "+91 12345 12345", + "port": 4321 + }, + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_mistake", + "result": "denied", + "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.112:1234\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"192.168.225.254:4321\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 
12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_mistake", + "type": "info" + }, + "related": { + "ip": [ + "89.160.20.112", + "192.168.225.254" + ] + }, + "source": { + "address": "89.160.20.112:1234", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "port": 1234, + "user": { + "group": { + "name": [ + "AD Sync" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "92.0.4515.107" + } + }, + { + "@timestamp": "2021-07-23T07:19:34.000Z", + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + } + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" + }, + "auth_device": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + 
}, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "+91 12345 12345" + }, + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_mistake", + "result": "denied", + "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_mistake", + "type": "info" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": 
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "user": { + "group": { + "name": [ + "AD Sync" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "92.0.4515.107" + } + }, + { + "@timestamp": "2021-07-23T07:19:34.000Z", + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "port": 1234 + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" + }, + "auth_device": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "+91 12345 12345", + "port": 4321 + }, + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_mistake", + "result": "denied", + "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:1234\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United 
States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:4321\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_mistake", + "type": "info" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "address": "[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:1234", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 1234, + "user": { + "group": { + "name": [ + "AD Sync" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "92.0.4515.107" + } + }, + { + "@timestamp": "2021-07-23T07:19:34.000Z", + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "port": 1234 + }, + 
"application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" + }, + "auth_device": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "+91 12345 12345", + "port": 4321 + }, + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_mistake", + "result": "denied", + "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6#1234\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6#4321\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_mistake", + "type": "info" + }, + "related": { + "ip": [ + 
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6#1234", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 1234, + "user": { + "group": { + "name": [ + "AD Sync" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "92.0.4515.107" + } + }, + { + "@timestamp": "2021-07-23T07:19:34.000Z", + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "port": 1234 + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" + }, + "auth_device": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "+91 12345 12345", + "port": 4321 + }, + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_mistake", + "result": "denied", + "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "authentication", + "kind": "event", + "original": 
"{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6p1234\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6p4321\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_mistake", + "type": "info" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6p1234", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 1234, + "user": { + "group": { + "name": [ + "AD Sync" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "92.0.4515.107" + } + }, + { + "@timestamp": "2021-07-23T07:19:34.000Z", + "cisco_duo": { 
+ "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "port": 1234 + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" + }, + "auth_device": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "+91 12345 12345", + "port": 4321 + }, + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_mistake", + "result": "denied", + "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6:1234\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6:4321\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 
12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_mistake", + "type": "info" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6:1234", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 1234, + "user": { + "group": { + "name": [ + "AD Sync" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "92.0.4515.107" + } + }, + { + "@timestamp": "2021-07-23T07:19:34.000Z", + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "port": 1234 + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" + }, + "auth_device": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "location": { + "city": "Ann Arbor", + "country": "United 
States", + "state": "Michigan" + }, + "name": "+91 12345 12345", + "port": 4321 + }, + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_mistake", + "result": "denied", + "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 port 1234\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 port 4321\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_mistake", + "type": "info" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 port 1234", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 1234, + "user": { + "group": { + "name": [ + "AD Sync" 
+ ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "92.0.4515.107" + } + }, + { + "@timestamp": "2021-07-23T07:19:34.000Z", + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "port": 1234 + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Duo Access Gateway Launcher" + }, + "auth_device": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "+91 12345 12345", + "port": 4321 + }, + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_mistake", + "result": "denied", + "txid": "e22120cd-7388-424f-aa0a-b60cad42d8f3" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "authentication", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6.1234\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United 
States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6.4321\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}", + "outcome": "failed", + "reason": "user_mistake", + "type": "info" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6.1234", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 1234, + "user": { + "group": { + "name": [ + "AD Sync" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "92.0.4515.107" + } } ] } \ No newline at end of file diff --git a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-common-config.yml b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-common-config.yml index 5622947e4b8..4da22641654 100644 --- a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-common-config.yml +++ b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-common-config.yml 
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
index 7aa4a99edee..130c2954e85 100644
--- a/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
@@ -45,13 +45,58 @@ processors:
 copy_from: json.reason
 ignore_failure: true
 - set:
- field: source.ip
+ field: source.address
 copy_from: json.access_device.ip
+ - grok:
+ field: json.access_device.ip
+ patterns:
+ - "^%{IPV4:json.access_device.ip}:%{PORT:json.access_device.port}$"
+ - "^\\[%{IPV6:json.access_device.ip}\\]:%{PORT:json.access_device.port}$"
+ - "^%{IPV6NOCOMPRESS:json.access_device.ip}:%{PORT:json.access_device.port}$"
+ - "^%{IPV6:json.access_device.ip}%{IPV6PORTSEP}%{PORT:json.access_device.port}$"
+ pattern_definitions:
+ IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}'
+ IPV6PORTSEP: '(?: port |[p#.])'
+ PORT: '[0-9]+'
+ ignore_missing: true
 ignore_failure: true
+ - convert:
+ field: json.access_device.ip
+ type: ip
+ ignore_missing: true
+ - convert:
+ field: json.access_device.port
+ type: long
+ ignore_missing: true
 - set:
- field: source.address
+ field: source.ip
 copy_from: json.access_device.ip
 ignore_failure: true
+ - set:
+ field: source.port
+ copy_from: json.access_device.port
+ ignore_failure: true
+ - grok:
+ field: json.auth_device.ip
+ patterns:
+ - "^%{IPV4:json.auth_device.ip}:%{PORT:json.auth_device.port}$"
+ - "^\\[%{IPV6:json.auth_device.ip}\\]:%{PORT:json.auth_device.port}$"
+ - "^%{IPV6NOCOMPRESS:json.auth_device.ip}:%{PORT:json.auth_device.port}$"
+ - "^%{IPV6:json.auth_device.ip}%{IPV6PORTSEP}%{PORT:json.auth_device.port}$"
+ pattern_definitions:
+ IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}'
+ IPV6PORTSEP: '(?: port |[p#.])'
+ PORT: '[0-9]+'
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.auth_device.ip
+ type: ip
+ ignore_missing: true
+ - convert:
+ field: json.auth_device.port
+ type: long
+ ignore_missing: true
 - set:
 field: source.address
 copy_from: json.access_device.hostname
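Review bot: The two `convert` processors with `type: ip` are the only processors in this hunk without `ignore_failure: true`, so a value that is neither a bare address nor one of the four `ip:port` shapes (the preceding `grok` silently leaves such a value untouched) now aborts the pipeline at that processor instead of being copied through as the old `set` did; whether the event is then indexed with an error or dropped depends on a pipeline-level `on_failure` handler that is outside this hunk. If the strict behaviour is intended, a comment such as `# Non-IP values fail here on purpose so the pipeline-level on_failure records them.` above the first convert would make that explicit; otherwise add `ignore_failure: true` to both converts for consistency with the surrounding `set` processors. Separately, a compressed IPv6 address followed by an unbracketed `:port` (for example `2a02:cf40::1:1234`) matches none of the patterns, since `IPV6PORTSEP` does not include `:` and only the uncompressed 8-group form is split, so the trailing group is kept as part of a still-valid address and the port is lost; a comment next to `IPV6NOCOMPRESS` noting that this ambiguity is accepted would help the next maintainer. The `processors:` list continues outside the hunk.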
@@ -184,6 +229,10 @@ processors:
 field: json.access_device.ip
 target_field: cisco_duo.auth.access_device.ip
 ignore_missing: true
+ - rename:
+ field: json.access_device.port
+ target_field: cisco_duo.auth.access_device.port
+ ignore_missing: true
 - rename:
 field: json.access_device.is_encryption_enabled
 target_field: cisco_duo.auth.access_device.is_encryption_enabled
@@ -240,6 +289,10 @@ processors:
 field: json.auth_device.ip
 target_field: cisco_duo.auth.auth_device.ip
 ignore_missing: true
+ - rename:
+ field: json.auth_device.port
+ target_field: cisco_duo.auth.auth_device.port
+ ignore_missing: true
 - rename:
 field: json.auth_device.location.city
 target_field: cisco_duo.auth.auth_device.location.city
diff --git a/packages/cisco_duo/data_stream/auth/fields/ecs.yml b/packages/cisco_duo/data_stream/auth/fields/ecs.yml
index 0472838691a..c5b4991d883 100644
--- a/packages/cisco_duo/data_stream/auth/fields/ecs.yml
+++ b/packages/cisco_duo/data_stream/auth/fields/ecs.yml
@@ -20,6 +20,8 @@
 name: related.ip
 - external: ecs
 name: source.ip
+- external: ecs
+ name: source.port
 - external: ecs
 name: source.address
 - external: ecs
diff --git a/packages/cisco_duo/data_stream/auth/fields/fields.yml b/packages/cisco_duo/data_stream/auth/fields/fields.yml
index d2da8453833..7b0d5b6786d 100644
--- a/packages/cisco_duo/data_stream/auth/fields/fields.yml
+++ b/packages/cisco_duo/data_stream/auth/fields/fields.yml
@@ -52,6 +52,10 @@
 type: ip
 description: |
 The access device's IP address.
+ - name: port
+ type: long
+ description: |
+ The access device's port number.
 - name: is_encryption_enabled
 type: keyword
 description: |
@@ -105,6 +109,10 @@
 type: ip
 description: |
 The IP address of the authentication device.
+ - name: port
+ type: long
+ description: |
+ The network port of the authentication device.
 - name: location
 type: group
 fields:
diff --git a/packages/cisco_duo/docs/README.md b/packages/cisco_duo/docs/README.md
index b057d707233..52cc99d0354 100644
--- a/packages/cisco_duo/docs/README.md
+++ b/packages/cisco_duo/docs/README.md
@@ -314,6 +314,7 @@ An example event for `auth` looks as following:
 | cisco_duo.auth.access_device.location.city | The city name of the access device using geoip location. | keyword |
 | cisco_duo.auth.access_device.location.country | The country of the access device using geoip location. | keyword |
 | cisco_duo.auth.access_device.location.state | The state name of the access device using geoip location. | keyword |
+| cisco_duo.auth.access_device.port | The access device's port number. | long |
 | cisco_duo.auth.access_device.security_agents | Reports the security agents present on the endpoint as detected by the Duo Device Health app. | keyword |
 | cisco_duo.auth.alias | The username alias used to log in. | keyword |
 | cisco_duo.auth.application.key | The application's integration_key. | keyword |
@@ -332,6 +333,7 @@ An example event for `auth` looks as following:
 | cisco_duo.auth.auth_device.location.country | The country of the authentication device using geoip location. | keyword |
 | cisco_duo.auth.auth_device.location.state | The state name of the authentication device using geoip location. | keyword |
 | cisco_duo.auth.auth_device.name | The name of the authentication device. | keyword |
+| cisco_duo.auth.auth_device.port | The network port of the authentication device. | long |
 | cisco_duo.auth.email | The email address of the user, if known to Duo, otherwise none. | keyword |
 | cisco_duo.auth.event_type | The type of activity logged. | keyword |
 | cisco_duo.auth.factor | The authentication factor. | keyword |
@@ -399,6 +401,7 @@ An example event for `auth` looks as following:
 | source.geo.region_iso_code | Region ISO code. | keyword |
 | source.geo.region_name | Region name. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
 | source.user.email | User email address. | keyword |
 | source.user.group.name | Name of the group. | keyword |
 | source.user.id | Unique identifier of the user. | keyword |
diff --git a/packages/cisco_duo/manifest.yml b/packages/cisco_duo/manifest.yml
index c85cbcab2aa..6dfe08a634f 100644
--- a/packages/cisco_duo/manifest.yml
+++ b/packages/cisco_duo/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_duo
 title: Cisco Duo
-version: 1.1.4
+version: 1.1.6
 license: basic
 description: Collect logs from Cisco Duo with Elastic Agent.
 type: integration
diff --git a/packages/cisco_ise/_dev/build/build.yml b/packages/cisco_ise/_dev/build/build.yml
new file mode 100644
index 00000000000..809e76063e9
--- /dev/null
+++ b/packages/cisco_ise/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@8.0
diff --git a/packages/cisco_ise/_dev/build/docs/README.md b/packages/cisco_ise/_dev/build/docs/README.md
new file mode 100644
index 00000000000..a2c19747c5d
--- /dev/null
+++ b/packages/cisco_ise/_dev/build/docs/README.md
@@ -0,0 +1,36 @@
+# Cisco ISE
+
+The Cisco ISE integration collects and parses data from [Cisco Identity Services Engine](https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html) (ISE) using TCP/UDP.
+
+## Compatibility
+
+This module has been tested against `Cisco ISE server version 3.1.0.518`.
+
+## Requirements
+
+- Enable the integration with the TCP/UDP input.
+- Sign in to Cisco ISE Portal.
+- Configure Remote Syslog Collection Locations.
+ - **Procedure**
+ 1. In Cisco ISE Administrator Portal, go to **Administration** > **System** > **Logging** > **Remote Logging Targets**.
+ 2. Click **Add**.
+ ![Cisco ISE server setup image](../img/cisco-ise-setup.png)
+ 3. Enter all the **Required Details**.
+ 4. Set the maximum length to **8192**.
+ 5. Click **Submit**.
+ 6. Go to the **Remote Logging Targets** page and verify the creation of the new target.
+
+## Note
+- It is recommended to have **8192** as Maximum Message Length. Segmentation for certain logs coming from Cisco ISE might cause issues with field mappings.
+
+## Logs
+
+Reference link for Cisco ISE Syslog: [Here](https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html)
+
+### log
+
+This is the `log` dataset.
+
+{{event "log"}}
+
+{{fields "log"}}
\ No newline at end of file
diff --git a/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml b/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..05b786cd0f7
--- /dev/null
+++ b/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '2.3'
+services:
+ cisco_ise-log-tcp:
+ image: docker.elastic.co/observability/stream:v0.6.2
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ entrypoint: /bin/bash
+ command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9025 -p=tcp /sample_logs/log.log"
+ cisco_ise-log-udp:
+ image: docker.elastic.co/observability/stream:v0.6.2
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ entrypoint: /bin/bash
+ command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9026 -p=udp /sample_logs/log.log"
diff --git a/packages/cisco_ise/_dev/deploy/docker/sample_logs/log.log b/packages/cisco_ise/_dev/deploy/docker/sample_logs/log.log
new file mode 100644
index 00000000000..f262a548d7f
--- /dev/null
+++ b/packages/cisco_ise/_dev/deploy/docker/sample_logs/log.log
@@ -0,0 +1,124 @@ +<180>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083094 1 0 2022-03-03 10:42:25.842 +00:00 0000083161 25012 WARN AD-Connector: Domain join failed, AD-Admin=ise.host.local, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Error-Details=The user account is invalid, AD-Forest=host.local, AD-Hostname=cisco-ise-host@host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/47, AD-Organization-Unit=, AD-Site=Default-First-Site-Name, +<182>Mar 3 10:43:05 isenode CISE_AD_Connector 0000041246 1 0 2022-03-03 10:43:05.020 +00:00 0000041292 25013 INFO AD-Connector: Domain leave succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Hostname=isenode1, AD-IP-Address=89.160.20.156, AD-Log-Id=1645707128/8, AD-Site=Default-First-Site-Name, +<182>Mar 3 10:43:05 isenode CISE_AD_Connector 0000041242 1 0 2022-03-03 10:43:05.018 +00:00 0000041288 25015 INFO AD-Connector: DNS SRV query succeeded, AD-Domain=host.local, AD-Log-Id=1645707128/4, AD-Srv-Query=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.host.local, AD-Srv-Record=host.local\, 81.2.69.1431.98, AD-Srv-Record=host.local\, 89.160.20.156, AD-Srv-Record=host.local\, 81.2.69.1431.94, +<179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083074 1 0 2022-03-03 10:40:58.891 +00:00 0000083141 25016 ERROR AD-Connector: DNS SRV query failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/37, AD-Srv-Query=_ldap._tcp.dc._msdcs.89.160.20.112, +<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083091 1 0 2022-03-03 10:42:25.835 +00:00 0000083158 25017 INFO AD-Connector: DC discovery succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/44, AD-Site=Default-First-Site-Name, +<179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083075 1 0 2022-03-03 10:40:58.892 +00:00 0000083142 25018 ERROR AD-Connector: DC discovery failed, 
AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/38, +<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083093 1 0 2022-03-03 10:42:25.837 +00:00 0000083160 25033 INFO AD-Connector: DNS A/AAAA query succeeded, AD-Domain-Controller=host.local., AD-Hostname=host.local., AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/46, +<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083092 1 0 2022-03-03 10:42:25.835 +00:00 0000083159 25037 INFO AD-Connector: DC record cached, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/45, AD-Site=Default-First-Site-Name, +<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083089 1 0 2022-03-03 10:42:25.835 +00:00 0000083156 25041 INFO AD-Connector: ISE Server site discovered, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645524126/42, AD-Site=Default-First-Site-Name, +<179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083076 1 0 2022-03-03 10:40:58.892 +00:00 0000083143 25046 ERROR AD-Connector: Joined domain is unavailable, AD-Domain=89.160.20.112, AD-Log-Id=1645524126/39, +<181>Mar 3 06:43:59 81.2.69.143 CISE_Administrative_and_Operational_Audit 0000081797 1 0 2022-03-03 06:43:59.935 +00:00 0000081864 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=1598, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=Administrator authentication successful, +<181>Mar 3 08:25:58 81.2.69.143 CISE_Administrative_and_Operational_Audit 0000082275 1 0 2022-03-03 08:25:58.063 +00:00 0000082342 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=1615, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=User logged out, +<181>Mar 3 08:06:28 isehost 
CISE_Administrative_and_Operational_Audit 0000082182 1 0 2022-03-03 08:06:28.020 +00:00 0000082249 51020 NOTICE Administrator-Login: Administrator authentication failed. Login username does not exist., ConfigVersionId=1610, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=INVALID, OperationMessageText=User not found, +<181>Mar 3 08:46:56 isehost CISE_Administrative_and_Operational_Audit 0000082385 1 0 2022-03-03 08:46:56.310 +00:00 0000082452 51021 NOTICE Administrator-Login: Administrator authentication failed. Wrong password., ConfigVersionId=1624, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=someadmin, +<181>Mar 3 08:30:08 isehost CISE_Administrative_and_Operational_Audit 0000040579 1 0 2022-03-03 08:30:08.728 +00:00 0000040625 52000 NOTICE Configuration-Changes: Added configuration, ConfigVersionId=786, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Object created:\,Port = 9005\,IP Address = 10.0.14.137\,Facility Code = LOCAL6\,Length = 1024\,Description = QA TCP Collector\,Include Alarms = FALSE\,status = ENABLED\,Buffer Message = FALSE\,Buffer Size = 100\,Reconnect Timeout = 30\,, ObjectType=UPSLogTarget, ObjectName=TCP Collector QA, +<181>Mar 3 09:05:16 isehost CISE_Administrative_and_Operational_Audit 0000082478 1 0 2022-03-03 09:05:16.475 +00:00 0000082545 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1626, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminSession=ProfilerSession, AdminName=someadmin, ConfigChangeData=NACServer{ipAddress=10.0.14.121,name=someuser,username=someuserusername,password=*******,enable=false,description=}, ObjectType=NACServer, ObjectName=someuser, +<181>Mar 3 11:58:35 ise204 CISE_Administrative_and_Operational_Audit 0000083550 1 0 2022-03-03 11:58:35.811 +00:00 0000083617 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1698, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=admin, 
ConfigChangeData=object deleted: Name=test123, ObjectType=Network Access Users, ObjectName=test123, Component=Administration, ObjectInternalID=38bcf4bf-f61a-4028-8b69-ef94eceb2a8d, +<181>Mar 3 01:04:02 isehost CISE_Administrative_and_Operational_Audit 0000080239 1 0 2022-03-03 01:04:02.331 +00:00 0000080306 60067 NOTICE FeedService: Profiler Feed Service - automatic download intitiated, ConfigVersionId=1553, OperationMessageText={FeedServiceQueryFromTime=2022-02-22T00:22:00.653+00:00, FeedServicePort=8443, FeedServiceHost=ise.cisco.com, FeedServiceFeedVersion=1,2,3,4, FeedServiceQueryToTime=, FeedServiceFeed=Profiler}, +<181>Mar 3 01:04:06 isehost CISE_Administrative_and_Operational_Audit 0000080240 1 0 2022-03-03 01:04:06.254 +00:00 0000080307 60070 NOTICE FeedService: Profiler Feed Service - No Profiles Downloaded, ConfigVersionId=1553, +<181>Mar 3 09:24:13 isehost CISE_Administrative_and_Operational_Audit 0000082652 1 0 2022-03-03 09:24:13.263 +00:00 0000082719 60078 NOTICE MyDevices: MyDevices user has successfully authenticated, ConfigVersionId=1628, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35, +<181>Mar 3 00:00:00 isehost CISE_Administrative_and_Operational_Audit 0000079938 1 0 2022-03-03 00:00:00.478 +00:00 0000080005 60456 NOTICE System-Management: Started CRL/OCSP periodic certificate check, ConfigVersionId=1543, AdminIPAddress=10.0.9.204, AdminName=system, +<181>Mar 3 00:01:01 isehost CISE_Administrative_and_Operational_Audit 0000079946 1 0 2022-03-03 00:01:01.464 +00:00 0000080013 60461 NOTICE System-Management: Account disabled due to user level date expiry, ConfigVersionId=1545, AdminInterface=Internal, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, OperationMessageText=Account employee10 is disabled, AcsInstance=isehost.local, +<181>Mar 3 09:06:23 isehost 
CISE_Administrative_and_Operational_Audit 0000040765 1 0 2022-03-03 09:06:23.123 +00:00 0000040810 61025 NOTICE EAP-TLS: Open secure connection with TLS peer, ConfigVersionId=794, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection created from 10.0.9.204:42863 to 169.254.2.3:5671, AcsInstance=isehost, +<181>Mar 3 09:08:33 isehost CISE_Administrative_and_Operational_Audit 0000082499 1 0 2022-03-03 09:08:33.981 +00:00 0000082565 61026 NOTICE EAP-TLS: Shutdown secure connection with TLS peer, ConfigVersionId=1626, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection closed from 10.0.9.204:53127 to 169.254.2.5:5671, AcsInstance=isehost, +<181>Mar 3 09:25:05 isehost CISE_Administrative_and_Operational_Audit 0000082666 1 0 2022-03-03 09:25:05.100 +00:00 0000082733 61077 NOTICE MyDevices: MyDevices has been successfully logged out, ConfigVersionId=1630, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35, +<181>Mar 3 08:31:21 isehost CISE_Administrative_and_Operational_Audit 0000082306 1 0 2022-03-03 08:31:21.075 +00:00 0000082373 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=1621, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=someadmin, ConfigChangeData=Object modified:\, Log Severity Level = DEBUG\,Local Logging = enable\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe}, ObjectType=UPSCategory, ObjectName=AAA Diagnostics, OperationMessageText=LoggingCategories "Passed Authentications" has been edited successfully., +<181>Mar 10 11:04:19 isehost CISE_Administrative_and_Operational_Audit 0000130002 1 0 2022-03-10 11:04:19.271 +00:00 0000130069 60077 NOTICE MyDevices: MyDevices user authentication has failed, ConfigVersionId=3117, FailureReason=22040 
Wrong password or invalid shared secret, UserName=test1123, IpAddress=172.16.17.255, AuthenticationIdentityStore=Internal Users, PortalName=test-mydevices, PsnHostName=isehost.local, ResponseTime=90, +<181>Mar 11 07:20:28 isehost CISE_Administrative_and_Operational_Audit 0000093200 1 0 2022-03-11 07:20:28.019 +00:00 0000093246 58005 NOTICE Process-Management: ISE process was restarted by watchdog service, ConfigVersionId=1703, FailureFlag=true, RequestResponseType=final, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=Process: 'ISE Stunnel Service' started by ISE watchdog process, AcsInstance=isehost, +<181>Mar 10 05:25:13 isehost CISE_Administrative_and_Operational_Audit 0000128314 1 0 2022-03-10 05:25:13.944 +00:00 0000128381 60094 NOTICE System-Management: ISE Backup has completed successfully, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Operational backup test_bkp_op-OPS10-220310-0524.tar.gpg to repository test-new success, AcsInstance=isehost, +<181>Mar 10 05:24:16 isehost CISE_Administrative_and_Operational_Audit 0000128311 1 0 2022-03-10 05:24:16.414 +00:00 0000128378 60093 NOTICE System-Management: ISE Backup has started, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Initiating opsbackup backup test_bkp_op-OPS10-220310-0524 to repository test-new, AcsInstance=isehost, +<181>Mar 9 19:00:42 isehost CISE_Administrative_and_Operational_Audit 0000083172 1 0 2022-03-09 19:00:42.763 +00:00 0000083218 60134 NOTICE System-Management: DNS Resolution failure, ConfigVersionId=1537, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=DNS resolution failed for the hostname isehost.local against the currently configured name servers., AcsInstance=isehost, +<181>Mar 8 12:26:58 isehost CISE_Administrative_and_Operational_Audit 0000116964 1 0 2022-03-08 12:26:58.391 +00:00 
0000117031 60188 NOTICE Administrator-Login: An attempted SSH connection has failed, ConfigVersionId=2726, AdminInterface=CLI, OperationMessageText=Received disconnect from 81.2.69.143 port 36953:11: disconnected by user, AcsInstance=isehost, +<181>Mar 8 12:26:58 isehost CISE_Administrative_and_Operational_Audit 0000116963 1 0 2022-03-08 12:26:58.390 +00:00 0000117030 60116 NOTICE Administrator-Login: A CLI user has logged out from SSH, ConfigVersionId=2726, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged out from CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost, +<181>Mar 8 12:15:32 isehost CISE_Administrative_and_Operational_Audit 0000116901 1 0 2022-03-08 12:15:32.654 +00:00 0000116968 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Accepted password for admin from 81.2.69.143 port 36953 ssh2, AcsInstance=isehost, +<181>Mar 8 12:15:32 isehost CISE_Administrative_and_Operational_Audit 0000116902 1 0 2022-03-08 12:15:32.654 +00:00 0000116969 60115 NOTICE Administrator-Login: A CLI user has logged in from SSH, ConfigVersionId=2718, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged in to CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost, +<181>Mar 8 12:14:39 isehost CISE_Administrative_and_Operational_Audit 0000116896 1 0 2022-03-08 12:14:39.376 +00:00 0000116963 60081 NOTICE Administrator-Login: A SSH CLI user has attempted unsuccessfully to login, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Failed password for root from 81.2.69.143 port 36661 ssh2, AcsInstance=isehost, +<183>Mar 3 09:22:59 ise204 CISE_Authentication_Flow_Diagnostics 0000082628 1 0 2022-03-03 09:22:59.360 +00:00 0000082695 22016 DEBUG Workflow: Identity sequence completed iterating the IDStores, ConfigVersionId=1628, UserName=admin, 
SelectedAccessService=AuthenticateUserAPI, AcsSessionID=ise204/435083133/112, AuthenticationIdentityStore=All_AD_Join_Points, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=ise204:userauth19, Response={AuthenticationResult=UnknownUser; }, +<183>Mar 3 09:24:13 ise204 CISE_Authentication_Flow_Diagnostics 0000082651 1 0 2022-03-03 09:24:13.238 +00:00 0000082718 22037 DEBUG Workflow: Authentication Passed, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=ise204/435083133/115, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=ise204:userauth20, Response={AuthenticationResult=Passed; }, +<182>Mar 3 09:22:51 ise204 CISE_Authentication_Flow_Diagnostics 0000082605 1 0 2022-03-03 09:22:51.639 +00:00 0000082672 22040 INFO Authentication: Wrong password or invalid shared secret, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=ise204/435083133/110, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=ise204:userauth18, Response={AuthenticationResult=Failed; }, +<183>Mar 3 09:22:59 ise204 CISE_Authentication_Flow_Diagnostics 0000082629 1 0 2022-03-03 09:22:59.360 +00:00 0000082696 22056 DEBUG Workflow: Subject not found in the applicable identity store(s), ConfigVersionId=1628, UserName=admin, 
SelectedAccessService=AuthenticateUserAPI, AcsSessionID=ise204/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=ise204:userauth19, Response={AuthenticationResult=UnknownUser; }, +<182>Mar 3 09:22:51 ise204 CISE_Authentication_Flow_Diagnostics 0000082606 1 0 2022-03-03 09:22:51.639 +00:00 0000082673 22057 INFO Workflow: The advanced option that is configured for a failed authentication request is used, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=ise204/435083133/110, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=ise204:userauth18, Response={AuthenticationResult=Failed; }, +<182>Mar 3 09:22:59 ise204 CISE_Authentication_Flow_Diagnostics 0000082630 1 0 2022-03-03 09:22:59.361 +00:00 0000082697 22058 INFO Workflow: The advanced option that is configured for an unknown user is used, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=ise204/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=ise204:userauth19, Response={AuthenticationResult=UnknownUser; }, +<182>Mar 3 11:37:34 ise204 CISE_Authentication_Flow_Diagnostics 0000083415 1 0 2022-03-03 11:37:34.928 +00:00 0000083482 22060 INFO Workflow: The 'Continue' advanced option is configured in case of a failed authentication request, 
ConfigVersionId=1696, DestinationIPAddress=10.0.9.204, UserName=92-09-00-00-00-01, NAS-IP-Address=10.0.14.108, Calling-Station-ID=92:09:00:00:00:01, OriginalUserName=92-09-00-00-00-01, AcsSessionID=ise204/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Endpoints, WorkflowIfUserNotFound=Continue, WorkflowIfProcessError=Drop, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; AuthenticationAction=Continue; }, +<182>Mar 3 09:22:59 ise204 CISE_Authentication_Flow_Diagnostics 0000082631 1 0 2022-03-03 09:22:59.361 +00:00 0000082698 22061 INFO Workflow: The 'Reject' advanced option is configured in case of a failed authentication request, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=ise204/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=ise204:userauth19, Response={AuthenticationResult=UnknownUser; AuthenticationAction=Reject; }, +<182>Mar 3 09:24:13 ise204 CISE_Authentication_Flow_Diagnostics 0000082647 1 0 2022-03-03 09:24:13.235 +00:00 0000082714 22072 INFO Authentication: Selected identity source sequence, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=ise204/435083133/115, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence, CPMSessionID=ise204:userauth20, +<181>Mar 2 09:09:13 cisco-ise-host CISE_Failed_Attempts 0000075134 1 0 2022-03-02 09:09:13.790 +00:00 0000075201 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=1364, Device IP 
Address=81.2.69.193, Device Port=42946, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/47, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=11036, Step=5405, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, +<181>Mar 2 10:36:16 cisco-ise-host CISE_Failed_Attempts 0000075876 1 0 2022-03-02 10:36:16.136 +00:00 0000075943 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=1381, RadiusPacketType=Drop, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testnac1, AcsSessionID=cisco-ise-host/435083133/80, SelectedAccessService=Default Network Access, RequestLatency=13, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5411, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message="protocol 
version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testnac1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccO4H8LguCt/kv_SLnrKRbOFQs9/f7Zi_nxHt1lhFP1qc, EndPointMACAddress=00-00-00-00-00-01, ISEPolicySetName=Default, StepLatency=25=120001, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, +<181>Mar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076158 1 0 2022-03-02 11:10:16.634 +00:00 0000076224 5418 NOTICE Guest: Guest Authentication Failed, ConfigVersionId=1397, FailureReason=22056 Subject not found in the applicable identity store(s), UserType=NON_GUEST, UserName=INVALID, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=18, Step=5418, +<181>Mar 2 09:56:00 cisco-ise-host CISE_Failed_Attempts 0000075523 1 0 2022-03-02 09:56:00.597 +00:00 0000075590 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=1373, Device IP Address=81.2.69.193, Device Port=47053, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/64, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, 
Step=11017, Step=11007, Step=5435, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, TotalFailedAttempts=11, TotalFailedTime=2806, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, +<181>Mar 2 09:04:59 cisco-ise-host CISE_Failed_Attempts 0000000581 1 0 2022-03-02 09:04:59.136 +00:00 0000075131 5440 NOTICE RADIUS: Endpoint abandoned EAP session and started new, ConfigVersionId=1364, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testDevice1, AcsSessionID=cisco-ise-host/435083133/41, SelectedAccessService=Default Network Access, RequestLatency=16, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5440, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message="protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]", OpenSSLErrorStack= 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o, 
EndPointMACAddress=00-23-DF-00-00-01, ISEPolicySetName=Default, StepLatency=25=9051, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; }, +<182>Mar 3 11:20:37 cisco-ise-host CISE_Guest 0000083315 1 0 2022-03-03 11:20:37.938 +00:00 0000083382 86005 INFO Guest: Guest user has accepted the Use Policy, ConfigVersionId=1694, UserType=NON_GUEST, UserName=test123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, GuestUserName=test123, ResponseTime=31, +<182>Mar 3 12:01:09 cisco-ise-host CISE_Guest 0000083571 1 0 2022-03-03 12:01:09.743 +00:00 0000083638 86022 INFO Guest: Device Registration Web Authentication AUP Accepted, ConfigVersionId=1698, UserType=NON_GUEST, UserName=test1123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, ResponseTime=15, +<183>Mar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083418 1 0 2022-03-03 11:37:34.933 +00:00 0000083485 24209 DEBUG Local-user-DB: Looking up Endpoint in Internal Endpoints IDStore, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; }, +<183>Mar 3 09:24:13 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082649 1 0 2022-03-03 09:24:13.235 +00:00 0000082716 24210 DEBUG Local-user-DB: Looking up User in Internal Users IDStore, ConfigVersionId=1628, UserName=test, 
SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/115, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth20, +<183>Mar 3 09:22:51 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082604 1 0 2022-03-03 09:22:51.639 +00:00 0000082671 24212 DEBUG Local-user-DB: Found User in Internal Users IDStore, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/110, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth18, Firstname=Employee1, Lastname=Cisco1, EnableFlag=Enabled, Response={AuthenticationResult=NotPerformed; }, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082616 1 0 2022-03-03 09:22:59.336 +00:00 0000082683 24216 DEBUG Local-user-DB: The user is not found in the internal users identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; }, +<183>Mar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083419 1 0 2022-03-03 11:37:34.936 +00:00 0000083486 24217 DEBUG Local-user-DB: The host is not found in the internal endpoints identity store, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; }, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082623 1 0 2022-03-03 09:22:59.359 +00:00 0000082690 24313 DEBUG External-Active-Directory: 
Search for matching accounts at join point, AD-Log-Id=1645524126/33, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082625 1 0 2022-03-03 09:22:59.359 +00:00 0000082692 24322 DEBUG External-Active-Directory: Identity resolution detected no matching account, AD-Log-Id=1645524126/35, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082622 1 0 2022-03-03 09:22:59.359 +00:00 0000082689 24325 DEBUG External-Active-Directory: Resolving identity, AD-Log-Id=1645524126/32, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082626 1 0 2022-03-03 09:22:59.359 +00:00 0000082693 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/36, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082624 1 0 2022-03-03 09:22:59.359 +00:00 0000082691 24366 DEBUG External-Active-Directory: Skipping unjoined domain, AD-Log-Id=1645524126/34, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082627 1 0 2022-03-03 09:22:59.360 +00:00 0000082694 24412 DEBUG External-Active-Directory: User not found in Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; }, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082621 1 0 2022-03-03 09:22:59.357 +00:00 0000082688 24430 DEBUG External-Active-Directory: Authenticating user against Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=Failed; }, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 
0000082618 1 0 2022-03-03 09:22:59.337 +00:00 0000082685 24631 DEBUG Local-user-DB: Looking up User in Internal Guests IDStore, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; }, +<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082619 1 0 2022-03-03 09:22:59.356 +00:00 0000082686 24633 DEBUG Local-user-DB: The user is not found in the internal guests identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; }, +<183>Mar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083416 1 0 2022-03-03 11:37:34.931 +00:00 0000083483 24715 DEBUG External-Active-Directory: ISE has not confirmed locally previous successful machine authentication for user in Active Directory, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; }, +<180>Feb 23 06:11:12 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000000890 1 0 2022-02-23 06:11:12.793 +00:00 0000000945 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=240, DestinationPort=9025, LoggerName=Test_TCP, +<179>Mar 3 09:19:04 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000082575 1 0 2022-03-03 09:19:04.559 +00:00 0000082642 34120 ERROR Profiler: Profiler failed to get the 
connection to NAC Manager, ConfigVersionId=1628, +<180>Mar 3 09:24:09 isenode CISE_Internal_Operations_Diagnostics 0000040852 1 0 2022-03-03 09:24:09.011 +00:00 0000040898 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA, +<180>Mar 3 09:24:39 isenode CISE_Internal_Operations_Diagnostics 0000040857 1 0 2022-03-03 09:24:39.014 +00:00 0000040903 34127 WARN System-Management: Remote syslog target connection resume, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA, +<183>Mar 3 00:00:00 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000079939 1 0 2022-03-03 00:00:00.480 +00:00 0000080006 32025 DEBUG Logging: Rolled over local storage file, ConfigVersionId=1543, LogFileName=/opt/CSCOcpm/logs/localStore//iseLocalStore.log.2022-03-02-00-00-00-478, LogErrorMessage=LOG_OK_NO_ERROR, +<182>Mar 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082658 1 0 2022-03-03 09:24:53.393 +00:00 0000082725 88004 INFO MyDevices: Successfully deleted the device (endpoint), ConfigVersionId=1629, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:00, EPIdentityGroup=Unknown, Staticassignment=false, EndPointProfiler=ise.host.local, EndPointPolicy=Xerox-Device, DeviceName=test, DeviceRegistrationStatus=NotRegistered, ResponseTime=35, +<182>Mar 3 09:24:40 cisco-ise-host CISE_MyDevices 0000082656 1 0 2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=1628, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, 
EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35 +<179>Mar 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082659 1 0 2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate, +<181>Mar 3 11:37:34 cisco-ise-host CISE_Passed_Authentications 0000083423 1 0 2022-03-03 11:37:34.978 +00:00 0000083490 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=1696, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.193, DestinationPort=1812, UserName=92-09-00-00-00-01, Protocol=Radius, NetworkDeviceName=Simulator, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=gigabitEthernet1/0/1, Airespace-Wlan-Id=3, OriginalUserName=92-09-00-00-00-01, MisconfiguredClientFixReason=Passed, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WirelessMAB, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, UseCase=Host Lookup, RequestLatency=90, Step=11001, Step=11017, Step=11117, Step=11027, Step=15049, Step=15008, Step=15041, Step=15048, Step=15013, Step=24209, Step=24217, Step=22056, Step=22058, Step=22060, Step=24715, Step=15036, Step=24209, Step=24217, Step=15016, Step=11002, Step=5239, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=UnknownUser, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, 
CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, EndPointMACAddress=92-09-00-00-00-01, PostureAssessmentStatus=Pending, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB, StepData=7= Normalised Radius.RadiusFlowType, StepData=8=Internal Endpoints, TotalAuthenLatency=90, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M&portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7&action=cwa&type=drw&token=65402552fb76ff96c08edaab722f880e; LicenseTypes=1; }, +<181>Mar 2 13:27:48 cisco-ise-host CISE_Passed_Authentications 0000077038 1 0 2022-03-02 13:27:48.625 +00:00 0000077104 5231 NOTICE Guest: Guest Authentication Passed, ConfigVersionId=1459, AuthenticationMethod=PAP_ASCII, UserType=NON_GUEST, UserName=test, IpAddress=81.2.69.145, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=cisco-ise-host.local, GuestUserName=test, ResponseTime=21, Step=5231, +<181>Feb 23 21:44:54 cisco-ise-host CISE_Passed_Authentications 0000000028 1 0 2021-02-23 21:44:54.276 +00:00 0000001707 5233 NOTICE Passed-Authentication: TrustSec Data Download Succeeded, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, 
cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; }, +<181>Mar 3 09:11:58 cisco-ise-host CISE_Passed_Authentications 0000082517 1 0 2022-03-03 09:11:58.729 +00:00 0000082584 5239 NOTICE RADIUS: NAS problem was fixed, ConfigVersionId=1626, NAS-IP-Address=81.2.69.145, MisconfiguredClientFixReason=Silent, Step=5239, +<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083407 1 0 2022-03-03 11:37:34.891 +00:00 0000083474 15008 DEBUG Policy: Evaluating Service Selection Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, +<183>Mar 3 09:24:13 cisco-ise-host CISE_Policy_Diagnostics 0000082648 1 0 2022-03-03 09:24:13.235 +00:00 0000082715 15013 DEBUG Policy: Selected 
Identity Source, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CurrentIDStoreName=Internal Users, CPMSessionID=isehost:userauth20, +<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083420 1 0 2022-03-03 11:37:34.958 +00:00 0000083487 15016 DEBUG Policy: Selected Authorization Profile, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB, +<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083417 1 0 2022-03-03 11:37:34.932 +00:00 0000083484 15036 DEBUG Policy: Evaluating Authorization Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, IdentityPolicyMatchedRule=MAB, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB, +<183>Mar 3 09:24:13 cisco-ise-host CISE_Policy_Diagnostics 0000082646 1 0 2022-03-03 09:24:13.233 +00:00 0000082713 15041 DEBUG Policy: Evaluating Identity Policy, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CPMSessionID=isehost:userauth20, +<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 
0000083409 1 0 2022-03-03 11:37:34.900 +00:00 0000083476 15048 DEBUG Policy: Queried PIP, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=IdentityPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, +<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083406 1 0 2022-03-03 11:37:34.890 +00:00 0000083473 15049 DEBUG Policy: Evaluating Policy Group, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, +<181>Feb 26 22:15:22 cisco-ise-host CISE_Posture_and_Client_Provisioning_Audit 0000000959 1 0 2021-02-26 22:15:22.379 +00:00 0000004348 87751 NOTICE EPS: Endpoint Protection Service has obtained the result of an operation, ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:1.1.1.1, OperationStatus=RUNNING, AdminName=abc@abc.com.com, +<182>Apr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 
802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC +<182>Apr 27 11:18:08 tuv.w.xyz.com CISE_RADIUS_Accounting 0000142722 1 0 2020-04-27 11:18:08.144167 -08:00 0096217580 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=4, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52= +<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076010 1 0 2022-03-02 10:54:40.275 +00:00 0000076076 11001 DEBUG RADIUS: Received RADIUS Access-Request, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, 
CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<183>Mar 3 11:37:34 cisco-ise-host CISE_RADIUS_Diagnostics 0000083421 1 0 2022-03-03 11:37:34.978 +00:00 0000083488 11002 DEBUG RADIUS: Returned RADIUS Access-Accept, ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, SelectedAccessService=Default Network Access, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.cdsys.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M&portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7&action=cwa&type=drw&token=65402552fb76ff96c08edaab722f880e; }, +<183>Mar 2 10:30:25 cisco-ise-host CISE_RADIUS_Diagnostics 0000075815 1 0 2022-03-02 10:30:25.393 +00:00 0000075881 11004 DEBUG RADIUS: Received RADIUS Accounting-Request, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, AcsSessionID=cisco-ise-host/435083133/79, +<183>Mar 2 10:30:25 cisco-ise-host CISE_RADIUS_Diagnostics 0000075821 1 0 2022-03-02 10:30:25.398 +00:00 0000075887 11005 DEBUG RADIUS: Returned RADIUS Accounting-Response, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusPacketType=AccountingRequest, RadiusIdentifier=6, NAS-Port=86, Service-Type=Framed, 
Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/79, SelectedAccessService=Default Network Access, CPMSessionID=0a0009cc/2Fl2YA6dnR0d0WayxawhKg5MlkqPkPBGJbhvXrvHlo, +<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076021 1 0 2022-03-02 10:54:40.278 +00:00 0000076087 11006 DEBUG RADIUS: Returned RADIUS Access-Challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, Response={RadiusPacketType=AccessChallenge; }, +<180>Feb 16 09:29:43 cisco-ise-host CISE_RADIUS_Diagnostics 0000004585 1 0 2021-03-16 09:29:43.770 +00:00 0000004680 11015 WARN RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=53985, DestinationIPAddress=81.2.69.144, DestinationPort=0073, RadiusIdentifier=13, NAS-Port=86, Service-Type=Framed, 
Calling-Station-ID=89:aa:11:00:00:01, Acct-Status-Type=Stop, Acct-Session-Id=11000001, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/405244497/3, +<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000075998 1 0 2022-03-02 10:54:40.194 +00:00 0000076064 11017 DEBUG RADIUS: RADIUS created a new session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, +<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076011 1 0 2022-03-02 10:54:40.275 +00:00 0000076077 11018 DEBUG RADIUS: RADIUS is re-using an existing session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<183>Mar 3 11:37:34 cisco-ise-host CISE_RADIUS_Diagnostics 0000083405 1 0 2022-03-03 11:37:34.890 +00:00 0000083472 11027 DEBUG RADIUS: Detected Host Lookup UseCase (Service-Type = Call Check (10)), ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, +<180>Mar 3 09:40:42 cisco-ise-host CISE_RADIUS_Diagnostics 0000082784 1 0 2022-03-03 09:40:42.552 +00:00 0000082851 11036 WARN RADIUS: The Message-Authenticator RADIUS attribute is invalid, 
ConfigVersionId=1655, Device IP Address=81.2.69.143, Device Port=35893, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusIdentifier=2, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/120, +<180>Mar 3 09:14:59 cisco-ise-host CISE_RADIUS_Diagnostics 0000082552 1 0 2022-03-03 09:14:59.500 +00:00 0000082619 11038 WARN RADIUS: RADIUS Accounting-Request header contains invalid Authenticator field, ConfigVersionId=1626, Device IP Address=81.2.69.143, Device Port=51906, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusIdentifier=4, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/107, +<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000075999 1 0 2022-03-02 10:54:40.195 +00:00 0000076065 11117 DEBUG RADIUS: Generated a new session ID, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076002 1 0 2022-03-02 10:54:40.197 +00:00 0000076068 11507 INFO EAP: Extracted EAP-Response/Identity, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 
802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Feb 16 09:29:43 cisco-ise-host CISE_RADIUS_Diagnostics 0000004570 1 0 2021-03-16 09:29:43.648 +00:00 0000004648 11823 INFO EAP: EAP-MSCHAP authentication attempt failed, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=56430, DestinationIPAddress=81.2.69.144, DestinationPort=0072, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=employee1, NAS-IP-Address=81.2.69.144, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4\;36SessionID=cisco-ise-host/405244497/1\;, Session-Timeout=30, Calling-Station-ID=89-AA-11-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/405244497/1, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4, Response={AuthenticationResult=Failed; }, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076008 1 0 2022-03-02 10:54:40.265 +00:00 0000076074 12300 INFO EAP: Prepared EAP-Request proposing PEAP with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 
0000076007 1 0 2022-03-02 10:54:40.264 +00:00 0000076073 12301 INFO EAP: Extracted EAP-Response/NAK requesting to use PEAP instead, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076012 1 0 2022-03-02 10:54:40.275 +00:00 0000076078 12302 INFO EAP: Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076020 1 0 2022-03-02 10:54:40.277 +00:00 0000076086 12305 INFO EAP: Prepared EAP-Request with another PEAP challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, 
User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076019 1 0 2022-03-02 10:54:40.277 +00:00 0000076085 12307 INFO EAP: PEAP authentication failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported 
protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<180>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076018 1 0 2022-03-02 10:54:40.277 +00:00 0000076084 12309 WARN EAP: PEAP handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076013 1 0 2022-03-02 10:54:40.276 +00:00 0000076079 12318 INFO EAP: Successfully negotiated PEAP version 0, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, 
AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076003 1 0 2022-03-02 10:54:40.198 +00:00 0000076069 12500 INFO EAP: Prepared EAP-Request proposing EAP-TLS with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076014 1 0 2022-03-02 10:54:40.276 +00:00 0000076080 12800 INFO EAP: Extracted first TLS record; TLS handshake started, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Mar 2 10:53:10 cisco-ise-host CISE_RADIUS_Diagnostics 0000075982 1 0 2022-03-02 10:53:10.702 +00:00 0000076048 12805 INFO EAP: Extracted TLS ClientHello message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=48443, DestinationIPAddress=81.2.69.144, DestinationPort=1812, 
RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4;29SessionID=cisco-ise-host/435083133/82;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/82, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076016 1 0 2022-03-02 10:54:40.276 +00:00 0000076082 12814 INFO EAP: Prepared TLS Alert message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076017 1 0 2022-03-02 10:54:40.276 +00:00 0000076083 12817 INFO EAP: TLS handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, 
SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, +<181>Mar 3 10:10:23 isehost CISE_System_Statistics 0000082933 1 0 2022-03-03 10:10:23.294 +00:00 0000082999 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1659, SysStatsUtilizationCpu=7.32%, SysStatsUtilizationNetwork=eth3: rcvd = 955455; sent = 0 ;rcvd_dropped = 124; sent_dropped = 0, SysStatsUtilizationNetwork=vethbbd4eb0a: rcvd = 0; sent = 70 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth09eb1105: rcvd = 70; sent = 140 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth2f7196e5: rcvd = 1506; sent = 1616 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=42.82%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=1% /tmp, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=19% /opt, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=19% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.65, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11987, ActiveSessionCount=-10, +<181>Mar 3 10:11:58 81.2.69.143 CISE_System_Statistics 0000041100 1 0 2022-03-03 10:11:58.749 +00:00 0000041146 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=823, SysStatsAcsProcessHealth= Database Listener=running, PID: 10823; Database Server=running, number of processes: 77; Application Server=running, PID: 2290499; Profiler Database=running, PID: 2286839; ISE Indexing Engine=running, PID: 2301459; AD Connector=running, PID: 27766; M&T Session Database=running, PID: 2288787; M&T Log Processor=running, PID: 2311300; Certificate Authority Service=running, PID: 2312538; EST Service=running, PID: 2326338; SXP Engine Service=running, PID: 1753095; PassiveID WMI Service=running, 
PID: 2989686; PassiveID Syslog Service=running, PID: 2990191; PassiveID API Service=running, PID: 2990809; PassiveID Agent Service=running, PID: 2991433; PassiveID Endpoint Service=running, PID: 2991940; PassiveID SPAN Service=running, PID: 2992442; DHCP Server (dhcpd)=disabled; DNS Server (named)=disabled; ISE Messaging Service=running, PID: 2322856; ISE API Gateway Database Service=running, PID: 2291381; ISE API Gateway Service=running, PID: 2299091; Segmentation Policy Service=disabled; REST Auth Service=disabled; SSE Connector=disabled; Hermes (pxGrid Cloud Agent)=disabled, +<181>Mar 3 10:08:59 isehost CISE_System_Statistics 0000082925 1 0 2022-03-03 10:08:59.797 +00:00 0000082992 70011 NOTICE System-Stats: ISE Counters, ConfigVersionId=1659, OperationCounters=Counter=16_MnTLogProcessorN:149,16_CAServiceN:41,16_CAServiceT:114946,16_MnTLogProcessorU:14,16_MnTLogProcessorT:720447,16_CAServiceU:2,17_vaEventsReceived:0,16_SyslogU:0,16_SyslogT:0,16_RMIT:0,16_RMIU:0,16_GuestN:0,17_threatEventsReceived:0,16_GuestU:0,16_GuestT:0,16_SyslogN:0,16_MisservicesU:0,4_HostName_Event_Fetch_FromAD:0,16_MisservicesT:0,16_MisservicesN:0,16_DBServerN:83,13_Protocol_Runtime_Context:-10,16_AdminWebappT:0,16_AdminWebappU:0,16_DBServerU:18,16_DBServerT:911373,16_JVMN:0,16_DBListenerU:0,16_AdminWebappN:0,16_DBListenerT:0,16_JVMT:0,16_BYODN:0,16_JVMU:0,16_BYODT:0,16_DBListenerN:0,16_BYODU:0,16_MessageQueueT:0,17_eventsReceived:0,16_MessageQueueU:0,4_Probe_Requests_Dropped:0,4_Probe_Requests_Received:0,4_ArpCache_InsertUpdate_Received:0,17_coaIssued:0,16_MessageQueueN:0,16_iowait:4,16_MnTSessionDBT:13624,16_MnTSessionDBU:0,16_TCNACMongoDBT:0,16_TCNACMongoDBU:0,16_MnTSessionDBN:18,16_TCNACMongoDBN:0,16_NSFN:0,16_ProfilerDatabaseN:4,16_ProfilerDatabaseT:83251,16_ProfilerDatabaseU:2,16_NSFU:0,16_NSFT:0,16_QuartzN:0,4_EndpointCache_InsertUpdate_Received:4,16_QuartzT:0,16_VADT:0,16_VADU:0,16_ProfilerN:0,16_ProfilerT:0,16_VADN:0,16_ProfilerU:0,16_VAServiceN:39,16_VAServiceU:10,16_RMIN:0,16_VASe
rviceT:531482,4_RadiusPacketsReceived:27,16_TCNACCoreU:0,16_TCNACCoreT:0,16_QuartzU:0,4_NMAP_ScanEvent_Query:0,16_TCNACCoreN:0, +<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; } +<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415636 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AcctRequest-Flags=Start, 
Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954422, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22083, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting647817909, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; } +<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415932 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AVPair=disc-cause=1, AVPair=disc-cause-ext=9, AVPair=pre-session-time=0, AVPair=elapsed_time=127, AVPair=stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting2791676098, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software 
Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;}
+<182>Mar 16 06:41:58 cisco-ise-host CISE_Threat_Centric_NAC 0000001923 1 0 2021-03-16 06:41:58.957 +00:00 0000001966 91004 INFO IRF: Started adapter instance, ConfigVersionId=86, Details=Adapter Karnataka status/connectivity changed, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active,
+<179>Mar 16 06:42:55 cisco-ise-host CISE_Threat_Centric_NAC 0000001938 1 0 2021-03-16 06:42:55.540 +00:00 0000001981 91018 ERROR IRF: Adapter connection failed, ConfigVersionId=86, Details=Adapter cannot connect to the server. Ensure that the server is reachable, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active, Connectivity=Disconnected,
+<180>Mar 3 00:02:46 isenode CISE_Threat_Centric_NAC 0000038251 1 0 2022-03-03 00:02:46.341 +00:00 0000038297 91110 WARN RADIUS: One or more Active Directory diagnostic tests failed during a scheduled run., ConfigVersionId=749,
diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
new file mode 100644
index 00000000000..f5b286a4da3
--- /dev/null
+++ b/packages/cisco_ise/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2855
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log
new file mode 100644
index 00000000000..94f92a379a3
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log
@@ -0,0 +1,13 @@
+<180>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083094 1 0 2022-03-03 10:42:25.842 +00:00 0000083161 25012 WARN AD-Connector: Domain join failed, AD-Admin=ise.host.local, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Error-Details=The user account is invalid, AD-Forest=host.local, AD-Hostname=cisco-ise-host@host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/47, AD-Organization-Unit=, AD-Site=Default-First-Site-Name,
+<182>Mar 3 10:43:05 isehost CISE_AD_Connector 0000041246 1 0 2022-03-03 10:43:05.020 +00:00 0000041292 25013 INFO AD-Connector: Domain leave succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Hostname=isehost, AD-IP-Address=89.160.20.156, AD-Log-Id=1645707128/8, AD-Site=Default-First-Site-Name,
+<182>Mar 3 10:43:05 isehost CISE_AD_Connector 0000041242 1 0 2022-03-03 10:43:05.018 +00:00 0000041288 25015 INFO AD-Connector: DNS SRV query succeeded, AD-Domain=host.local, AD-Log-Id=1645707128/4, AD-Srv-Query=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.host.local, AD-Srv-Record=host.local\, 81.2.69.1431.98, AD-Srv-Record=host.local\, 89.160.20.156, AD-Srv-Record=host.local\, 81.2.69.1431.94,
+<179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083074 1 0 2022-03-03 10:40:58.891 +00:00 0000083141 25016 ERROR AD-Connector: DNS SRV query failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/37, AD-Srv-Query=_ldap._tcp.dc._msdcs.89.160.20.112,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083091 1 0 2022-03-03 10:42:25.835 +00:00 0000083158 25017 INFO AD-Connector: DC discovery succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/44, AD-Site=Default-First-Site-Name,
+<179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083075 1 0 2022-03-03 10:40:58.892 +00:00 0000083142 25018 ERROR AD-Connector: DC discovery failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/38,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083093 1 0 2022-03-03 10:42:25.837 +00:00 0000083160 25033 INFO AD-Connector: DNS A/AAAA query succeeded, AD-Domain-Controller=host.local., AD-Hostname=host.local., AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/46,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083092 1 0 2022-03-03 10:42:25.835 +00:00 0000083159 25037 INFO AD-Connector: DC record cached, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/45, AD-Site=Default-First-Site-Name,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083089 1 0 2022-03-03 10:42:25.835 +00:00 0000083156 25041 INFO AD-Connector: ISE Server site discovered, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645524126/42, AD-Site=Default-First-Site-Name,
+<179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083076 1 0 2022-03-03 10:40:58.892 +00:00 0000083143 25046 ERROR AD-Connector: Joined domain is unavailable, AD-Domain=89.160.20.112, AD-Log-Id=1645524126/39,
+<179>Mar 14 05:59:30 cisco-ise-host CISE_AD_Connector 0000000032 1 0 2022-03-14 05:59:30.442 +00:00 0000000122 25058 ERROR AD-Connector: ISE is not joined to an Active Directory Domain Controller, ConfigVersionId=10, AD-Domain=10.0.14.108,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083089 2 1 AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,
+<182>Mar 3 10:42:25 +02:00 cisco-ise-host CISE_AD_Connector 0000083089 2 1 AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,
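Review bot: The third fixture line (code 25015, `DNS SRV query succeeded`) carries two SRV record values that are not well-formed addresses, `AD-Srv-Record=host.local\, 81.2.69.1431.98` and `AD-Srv-Record=host.local\, 81.2.69.1431.94`; presumably a find-and-replace during anonymisation mangled a longer original, so the line no longer resembles what ISE emits for this field. The expected output committed alongside copies those strings verbatim into `cisco_ise.log.ad.srv.record` and that event ends up with no `related.ip`, so the test cannot notice the problem. I would replace them with well-formed addresses from the same documentation range, e.g. `AD-Srv-Record=host.local\, 81.2.69.198` and `AD-Srv-Record=host.local\, 81.2.69.194`, so the escaped-comma handling is exercised on realistic data and any later IP extraction from SRV records has something real to extract. The remaining lines use the anonymised ranges (81.2.69.0/24, 89.160.20.0/24, RFC 1918) consistently, which is fine.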
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json new file mode 100644 index 00000000000..dda9c53ca8d --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json 
@@ -0,0 +1,859 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-03T10:42:25.842Z", + "cisco_ise": { + "log": { + "ad": { + "admin": "ise.host.local", + "domain": { + "controller": "host.local", + "name": "host.local" + }, + "error": { + "details": "The user account is invalid" + }, + "forest": "host.local", + "hostname": "cisco-ise-host@host.local", + "ip": "89.160.20.156", + "log_id": "1645524126/47", + "site": "Default-First-Site-Name" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Admin=ise.host.local, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Error-Details=The user account is invalid, AD-Forest=host.local, AD-Hostname=cisco-ise-host@host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/47, AD-Organization-Unit=, AD-Site=Default-First-Site-Name", + "message": { + "code": "25012", + "description": "AD-Connector: Domain join failed", + "id": "0000083094" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c180\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083094 1 0 2022-03-03 10:42:25.842 +00:00 0000083161 25012 WARN AD-Connector: Domain join failed, AD-Admin=ise.host.local, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Error-Details=The user account is invalid, AD-Forest=host.local, AD-Hostname=cisco-ise-host@host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/47, AD-Organization-Unit=, AD-Site=Default-First-Site-Name,", + "sequence": 83161, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "warn", + "syslog": { + "priority": 180, + "severity": { + "name": "warn" + } + } + }, + "message": "2022-03-03 10:42:25.842 +00:00 0000083161 25012 WARN AD-Connector: Domain join failed, AD-Admin=ise.host.local, AD-Domain=host.local, 
AD-Domain-Controller=host.local, AD-Error-Details=The user account is invalid, AD-Forest=host.local, AD-Hostname=cisco-ise-host@host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/47, AD-Organization-Unit=, AD-Site=Default-First-Site-Name,", + "related": { + "hosts": [ + "cisco-ise-host", + "cisco-ise-host@host.local" + ], + "ip": [ + "89.160.20.156" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:43:05.020Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "controller": "host.local", + "name": "host.local" + }, + "hostname": "isehost", + "ip": "89.160.20.156", + "log_id": "1645707128/8", + "site": "Default-First-Site-Name" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Hostname=isehost, AD-IP-Address=89.160.20.156, AD-Log-Id=1645707128/8, AD-Site=Default-First-Site-Name", + "message": { + "code": "25013", + "description": "AD-Connector: Domain leave succeeded", + "id": "0000041246" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 10:43:05 isehost CISE_AD_Connector 0000041246 1 0 2022-03-03 10:43:05.020 +00:00 0000041292 25013 INFO AD-Connector: Domain leave succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Hostname=isehost, AD-IP-Address=89.160.20.156, AD-Log-Id=1645707128/8, AD-Site=Default-First-Site-Name,", + "sequence": 41292, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 10:43:05.020 +00:00 0000041292 25013 INFO AD-Connector: Domain leave succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Hostname=isehost, 
AD-IP-Address=89.160.20.156, AD-Log-Id=1645707128/8, AD-Site=Default-First-Site-Name,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "89.160.20.156" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:43:05.018Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "name": "host.local" + }, + "log_id": "1645707128/4", + "srv": { + "query": "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.host.local", + "record": [ + "host.local 81.2.69.1431.98", + "host.local 89.160.20.156", + "host.local 81.2.69.1431.94" + ] + } + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=host.local, AD-Log-Id=1645707128/4, AD-Srv-Query=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.host.local, AD-Srv-Record=host.local 81.2.69.1431.98, AD-Srv-Record=host.local 89.160.20.156, AD-Srv-Record=host.local 81.2.69.1431.94", + "message": { + "code": "25015", + "description": "AD-Connector: DNS SRV query succeeded", + "id": "0000041242" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 10:43:05 isehost CISE_AD_Connector 0000041242 1 0 2022-03-03 10:43:05.018 +00:00 0000041288 25015 INFO AD-Connector: DNS SRV query succeeded, AD-Domain=host.local, AD-Log-Id=1645707128/4, AD-Srv-Query=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.host.local, AD-Srv-Record=host.local\\, 81.2.69.1431.98, AD-Srv-Record=host.local\\, 89.160.20.156, AD-Srv-Record=host.local\\, 81.2.69.1431.94,", + "sequence": 41288, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 10:43:05.018 +00:00 0000041288 25015 INFO AD-Connector: DNS SRV query succeeded, AD-Domain=host.local, 
AD-Log-Id=1645707128/4, AD-Srv-Query=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.host.local, AD-Srv-Record=host.local\\, 81.2.69.1431.98, AD-Srv-Record=host.local\\, 89.160.20.156, AD-Srv-Record=host.local\\, 81.2.69.1431.94,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:40:58.891Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "name": "89.160.20.112" + }, + "error": { + "details": "The domain name specified in the query was not found" + }, + "log_id": "1645524126/37", + "srv": { + "query": "_ldap._tcp.dc._msdcs.89.160.20.112" + } + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/37, AD-Srv-Query=_ldap._tcp.dc._msdcs.89.160.20.112", + "message": { + "code": "25016", + "description": "AD-Connector: DNS SRV query failed", + "id": "0000083074" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c179\u003eMar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083074 1 0 2022-03-03 10:40:58.891 +00:00 0000083141 25016 ERROR AD-Connector: DNS SRV query failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/37, AD-Srv-Query=_ldap._tcp.dc._msdcs.89.160.20.112,", + "sequence": 83141, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "error", + "syslog": { + "priority": 179, + "severity": { + "name": "error" + } + } + }, + "message": "2022-03-03 10:40:58.891 +00:00 0000083141 25016 ERROR AD-Connector: DNS SRV query failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, 
AD-Log-Id=1645524126/37, AD-Srv-Query=_ldap._tcp.dc._msdcs.89.160.20.112,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:42:25.835Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "controller": "host.local", + "name": "host.local" + }, + "ip": "89.160.20.156", + "log_id": "1645524126/44", + "site": "Default-First-Site-Name" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/44, AD-Site=Default-First-Site-Name", + "message": { + "code": "25017", + "description": "AD-Connector: DC discovery succeeded", + "id": "0000083091" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083091 1 0 2022-03-03 10:42:25.835 +00:00 0000083158 25017 INFO AD-Connector: DC discovery succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/44, AD-Site=Default-First-Site-Name,", + "sequence": 83158, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 10:42:25.835 +00:00 0000083158 25017 INFO AD-Connector: DC discovery succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/44, AD-Site=Default-First-Site-Name,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "89.160.20.156" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:40:58.892Z", + "cisco_ise": { + "log": { + "ad": { + 
"domain": { + "name": "89.160.20.112" + }, + "error": { + "details": "The domain name specified in the query was not found" + }, + "log_id": "1645524126/38" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/38", + "message": { + "code": "25018", + "description": "AD-Connector: DC discovery failed", + "id": "0000083075" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c179\u003eMar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083075 1 0 2022-03-03 10:40:58.892 +00:00 0000083142 25018 ERROR AD-Connector: DC discovery failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/38,", + "sequence": 83142, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "error", + "syslog": { + "priority": 179, + "severity": { + "name": "error" + } + } + }, + "message": "2022-03-03 10:40:58.892 +00:00 0000083142 25018 ERROR AD-Connector: DC discovery failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/38,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:42:25.837Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "controller": "host.local." 
+ }, + "hostname": "host.local.", + "ip": "89.160.20.156", + "log_id": "1645524126/46" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain-Controller=host.local., AD-Hostname=host.local., AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/46", + "message": { + "code": "25033", + "description": "AD-Connector: DNS A/AAAA query succeeded", + "id": "0000083093" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083093 1 0 2022-03-03 10:42:25.837 +00:00 0000083160 25033 INFO AD-Connector: DNS A/AAAA query succeeded, AD-Domain-Controller=host.local., AD-Hostname=host.local., AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/46,", + "sequence": 83160, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 10:42:25.837 +00:00 0000083160 25033 INFO AD-Connector: DNS A/AAAA query succeeded, AD-Domain-Controller=host.local., AD-Hostname=host.local., AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/46,", + "related": { + "hosts": [ + "cisco-ise-host", + "host.local." 
+ ], + "ip": [ + "89.160.20.156" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:42:25.835Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "controller": "host.local", + "name": "host.local" + }, + "ip": "89.160.20.156", + "log_id": "1645524126/45", + "site": "Default-First-Site-Name" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/45, AD-Site=Default-First-Site-Name", + "message": { + "code": "25037", + "description": "AD-Connector: DC record cached", + "id": "0000083092" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083092 1 0 2022-03-03 10:42:25.835 +00:00 0000083159 25037 INFO AD-Connector: DC record cached, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/45, AD-Site=Default-First-Site-Name,", + "sequence": 83159, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 10:42:25.835 +00:00 0000083159 25037 INFO AD-Connector: DC record cached, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/45, AD-Site=Default-First-Site-Name,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "89.160.20.156" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:42:25.835Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "controller": "host.local", + "name": "host.local" + }, + "log_id": "1645524126/42", + "site": 
"Default-First-Site-Name" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645524126/42, AD-Site=Default-First-Site-Name", + "message": { + "code": "25041", + "description": "AD-Connector: ISE Server site discovered", + "id": "0000083089" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083089 1 0 2022-03-03 10:42:25.835 +00:00 0000083156 25041 INFO AD-Connector: ISE Server site discovered, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645524126/42, AD-Site=Default-First-Site-Name,", + "sequence": 83156, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 10:42:25.835 +00:00 0000083156 25041 INFO AD-Connector: ISE Server site discovered, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645524126/42, AD-Site=Default-First-Site-Name,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:40:58.892Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "name": "89.160.20.112" + }, + "log_id": "1645524126/39" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=89.160.20.112, AD-Log-Id=1645524126/39", + "message": { + "code": "25046", + "description": "AD-Connector: Joined domain is unavailable", + "id": "0000083076" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "configuration" + ], + "kind": "event", + 
"original": "\u003c179\u003eMar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083076 1 0 2022-03-03 10:40:58.892 +00:00 0000083143 25046 ERROR AD-Connector: Joined domain is unavailable, AD-Domain=89.160.20.112, AD-Log-Id=1645524126/39,", + "sequence": 83143, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "error", + "syslog": { + "priority": 179, + "severity": { + "name": "error" + } + } + }, + "message": "2022-03-03 10:40:58.892 +00:00 0000083143 25046 ERROR AD-Connector: Joined domain is unavailable, AD-Domain=89.160.20.112, AD-Log-Id=1645524126/39,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-14T05:59:30.442Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "name": "10.0.14.108" + } + }, + "category": { + "name": "CISE_AD_Connector" + }, + "config_version": { + "id": 10 + }, + "log_details": "ConfigVersionId=10, AD-Domain=10.0.14.108", + "message": { + "code": "25058", + "description": "AD-Connector: ISE is not joined to an Active Directory Domain Controller", + "id": "0000000032" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ad-connector", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c179\u003eMar 14 05:59:30 cisco-ise-host CISE_AD_Connector 0000000032 1 0 2022-03-14 05:59:30.442 +00:00 0000000122 25058 ERROR AD-Connector: ISE is not joined to an Active Directory Domain Controller, ConfigVersionId=10, AD-Domain=10.0.14.108,", + "sequence": 122, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "error", + "syslog": { + "priority": 179, + "severity": { + "name": "error" + } + } + }, + "message": "2022-03-14 05:59:30.442 +00:00 0000000122 25058 ERROR AD-Connector: ISE is not joined to an Active Directory 
Domain Controller, ConfigVersionId=10, AD-Domain=10.0.14.108,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:42:25.000Z", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "controller": "host.local", + "name": "host.local" + }, + "log_id": "1645676126/42", + "site": "Default-First-Site-Name" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name", + "message": { + "id": "0000083089" + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c182\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083089 2 1 AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name," + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:42:25.000+02:00", + "cisco_ise": { + "log": { + "ad": { + "domain": { + "controller": "host.local", + "name": "host.local" + }, + "log_id": "1645676126/42", + "site": "Default-First-Site-Name" + }, + "category": { + "name": "CISE_AD_Connector" + }, + "log_details": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name", + "message": { + "id": "0000083089" + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c182\u003eMar 3 10:42:25 +02:00 cisco-ise-host CISE_AD_Connector 0000083089 2 1 AD-Domain=host.local, 
AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,", + "timezone": "+02:00" + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log new file mode 100644 index 00000000000..b37aff3d6b2 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log 
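Review bot: None of the failure events in this expected output set `event.outcome`: `Domain join failed` (25012, with `AD-Error-Details=The user account is invalid`), `DNS SRV query failed` (25016), `DC discovery failed` (25018), `Joined domain is unavailable` (25046) and `ISE is not joined to an Active Directory Domain Controller` (25058) all lack it, and for the three categorised as `authentication` that is the field detection rules key on, so a failed AD join is indistinguishable from a successful one without string-matching `message.description`. The `event.type` assignments are also uneven: 25012 and 25018 get `["info", "end"]` while 25016 and 25046 get `["info"]`, so `end` is attached to two failures and not their siblings. The mapping lives in the ingest pipeline, which is not in this hunk, but I would expect `"outcome": "failure"` on those five events (and `"success"` on the `succeeded`/`cached` ones), and would either drop `end` from the failures or apply it consistently, before regenerating this file.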
@@ -0,0 +1,33 @@ +<181>Mar 3 06:43:59 81.2.69.143 CISE_Administrative_and_Operational_Audit 0000081797 1 0 2022-03-03 06:43:59.935 +00:00 0000081864 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=1598, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=Administrator authentication successful, +<181>Mar 3 08:25:58 81.2.69.143 CISE_Administrative_and_Operational_Audit 0000082275 1 0 2022-03-03 08:25:58.063 +00:00 0000082342 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=1615, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=User logged out, +<181>Mar 3 08:06:28 isehost CISE_Administrative_and_Operational_Audit 0000082182 1 0 2022-03-03 08:06:28.020 +00:00 0000082249 51020 NOTICE Administrator-Login: Administrator authentication failed. Login username does not exist., ConfigVersionId=1610, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=INVALID, OperationMessageText=User not found, +<181>Mar 3 08:46:56 isehost CISE_Administrative_and_Operational_Audit 0000082385 1 0 2022-03-03 08:46:56.310 +00:00 0000082452 51021 NOTICE Administrator-Login: Administrator authentication failed. 
Wrong password., ConfigVersionId=1624, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=someadmin, +<181>Mar 3 08:30:08 isehost CISE_Administrative_and_Operational_Audit 0000040579 1 0 2022-03-03 08:30:08.728 +00:00 0000040625 52000 NOTICE Configuration-Changes: Added configuration, ConfigVersionId=786, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Object created:\,Port = 9005\,IP Address = 10.0.14.137\,Facility Code = LOCAL6\,Length = 1024\,Description = QA TCP Collector\,Include Alarms = FALSE\,status = ENABLED\,Buffer Message = FALSE\,Buffer Size = 100\,Reconnect Timeout = 30\,, ObjectType=UPSLogTarget, ObjectName=TCP Collector QA, +<181>Mar 3 09:05:16 isehost CISE_Administrative_and_Operational_Audit 0000082478 1 0 2022-03-03 09:05:16.475 +00:00 0000082545 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1626, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminSession=ProfilerSession, AdminName=someadmin, ConfigChangeData=NACServer{ipAddress=10.0.14.121,name=someuser,username=someuserusername,password=*******,enable=false,description=}, ObjectType=NACServer, ObjectName=someuser, +<181>Mar 3 11:58:35 isehost CISE_Administrative_and_Operational_Audit 0000083550 1 0 2022-03-03 11:58:35.811 +00:00 0000083617 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1698, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=admin, ConfigChangeData=object deleted: Name=test123, ObjectType=Network Access Users, ObjectName=test123, Component=Administration, ObjectInternalID=38bcf4bf-f61a-4028-8b69-ef94eceb2a8d, +<181>Mar 3 01:04:02 isehost CISE_Administrative_and_Operational_Audit 0000080239 1 0 2022-03-03 01:04:02.331 +00:00 0000080306 60067 NOTICE FeedService: Profiler Feed Service - automatic download intitiated, ConfigVersionId=1553, OperationMessageText={FeedServiceQueryFromTime=2022-02-22T00:22:00.653+00:00, FeedServicePort=8443, 
FeedServiceHost=ise.cisco.com, FeedServiceFeedVersion=1,2,3,4, FeedServiceQueryToTime=, FeedServiceFeed=Profiler}, +<181>Mar 3 01:04:06 isehost CISE_Administrative_and_Operational_Audit 0000080240 1 0 2022-03-03 01:04:06.254 +00:00 0000080307 60070 NOTICE FeedService: Profiler Feed Service - No Profiles Downloaded, ConfigVersionId=1553, +<181>Mar 3 09:24:13 isehost CISE_Administrative_and_Operational_Audit 0000082652 1 0 2022-03-03 09:24:13.263 +00:00 0000082719 60078 NOTICE MyDevices: MyDevices user has successfully authenticated, ConfigVersionId=1628, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35, +<181>Mar 3 00:00:00 isehost CISE_Administrative_and_Operational_Audit 0000079938 1 0 2022-03-03 00:00:00.478 +00:00 0000080005 60456 NOTICE System-Management: Started CRL/OCSP periodic certificate check, ConfigVersionId=1543, AdminIPAddress=10.0.9.204, AdminName=system, +<181>Mar 3 00:01:01 isehost CISE_Administrative_and_Operational_Audit 0000079946 1 0 2022-03-03 00:01:01.464 +00:00 0000080013 60461 NOTICE System-Management: Account disabled due to user level date expiry, ConfigVersionId=1545, AdminInterface=Internal, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, OperationMessageText=Account employee10 is disabled, AcsInstance=isehost.local, +<181>Mar 3 09:06:23 isehost CISE_Administrative_and_Operational_Audit 0000040765 1 0 2022-03-03 09:06:23.123 +00:00 0000040810 61025 NOTICE EAP-TLS: Open secure connection with TLS peer, ConfigVersionId=794, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection created from 10.0.9.204:42863 to 169.254.2.3:5671, AcsInstance=isehost, +<181>Mar 3 09:08:33 isehost CISE_Administrative_and_Operational_Audit 0000082499 1 0 2022-03-03 09:08:33.981 +00:00 0000082565 61026 NOTICE EAP-TLS: Shutdown secure connection with TLS peer, 
ConfigVersionId=1626, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection closed from 10.0.9.204:53127 to 169.254.2.5:5671, AcsInstance=isehost, +<181>Mar 3 09:25:05 isehost CISE_Administrative_and_Operational_Audit 0000082666 1 0 2022-03-03 09:25:05.100 +00:00 0000082733 61077 NOTICE MyDevices: MyDevices has been successfully logged out, ConfigVersionId=1630, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35, +<181>Mar 3 08:31:21 isehost CISE_Administrative_and_Operational_Audit 0000082306 1 0 2022-03-03 08:31:21.075 +00:00 0000082373 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=1621, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=someadmin, ConfigChangeData=Object modified:\, Log Severity Level = DEBUG\,Local Logging = enable\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe}, ObjectType=UPSCategory, ObjectName=AAA Diagnostics, OperationMessageText=LoggingCategories "Passed Authentications" has been edited successfully., +<181>Mar 10 11:04:19 isehost CISE_Administrative_and_Operational_Audit 0000130002 1 0 2022-03-10 11:04:19.271 +00:00 0000130069 60077 NOTICE MyDevices: MyDevices user authentication has failed, ConfigVersionId=3117, FailureReason=22040 Wrong password or invalid shared secret, UserName=test1123, IpAddress=172.16.17.255, AuthenticationIdentityStore=Internal Users, PortalName=test-mydevices, PsnHostName=isehost.local, ResponseTime=90, +<181>Mar 11 07:20:28 isehost CISE_Administrative_and_Operational_Audit 0000093200 1 0 2022-03-11 07:20:28.019 +00:00 0000093246 58005 NOTICE Process-Management: ISE process was restarted by watchdog service, ConfigVersionId=1703, FailureFlag=true, RequestResponseType=final, AdminInterface=CLI, AdminIPAddress=81.2.69.143, 
AdminName=system, OperationMessageText=Process: 'ISE Stunnel Service' started by ISE watchdog process, AcsInstance=isehost,
+<181>Mar 10 05:25:13 isehost CISE_Administrative_and_Operational_Audit 0000128314 1 0 2022-03-10 05:25:13.944 +00:00 0000128381 60094 NOTICE System-Management: ISE Backup has completed successfully, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Operational backup test_bkp_op-OPS10-220310-0524.tar.gpg to repository test-new success, AcsInstance=isehost,
+<181>Mar 10 05:24:16 isehost CISE_Administrative_and_Operational_Audit 0000128311 1 0 2022-03-10 05:24:16.414 +00:00 0000128378 60093 NOTICE System-Management: ISE Backup has started, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Initiating opsbackup backup test_bkp_op-OPS10-220310-0524 to repository test-new, AcsInstance=isehost,
+<181>Mar 9 19:00:42 isehost CISE_Administrative_and_Operational_Audit 0000083172 1 0 2022-03-09 19:00:42.763 +00:00 0000083218 60134 NOTICE System-Management: DNS Resolution failure, ConfigVersionId=1537, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=DNS resolution failed for the hostname isehost.local against the currently configured name servers., AcsInstance=isehost,
+<181>Mar 8 12:26:58 isehost CISE_Administrative_and_Operational_Audit 0000116964 1 0 2022-03-08 12:26:58.391 +00:00 0000117031 60188 NOTICE Administrator-Login: An attempted SSH connection has failed, ConfigVersionId=2726, AdminInterface=CLI, OperationMessageText=Received disconnect from 81.2.69.143 port 36953:11: disconnected by user, AcsInstance=isehost,
+<181>Mar 8 12:26:58 isehost CISE_Administrative_and_Operational_Audit 0000116963 1 0 2022-03-08 12:26:58.390 +00:00 0000117030 60116 NOTICE Administrator-Login: A CLI user has logged out from SSH, ConfigVersionId=2726, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, 
OperationMessageText=User 'admin' logged out from CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost,
+<181>Mar 8 12:15:32 isehost CISE_Administrative_and_Operational_Audit 0000116901 1 0 2022-03-08 12:15:32.654 +00:00 0000116968 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Accepted password for admin from 81.2.69.143 port 36953 ssh2, AcsInstance=isehost,
+<181>Mar 8 12:15:32 isehost CISE_Administrative_and_Operational_Audit 0000116902 1 0 2022-03-08 12:15:32.654 +00:00 0000116969 60115 NOTICE Administrator-Login: A CLI user has logged in from SSH, ConfigVersionId=2718, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged in to CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost,
+<181>Mar 8 12:14:39 isehost CISE_Administrative_and_Operational_Audit 0000116896 1 0 2022-03-08 12:14:39.376 +00:00 0000116963 60081 NOTICE Administrator-Login: A SSH CLI user has attempted unsuccessfully to login, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Failed password for root from 81.2.69.143 port 36661 ssh2, AcsInstance=isehost,
+<181>Mar 15 08:30:16 isehost CISE_Administrative_and_Operational_Audit 0000001486 2 1 AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=User logged out,
+<181>Mar 15 09:34:39 isehost CISE_Administrative_and_Operational_Audit 0000001602 2 1 AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=Administrator authentication successful,
+<181>Mar 11 22:52:25 isehost CISE_Administrative_and_Operational_Audit 0000049530 1 0 2022-03-11 22:52:25.650 +00:00 0000139953 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=3426, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, 
ObjectType=Machine Authentication Settings, ObjectName=Machine Authentication Settings, Component=Administration, ObjectInternalID=unknown,
+<181>Mar 14 07:12:06 isehost CISE_Administrative_and_Operational_Audit 0000000155 1 0 2022-03-14 07:12:06.324 +00:00 0000000245 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=97, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=Object modified:\, Log Severity Level = INFO\,Local Logging = enable\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe,TCP Collector KS1,TCP Collector QA,test_sec_log,Test_TCP,test_tcp,test_tcp2,test_udp,UDP Collector KS1,UDP Collector QA}, ObjectType=UPSCategory, ObjectName=System Statistics, OperationMessageText=LoggingCategories "Administrative and Operational Audit" has been edited successfully.,
+<181>Mar 14 09:43:33 isehost CISE_Administrative_and_Operational_Audit 0000000312 1 0 2022-03-14 09:43:33.233 +00:00 0000000402 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=55, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=object updated: Name=testad1, ObjectType=Active Directory Instance, ObjectName=testad1, Component=UNKNOWN, ObjectInternalID=unknown,
+<149>Mar 20 12:13:30 isehost CISE_Administrative_and_Operational_Audit 0000002725 1 0 2022-03-20 12:13:30.185 +00:00 0000003033 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=546, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Local Storage Period = 1 days, ObjectType=UPSLogSettings, ObjectName=LocalStore,
+<181>Mar 29 05:53:36 isehost CISE_Administrative_and_Operational_Audit 0000000931 1 0 2022-03-29 05:53:36.769 +00:00 0000001104 52002 NOTICE Configuration-Changes: Deleted configuration, 
ConfigVersionId=258, AdminInterface=GUI, AdminIPAddress=81.2.69.144, AdminName=admin, ObjectType=Active Directory Instance, ObjectName=test123test123test123test123test, Component=Network Access, ObjectInternalID=unknown,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
new file mode 100644
index 00000000000..1013eaa7b0a
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
@@ -0,0 +1,2675 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-03T06:43:59.935Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI", + "session": "AdminGUI_Session" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1598 + }, + "log_details": "ConfigVersionId=1598, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=Administrator authentication successful", + "message": { + "code": "51001", + "description": "Administrator-Login: Administrator authentication succeeded", + "id": "0000081797" + }, + "operation_message": { + "text": "Administrator authentication successful" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "someadmin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "administrator-login", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 06:43:59 81.2.69.143 CISE_Administrative_and_Operational_Audit 0000081797 1 0 2022-03-03 06:43:59.935 +00:00 0000081864 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=1598, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=Administrator authentication successful,", + "sequence": 81864, + "timezone": "+00:00", + "type": [ + "admin", + "info" + ] + }, + "host": { + "ip": "81.2.69.143" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 06:43:59.935 +00:00 0000081864 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=1598, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=Administrator authentication successful,", + "related": { 
+ "ip": [ + "81.2.69.143" + ], + "user": [ + "someadmin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T08:25:58.063Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI", + "session": "AdminGUI_Session" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1615 + }, + "log_details": "ConfigVersionId=1615, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=User logged out", + "message": { + "code": "51002", + "description": "Administrator-Login: Administrator logged off", + "id": "0000082275" + }, + "operation_message": { + "text": "User logged out" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "someadmin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "administrator-login", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 08:25:58 81.2.69.143 CISE_Administrative_and_Operational_Audit 0000082275 1 0 2022-03-03 08:25:58.063 +00:00 0000082342 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=1615, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=User logged out,", + "sequence": 82342, + "timezone": "+00:00", + "type": [ + "admin", + "info" + ] + }, + "host": { + "ip": "81.2.69.143" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 08:25:58.063 +00:00 0000082342 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=1615, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=User logged out,", + "related": { + "ip": [ + "81.2.69.143" + ], + "user": [ + "someadmin" + ] 
+ }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T08:06:28.020Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1610 + }, + "log_details": "ConfigVersionId=1610, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=INVALID, OperationMessageText=User not found", + "message": { + "code": "51020", + "description": "Administrator-Login: Administrator authentication failed. Login username does not exist.", + "id": "0000082182" + }, + "operation_message": { + "text": "User not found" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "INVALID" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "administrator-login", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 08:06:28 isehost CISE_Administrative_and_Operational_Audit 0000082182 1 0 2022-03-03 08:06:28.020 +00:00 0000082249 51020 NOTICE Administrator-Login: Administrator authentication failed. Login username does not exist., ConfigVersionId=1610, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=INVALID, OperationMessageText=User not found,", + "sequence": 82249, + "timezone": "+00:00", + "type": [ + "admin", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 08:06:28.020 +00:00 0000082249 51020 NOTICE Administrator-Login: Administrator authentication failed. 
Login username does not exist., ConfigVersionId=1610, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=INVALID, OperationMessageText=User not found,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "INVALID" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T08:46:56.310Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1624 + }, + "log_details": "ConfigVersionId=1624, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=someadmin", + "message": { + "code": "51021", + "description": "Administrator-Login: Administrator authentication failed. Wrong password.", + "id": "0000082385" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "172.16.22.156", + "user": { + "name": "someadmin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "administrator-login", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 08:46:56 isehost CISE_Administrative_and_Operational_Audit 0000082385 1 0 2022-03-03 08:46:56.310 +00:00 0000082452 51021 NOTICE Administrator-Login: Administrator authentication failed. Wrong password., ConfigVersionId=1624, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=someadmin,", + "sequence": 82452, + "timezone": "+00:00", + "type": [ + "admin", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 08:46:56.310 +00:00 0000082452 51021 NOTICE Administrator-Login: Administrator authentication failed. 
Wrong password., ConfigVersionId=1624, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=someadmin,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "172.16.22.156" + ], + "user": [ + "someadmin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T08:30:08.728Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_change": { + "data": "Object created:\\,Port = 9005\\,IP Address = 10.0.14.137\\,Facility Code = LOCAL6\\,Length = 1024\\,Description = QA TCP Collector\\,Include Alarms = FALSE\\,status = ENABLED\\,Buffer Message = FALSE\\,Buffer Size = 100\\,Reconnect Timeout = 30\\," + }, + "config_version": { + "id": 786 + }, + "log_details": "ConfigVersionId=786, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Object created:\\,Port = 9005\\,IP Address = 10.0.14.137\\,Facility Code = LOCAL6\\,Length = 1024\\,Description = QA TCP Collector\\,Include Alarms = FALSE\\,status = ENABLED\\,Buffer Message = FALSE\\,Buffer Size = 100\\,Reconnect Timeout = 30\\,, ObjectType=UPSLogTarget, ObjectName=TCP Collector QA", + "message": { + "code": "52000", + "description": "Configuration-Changes: Added configuration", + "id": "0000040579" + }, + "object": { + "name": "TCP Collector QA", + "type": "UPSLogTarget" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204", + "user": { + "name": "internal-sys-user" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 08:30:08 isehost CISE_Administrative_and_Operational_Audit 0000040579 1 0 2022-03-03 08:30:08.728 +00:00 0000040625 52000 NOTICE Configuration-Changes: Added configuration, ConfigVersionId=786, AdminInterface=GUI, AdminIPAddress=10.0.9.204, 
AdminName=internal-sys-user, ConfigChangeData=Object created:\\,Port = 9005\\,IP Address = 10.0.14.137\\,Facility Code = LOCAL6\\,Length = 1024\\,Description = QA TCP Collector\\,Include Alarms = FALSE\\,status = ENABLED\\,Buffer Message = FALSE\\,Buffer Size = 100\\,Reconnect Timeout = 30\\,, ObjectType=UPSLogTarget, ObjectName=TCP Collector QA,", + "sequence": 40625, + "timezone": "+00:00", + "type": [ + "creation", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 08:30:08.728 +00:00 0000040625 52000 NOTICE Configuration-Changes: Added configuration, ConfigVersionId=786, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Object created:\\,Port = 9005\\,IP Address = 10.0.14.137\\,Facility Code = LOCAL6\\,Length = 1024\\,Description = QA TCP Collector\\,Include Alarms = FALSE\\,status = ENABLED\\,Buffer Message = FALSE\\,Buffer Size = 100\\,Reconnect Timeout = 30\\,, ObjectType=UPSLogTarget, ObjectName=TCP Collector QA,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ], + "user": [ + "internal-sys-user" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:05:16.475Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI", + "session": "ProfilerSession" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_change": { + "data": "NACServer{ipAddress=10.0.14.121,name=someuser,username=someuserusername,password=*******,enable=false,description=}, ObjectType=NACServer, ObjectName=someuser" + }, + "config_version": { + "id": 1626 + }, + "log_details": "ConfigVersionId=1626, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminSession=ProfilerSession, AdminName=someadmin, 
ConfigChangeData=NACServer{ipAddress=10.0.14.121,name=someuser,username=someuserusername,password=*******,enable=false,description=}, ObjectType=NACServer, ObjectName=someuser", + "message": { + "code": "52002", + "description": "Configuration-Changes: Deleted configuration", + "id": "0000082478" + }, + "object": { + "name": "someuser", + "type": "NACServer" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204", + "user": { + "name": "someadmin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 09:05:16 isehost CISE_Administrative_and_Operational_Audit 0000082478 1 0 2022-03-03 09:05:16.475 +00:00 0000082545 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1626, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminSession=ProfilerSession, AdminName=someadmin, ConfigChangeData=NACServer{ipAddress=10.0.14.121,name=someuser,username=someuserusername,password=*******,enable=false,description=}, ObjectType=NACServer, ObjectName=someuser,", + "sequence": 82545, + "timezone": "+00:00", + "type": [ + "deletion", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 09:05:16.475 +00:00 0000082545 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1626, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminSession=ProfilerSession, AdminName=someadmin, ConfigChangeData=NACServer{ipAddress=10.0.14.121,name=someuser,username=someuserusername,password=*******,enable=false,description=}, ObjectType=NACServer, ObjectName=someuser,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ], + "user": [ + "someadmin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + 
"@timestamp": "2022-03-03T11:58:35.811Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "component": "Administration", + "config_change": { + "data": "object deleted: Name=test123, ObjectType=Network Access Users, ObjectName=test123, Component=Administration, ObjectInternalID=38bcf4bf-f61a-4028-8b69-ef94eceb2a8d" + }, + "config_version": { + "id": 1698 + }, + "log_details": "ConfigVersionId=1698, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=admin, ConfigChangeData=object deleted: Name=test123, ObjectType=Network Access Users, ObjectName=test123, Component=Administration, ObjectInternalID=38bcf4bf-f61a-4028-8b69-ef94eceb2a8d", + "message": { + "code": "52002", + "description": "Configuration-Changes: Deleted configuration", + "id": "0000083550" + }, + "object": { + "internal": { + "id": "38bcf4bf-f61a-4028-8b69-ef94eceb2a8d" + }, + "name": "test123", + "type": "Network Access Users" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "172.16.22.156", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 11:58:35 isehost CISE_Administrative_and_Operational_Audit 0000083550 1 0 2022-03-03 11:58:35.811 +00:00 0000083617 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1698, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=admin, ConfigChangeData=object deleted: Name=test123, ObjectType=Network Access Users, ObjectName=test123, Component=Administration, ObjectInternalID=38bcf4bf-f61a-4028-8b69-ef94eceb2a8d,", + "sequence": 83617, + "timezone": "+00:00", + "type": [ + "deletion", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + 
"name": "notice" + } + } + }, + "message": "2022-03-03 11:58:35.811 +00:00 0000083617 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1698, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=admin, ConfigChangeData=object deleted: Name=test123, ObjectType=Network Access Users, ObjectName=test123, Component=Administration, ObjectInternalID=38bcf4bf-f61a-4028-8b69-ef94eceb2a8d,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "172.16.22.156" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T01:04:02.331Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1553 + }, + "feed_service": { + "feed": { + "name": "Profiler", + "version": "1,2,3,4" + }, + "host": "ise.cisco.com", + "port": "8443", + "query": { + "from_time": "2022-02-22T00:22:00.653Z" + } + }, + "log_details": "ConfigVersionId=1553, OperationMessageText={FeedServiceQueryFromTime=2022-02-22T00:22:00.653+00:00, FeedServicePort=8443, FeedServiceHost=ise.cisco.com, FeedServiceFeedVersion=1,2,3,4, FeedServiceQueryToTime=, FeedServiceFeed=Profiler}", + "message": { + "code": "60067", + "description": "FeedService: Profiler Feed Service - automatic download intitiated", + "id": "0000080239" + }, + "operation_message": { + "text": "FeedServiceQueryFromTime=2022-02-22T00:22:00.653+00:00, FeedServicePort=8443, FeedServiceHost=ise.cisco.com, FeedServiceFeedVersion=1,2,3,4, FeedServiceQueryToTime=, FeedServiceFeed=Profiler" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "feedservice", + "category": [ + "process" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 01:04:02 isehost CISE_Administrative_and_Operational_Audit 0000080239 1 0 2022-03-03 01:04:02.331 +00:00 0000080306 60067 NOTICE FeedService: Profiler Feed Service - automatic download 
intitiated, ConfigVersionId=1553, OperationMessageText={FeedServiceQueryFromTime=2022-02-22T00:22:00.653+00:00, FeedServicePort=8443, FeedServiceHost=ise.cisco.com, FeedServiceFeedVersion=1,2,3,4, FeedServiceQueryToTime=, FeedServiceFeed=Profiler},", + "sequence": 80306, + "timezone": "+00:00", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 01:04:02.331 +00:00 0000080306 60067 NOTICE FeedService: Profiler Feed Service - automatic download intitiated, ConfigVersionId=1553, OperationMessageText={FeedServiceQueryFromTime=2022-02-22T00:22:00.653+00:00, FeedServicePort=8443, FeedServiceHost=ise.cisco.com, FeedServiceFeedVersion=1,2,3,4, FeedServiceQueryToTime=, FeedServiceFeed=Profiler},", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T01:04:06.254Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1553 + }, + "log_details": "ConfigVersionId=1553", + "message": { + "code": "60070", + "description": "FeedService: Profiler Feed Service - No Profiles Downloaded", + "id": "0000080240" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "feedservice", + "category": [ + "process" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 01:04:06 isehost CISE_Administrative_and_Operational_Audit 0000080240 1 0 2022-03-03 01:04:06.254 +00:00 0000080307 60070 NOTICE FeedService: Profiler Feed Service - No Profiles Downloaded, ConfigVersionId=1553,", + "sequence": 80307, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + 
}, + "message": "2022-03-03 01:04:06.254 +00:00 0000080307 60070 NOTICE FeedService: Profiler Feed Service - No Profiles Downloaded, ConfigVersionId=1553,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:24:13.263Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1628 + }, + "identity": { + "group": "ALL_ACCOUNTS (default)" + }, + "log_details": "ConfigVersionId=1628, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35", + "message": { + "code": "60078", + "description": "MyDevices: MyDevices user has successfully authenticated", + "id": "0000082652" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "isehost.local" + }, + "response": { + "time": 35 + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "mydevices", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 09:24:13 isehost CISE_Administrative_and_Operational_Audit 0000082652 1 0 2022-03-03 09:24:13.263 +00:00 0000082719 60078 NOTICE MyDevices: MyDevices user has successfully authenticated, ConfigVersionId=1628, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35,", + "sequence": 82719, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost", + "ip": "81.2.69.143" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + 
"message": "2022-03-03 09:24:13.263 +00:00 0000082719 60078 NOTICE MyDevices: MyDevices user has successfully authenticated, ConfigVersionId=1628, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35,", + "related": { + "hosts": [ + "isehost", + "isehost.local" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "someuser" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "someuser" + } + }, + { + "@timestamp": "2022-03-03T00:00:00.478Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1543 + }, + "log_details": "ConfigVersionId=1543, AdminIPAddress=10.0.9.204, AdminName=system", + "message": { + "code": "60456", + "description": "System-Management: Started CRL/OCSP periodic certificate check", + "id": "0000079938" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204", + "user": { + "name": "system" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-management", + "category": [ + "process" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 00:00:00 isehost CISE_Administrative_and_Operational_Audit 0000079938 1 0 2022-03-03 00:00:00.478 +00:00 0000080005 60456 NOTICE System-Management: Started CRL/OCSP periodic certificate check, ConfigVersionId=1543, AdminIPAddress=10.0.9.204, AdminName=system,", + "sequence": 80005, + "timezone": "+00:00", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 00:00:00.478 +00:00 0000080005 60456 NOTICE System-Management: Started CRL/OCSP periodic certificate check, ConfigVersionId=1543, AdminIPAddress=10.0.9.204, AdminName=system,", 
+ "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ], + "user": [ + "system" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T00:01:01.464Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost.local" + }, + "admin": { + "interface": "Internal" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1545 + }, + "log_details": "ConfigVersionId=1545, AdminInterface=Internal, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, OperationMessageText=Account employee10 is disabled, AcsInstance=isehost.local", + "message": { + "code": "60461", + "description": "System-Management: Account disabled due to user level date expiry", + "id": "0000079946" + }, + "operation_message": { + "text": "Account employee10 is disabled" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204", + "user": { + "name": "internal-sys-user" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-management", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 00:01:01 isehost CISE_Administrative_and_Operational_Audit 0000079946 1 0 2022-03-03 00:01:01.464 +00:00 0000080013 60461 NOTICE System-Management: Account disabled due to user level date expiry, ConfigVersionId=1545, AdminInterface=Internal, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, OperationMessageText=Account employee10 is disabled, AcsInstance=isehost.local,", + "sequence": 80013, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 00:01:01.464 +00:00 0000080013 60461 NOTICE System-Management: Account disabled due to user level date expiry, ConfigVersionId=1545, AdminInterface=Internal, AdminIPAddress=10.0.9.204, 
AdminName=internal-sys-user, OperationMessageText=Account employee10 is disabled, AcsInstance=isehost.local,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ], + "user": [ + "internal-sys-user" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:06:23.123Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "UNKNOWN" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 794 + }, + "log_details": "ConfigVersionId=794, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection created from 10.0.9.204:42863 to 169.254.2.3:5671, AcsInstance=isehost", + "message": { + "code": "61025", + "description": "EAP-TLS: Open secure connection with TLS peer", + "id": "0000040765" + }, + "operation_message": { + "text": "Connection created from 10.0.9.204:42863 to 169.254.2.3:5671" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap-tls", + "category": [ + "network" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 09:06:23 isehost CISE_Administrative_and_Operational_Audit 0000040765 1 0 2022-03-03 09:06:23.123 +00:00 0000040810 61025 NOTICE EAP-TLS: Open secure connection with TLS peer, ConfigVersionId=794, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection created from 10.0.9.204:42863 to 169.254.2.3:5671, AcsInstance=isehost,", + "sequence": 40810, + "timezone": "+00:00", + "type": [ + "connection", + "info", + "start" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 09:06:23.123 +00:00 0000040810 61025 NOTICE EAP-TLS: Open secure connection with TLS peer, ConfigVersionId=794, 
AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection created from 10.0.9.204:42863 to 169.254.2.3:5671, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:08:33.981Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "UNKNOWN" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1626 + }, + "log_details": "ConfigVersionId=1626, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection closed from 10.0.9.204:53127 to 169.254.2.5:5671, AcsInstance=isehost", + "message": { + "code": "61026", + "description": "EAP-TLS: Shutdown secure connection with TLS peer", + "id": "0000082499" + }, + "operation_message": { + "text": "Connection closed from 10.0.9.204:53127 to 169.254.2.5:5671" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap-tls", + "category": [ + "network" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 09:08:33 isehost CISE_Administrative_and_Operational_Audit 0000082499 1 0 2022-03-03 09:08:33.981 +00:00 0000082565 61026 NOTICE EAP-TLS: Shutdown secure connection with TLS peer, ConfigVersionId=1626, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection closed from 10.0.9.204:53127 to 169.254.2.5:5671, AcsInstance=isehost,", + "sequence": 82565, + "timezone": "+00:00", + "type": [ + "connection", + "end", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 09:08:33.981 +00:00 0000082565 61026 NOTICE EAP-TLS: Shutdown secure connection with TLS peer, 
ConfigVersionId=1626, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection closed from 10.0.9.204:53127 to 169.254.2.5:5671, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:25:05.100Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1630 + }, + "identity": { + "group": "ALL_ACCOUNTS (default)" + }, + "log_details": "ConfigVersionId=1630, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35", + "message": { + "code": "61077", + "description": "MyDevices: MyDevices has been successfully logged out", + "id": "0000082666" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "isehost.local" + }, + "response": { + "time": 35 + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "mydevices", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 09:25:05 isehost CISE_Administrative_and_Operational_Audit 0000082666 1 0 2022-03-03 09:25:05.100 +00:00 0000082733 61077 NOTICE MyDevices: MyDevices has been successfully logged out, ConfigVersionId=1630, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35,", + "sequence": 82733, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost", + "ip": "81.2.69.143" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + 
"severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 09:25:05.100 +00:00 0000082733 61077 NOTICE MyDevices: MyDevices has been successfully logged out, ConfigVersionId=1630, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35,", + "related": { + "hosts": [ + "isehost", + "isehost.local" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "someuser" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "someuser" + } + }, + { + "@timestamp": "2022-03-03T08:31:21.075Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "assigned_targets": [ + "LogCollector", + "LogCollector2", + "ProfilerRadiusProbe" + ], + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_change": { + "data": "Object modified:\\, Log Severity Level = DEBUG\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe}" + }, + "config_version": { + "id": 1621 + }, + "failure": { + "flag": false + }, + "local_logging": "enable", + "log_details": "ConfigVersionId=1621, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=someadmin, ConfigChangeData=Object modified:\\, Log Severity Level = DEBUG\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe}, ObjectType=UPSCategory, ObjectName=AAA Diagnostics, OperationMessageText=LoggingCategories \"Passed Authentications\" has been edited successfully.", + "message": { + "code": "52001", + "description": "Configuration-Changes: Changed configuration", + "id": "0000082306" + }, + "object": { + "name": "AAA Diagnostics", + "type": "UPSCategory" + }, + "operation_message": { + "text": "LoggingCategories \"Passed Authentications\" has been edited successfully." 
+ }, + "request_response": { + "type": "initial" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204", + "user": { + "name": "someadmin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 08:31:21 isehost CISE_Administrative_and_Operational_Audit 0000082306 1 0 2022-03-03 08:31:21.075 +00:00 0000082373 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=1621, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=someadmin, ConfigChangeData=Object modified:\\, Log Severity Level = DEBUG\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe}, ObjectType=UPSCategory, ObjectName=AAA Diagnostics, OperationMessageText=LoggingCategories \"Passed Authentications\" has been edited successfully.,", + "sequence": 82373, + "timezone": "+00:00", + "type": [ + "change", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 08:31:21.075 +00:00 0000082373 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=1621, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=someadmin, ConfigChangeData=Object modified:\\, Log Severity Level = DEBUG\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe}, ObjectType=UPSCategory, ObjectName=AAA Diagnostics, OperationMessageText=LoggingCategories \"Passed Authentications\" has been edited successfully.,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ], + "user": [ + "someadmin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2022-03-10T11:04:19.271Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 3117 + }, + "failure": { + "reason": "22040 Wrong password or invalid shared secret" + }, + "log_details": "ConfigVersionId=3117, FailureReason=22040 Wrong password or invalid shared secret, UserName=test1123, IpAddress=172.16.17.255, AuthenticationIdentityStore=Internal Users, PortalName=test-mydevices, PsnHostName=isehost.local, ResponseTime=90", + "message": { + "code": "60077", + "description": "MyDevices: MyDevices user authentication has failed", + "id": "0000130002" + }, + "portal": { + "name": "test-mydevices" + }, + "psn": { + "hostname": "isehost.local" + }, + "response": { + "time": 90 + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "mydevices", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 10 11:04:19 isehost CISE_Administrative_and_Operational_Audit 0000130002 1 0 2022-03-10 11:04:19.271 +00:00 0000130069 60077 NOTICE MyDevices: MyDevices user authentication has failed, ConfigVersionId=3117, FailureReason=22040 Wrong password or invalid shared secret, UserName=test1123, IpAddress=172.16.17.255, AuthenticationIdentityStore=Internal Users, PortalName=test-mydevices, PsnHostName=isehost.local, ResponseTime=90, ", + "sequence": 130069, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost", + "ip": "172.16.17.255" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-10 11:04:19.271 +00:00 0000130069 60077 NOTICE MyDevices: MyDevices user authentication has failed, ConfigVersionId=3117, FailureReason=22040 Wrong password or invalid shared secret, UserName=test1123, 
IpAddress=172.16.17.255, AuthenticationIdentityStore=Internal Users, PortalName=test-mydevices, PsnHostName=isehost.local, ResponseTime=90,", + "related": { + "hosts": [ + "isehost", + "isehost.local" + ], + "ip": [ + "172.16.17.255" + ], + "user": [ + "test1123" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "test1123" + } + }, + { + "@timestamp": "2022-03-11T07:20:28.019Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "CLI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1703 + }, + "failure": { + "flag": true + }, + "log_details": "ConfigVersionId=1703, FailureFlag=true, RequestResponseType=final, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=Process: 'ISE Stunnel Service' started by ISE watchdog process, AcsInstance=isehost", + "message": { + "code": "58005", + "description": "Process-Management: ISE process was restarted by watchdog service", + "id": "0000093200" + }, + "operation_message": { + "text": "Process: 'ISE Stunnel Service' started by ISE watchdog process" + }, + "request_response": { + "type": "final" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "system" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "process-management", + "category": [ + "iam", + "process" + ], + "kind": "event", + "original": "\u003c181\u003eMar 11 07:20:28 isehost CISE_Administrative_and_Operational_Audit 0000093200 1 0 2022-03-11 07:20:28.019 +00:00 0000093246 58005 NOTICE Process-Management: ISE process was restarted by watchdog service, ConfigVersionId=1703, FailureFlag=true, RequestResponseType=final, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=Process: 'ISE Stunnel Service' started by ISE watchdog process, AcsInstance=isehost, ", + "sequence": 93246, + 
"timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-11 07:20:28.019 +00:00 0000093246 58005 NOTICE Process-Management: ISE process was restarted by watchdog service, ConfigVersionId=1703, FailureFlag=true, RequestResponseType=final, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=Process: 'ISE Stunnel Service' started by ISE watchdog process, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "system" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-10T05:25:13.944Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 3068 + }, + "log_details": "ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Operational backup test_bkp_op-OPS10-220310-0524.tar.gpg to repository test-new success, AcsInstance=isehost", + "message": { + "code": "60094", + "description": "System-Management: ISE Backup has completed successfully", + "id": "0000128314" + }, + "operation_message": { + "text": "Operational backup test_bkp_op-OPS10-220310-0524.tar.gpg to repository test-new success" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-management", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c181\u003eMar 10 05:25:13 isehost CISE_Administrative_and_Operational_Audit 0000128314 1 0 2022-03-10 05:25:13.944 +00:00 0000128381 60094 NOTICE System-Management: ISE Backup has completed 
successfully, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Operational backup test_bkp_op-OPS10-220310-0524.tar.gpg to repository test-new success, AcsInstance=isehost, ", + "sequence": 128381, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-10 05:25:13.944 +00:00 0000128381 60094 NOTICE System-Management: ISE Backup has completed successfully, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Operational backup test_bkp_op-OPS10-220310-0524.tar.gpg to repository test-new success, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-10T05:24:16.414Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 3068 + }, + "log_details": "ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Initiating opsbackup backup test_bkp_op-OPS10-220310-0524 to repository test-new, AcsInstance=isehost", + "message": { + "code": "60093", + "description": "System-Management: ISE Backup has started", + "id": "0000128311" + }, + "operation_message": { + "text": "Initiating opsbackup backup test_bkp_op-OPS10-220310-0524 to repository test-new" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-management", + "category": [ + "iam" + ], + "kind": "event", + "original": 
"\u003c181\u003eMar 10 05:24:16 isehost CISE_Administrative_and_Operational_Audit 0000128311 1 0 2022-03-10 05:24:16.414 +00:00 0000128378 60093 NOTICE System-Management: ISE Backup has started, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Initiating opsbackup backup test_bkp_op-OPS10-220310-0524 to repository test-new, AcsInstance=isehost, ", + "sequence": 128378, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-10 05:24:16.414 +00:00 0000128378 60093 NOTICE System-Management: ISE Backup has started, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Initiating opsbackup backup test_bkp_op-OPS10-220310-0524 to repository test-new, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-09T19:00:42.763Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "CLI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 1537 + }, + "log_details": "ConfigVersionId=1537, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=DNS resolution failed for the hostname isehost.local against the currently configured name servers., AcsInstance=isehost", + "message": { + "code": "60134", + "description": "System-Management: DNS Resolution failure", + "id": "0000083172" + }, + "operation_message": { + "text": "DNS resolution failed for the hostname isehost.local against the currently configured name servers." 
+ }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "system" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-management", + "category": [ + "iam", + "network" + ], + "kind": "event", + "original": "\u003c181\u003eMar 9 19:00:42 isehost CISE_Administrative_and_Operational_Audit 0000083172 1 0 2022-03-09 19:00:42.763 +00:00 0000083218 60134 NOTICE System-Management: DNS Resolution failure, ConfigVersionId=1537, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=DNS resolution failed for the hostname isehost.local against the currently configured name servers., AcsInstance=isehost, ", + "sequence": 83218, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-09 19:00:42.763 +00:00 0000083218 60134 NOTICE System-Management: DNS Resolution failure, ConfigVersionId=1537, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=DNS resolution failed for the hostname isehost.local against the currently configured name servers., AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "system" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-08T12:26:58.391Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "CLI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 2726 + }, + "log_details": "ConfigVersionId=2726, AdminInterface=CLI, OperationMessageText=Received disconnect from 81.2.69.143 port 36953:11: disconnected by user, AcsInstance=isehost", + "message": { + "code": "60188", + "description": "Administrator-Login: An attempted SSH 
connection has failed", + "id": "0000116964" + }, + "operation_message": { + "text": "Received disconnect from 81.2.69.143 port 36953:11: disconnected by user" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "administrator-login", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 8 12:26:58 isehost CISE_Administrative_and_Operational_Audit 0000116964 1 0 2022-03-08 12:26:58.391 +00:00 0000117031 60188 NOTICE Administrator-Login: An attempted SSH connection has failed, ConfigVersionId=2726, AdminInterface=CLI, OperationMessageText=Received disconnect from 81.2.69.143 port 36953:11: disconnected by user, AcsInstance=isehost, ", + "sequence": 117031, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-08 12:26:58.391 +00:00 0000117031 60188 NOTICE Administrator-Login: An attempted SSH connection has failed, ConfigVersionId=2726, AdminInterface=CLI, OperationMessageText=Received disconnect from 81.2.69.143 port 36953:11: disconnected by user, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-08T12:26:58.390Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "CLI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 2726 + }, + "log_details": "ConfigVersionId=2726, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged out from CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost", + "message": { + "code": "60116", + "description": "Administrator-Login: A CLI user has logged out from SSH", + "id": 
"0000116963" + }, + "operation_message": { + "text": "User 'admin' logged out from CLI SSH session from SSH client IP: 81.2.69.143" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "administrator-login", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 8 12:26:58 isehost CISE_Administrative_and_Operational_Audit 0000116963 1 0 2022-03-08 12:26:58.390 +00:00 0000117030 60116 NOTICE Administrator-Login: A CLI user has logged out from SSH, ConfigVersionId=2726, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged out from CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost, ", + "sequence": 117030, + "timezone": "+00:00", + "type": [ + "user", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-08 12:26:58.390 +00:00 0000117030 60116 NOTICE Administrator-Login: A CLI user has logged out from SSH, ConfigVersionId=2726, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged out from CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-08T12:15:32.654Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "CLI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 2718 + }, + "log_details": "ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Accepted password for admin from 81.2.69.143 port 36953 ssh2, 
AcsInstance=isehost", + "message": { + "code": "60080", + "description": "Administrator-Login: A SSH CLI user has successfully logged in", + "id": "0000116901" + }, + "operation_message": { + "text": "Accepted password for admin from 81.2.69.143 port 36953 ssh2" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "administrator-login", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 8 12:15:32 isehost CISE_Administrative_and_Operational_Audit 0000116901 1 0 2022-03-08 12:15:32.654 +00:00 0000116968 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Accepted password for admin from 81.2.69.143 port 36953 ssh2, AcsInstance=isehost, ", + "sequence": 116968, + "timezone": "+00:00", + "type": [ + "user", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-08 12:15:32.654 +00:00 0000116968 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Accepted password for admin from 81.2.69.143 port 36953 ssh2, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-08T12:15:32.654Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "CLI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 2718 + }, + "log_details": "ConfigVersionId=2718, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged in to CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost", + "message": { + "code": 
"60115", + "description": "Administrator-Login: A CLI user has logged in from SSH", + "id": "0000116902" + }, + "operation_message": { + "text": "User 'admin' logged in to CLI SSH session from SSH client IP: 81.2.69.143" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "administrator-login", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 8 12:15:32 isehost CISE_Administrative_and_Operational_Audit 0000116902 1 0 2022-03-08 12:15:32.654 +00:00 0000116969 60115 NOTICE Administrator-Login: A CLI user has logged in from SSH, ConfigVersionId=2718, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged in to CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost, ", + "sequence": 116969, + "timezone": "+00:00", + "type": [ + "user", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-08 12:15:32.654 +00:00 0000116969 60115 NOTICE Administrator-Login: A CLI user has logged in from SSH, ConfigVersionId=2718, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged in to CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-08T12:14:39.376Z", + "cisco_ise": { + "log": { + "acs": { + "instance": "isehost" + }, + "admin": { + "interface": "CLI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_version": { + "id": 2718 + }, + "log_details": "ConfigVersionId=2718, AdminInterface=CLI, 
OperationMessageText=Failed password for root from 81.2.69.143 port 36661 ssh2, AcsInstance=isehost", + "message": { + "code": "60081", + "description": "Administrator-Login: A SSH CLI user has attempted unsuccessfully to login", + "id": "0000116896" + }, + "operation_message": { + "text": "Failed password for root from 81.2.69.143 port 36661 ssh2" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "administrator-login", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 8 12:14:39 isehost CISE_Administrative_and_Operational_Audit 0000116896 1 0 2022-03-08 12:14:39.376 +00:00 0000116963 60081 NOTICE Administrator-Login: A SSH CLI user has attempted unsuccessfully to login, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Failed password for root from 81.2.69.143 port 36661 ssh2, AcsInstance=isehost, ", + "sequence": 116963, + "timezone": "+00:00", + "type": [ + "user", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-08 12:14:39.376 +00:00 0000116963 60081 NOTICE Administrator-Login: A SSH CLI user has attempted unsuccessfully to login, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Failed password for root from 81.2.69.143 port 36661 ssh2, AcsInstance=isehost,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-15T08:30:16.000Z", + "cisco_ise": { + "log": { + "admin": { + "session": "AdminGUI_Session" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "log_details": "AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=User logged out", + "message": { + "id": "0000001486" + }, + "operation_message": { + "text": "User logged 
out" + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "client": { + "ip": "10.0.1.1", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c181\u003eMar 15 08:30:16 isehost CISE_Administrative_and_Operational_Audit 0000001486 2 1 AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=User logged out," + }, + "host": { + "hostname": "isehost" + }, + "log": { + "syslog": { + "priority": 181 + } + }, + "message": "AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=User logged out,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.1.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-15T09:34:39.000Z", + "cisco_ise": { + "log": { + "admin": { + "session": "AdminGUI_Session" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "log_details": "AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=Administrator authentication successful", + "message": { + "id": "0000001602" + }, + "operation_message": { + "text": "Administrator authentication successful" + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "client": { + "ip": "10.0.1.1", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c181\u003eMar 15 09:34:39 isehost CISE_Administrative_and_Operational_Audit 0000001602 2 1 AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=Administrator authentication successful, " + }, + "host": { + "hostname": "isehost" + }, + "log": { + "syslog": { + "priority": 181 + } + }, + "message": "AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=Administrator authentication successful,", + "related": { + 
"hosts": [ + "isehost" + ], + "ip": [ + "10.0.1.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-11T22:52:25.650Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "component": "Administration", + "config_version": { + "id": 3426 + }, + "failure": { + "flag": false + }, + "log_details": "ConfigVersionId=3426, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ObjectType=Machine Authentication Settings, ObjectName=Machine Authentication Settings, Component=Administration, ObjectInternalID=unknown", + "message": { + "code": "52001", + "description": "Configuration-Changes: Changed configuration", + "id": "0000049530" + }, + "object": { + "internal": { + "id": "unknown" + }, + "name": "Machine Authentication Settings", + "type": "Machine Authentication Settings" + }, + "request_response": { + "type": "initial" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204", + "user": { + "name": "internal-sys-user" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "kind": "event", + "original": "\u003c181\u003eMar 11 22:52:25 isehost CISE_Administrative_and_Operational_Audit 0000049530 1 0 2022-03-11 22:52:25.650 +00:00 0000139953 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=3426, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ObjectType=Machine Authentication Settings, ObjectName=Machine Authentication Settings, Component=Administration, ObjectInternalID=unknown, ", + "sequence": 139953, + "timezone": "+00:00", + "type": [ + "change", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { 
+ "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-11 22:52:25.650 +00:00 0000139953 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=3426, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ObjectType=Machine Authentication Settings, ObjectName=Machine Authentication Settings, Component=Administration, ObjectInternalID=unknown,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ], + "user": [ + "internal-sys-user" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-14T07:12:06.324Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "assigned_targets": [ + "LogCollector", + "LogCollector2", + "ProfilerRadiusProbe", + "TCP Collector KS1", + "TCP Collector QA", + "test_sec_log", + "Test_TCP", + "test_tcp", + "test_tcp2", + "test_udp", + "UDP Collector KS1", + "UDP Collector QA" + ], + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_change": { + "data": "Object modified:\\, Log Severity Level = INFO\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe,TCP Collector KS1,TCP Collector QA,test_sec_log,Test_TCP,test_tcp,test_tcp2,test_udp,UDP Collector KS1,UDP Collector QA}" + }, + "config_version": { + "id": 97 + }, + "failure": { + "flag": false + }, + "local_logging": "enable", + "log_details": "ConfigVersionId=97, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=Object modified:\\, Log Severity Level = INFO\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe,TCP Collector KS1,TCP Collector QA,test_sec_log,Test_TCP,test_tcp,test_tcp2,test_udp,UDP Collector KS1,UDP Collector QA}, ObjectType=UPSCategory, ObjectName=System 
Statistics, OperationMessageText=LoggingCategories \"Administrative and Operational Audit\" has been edited successfully.", + "message": { + "code": "52001", + "description": "Configuration-Changes: Changed configuration", + "id": "0000000155" + }, + "object": { + "name": "System Statistics", + "type": "UPSCategory" + }, + "operation_message": { + "text": "LoggingCategories \"Administrative and Operational Audit\" has been edited successfully." + }, + "request_response": { + "type": "initial" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "kind": "event", + "original": "\u003c181\u003eMar 14 07:12:06 isehost CISE_Administrative_and_Operational_Audit 0000000155 1 0 2022-03-14 07:12:06.324 +00:00 0000000245 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=97, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=Object modified:\\, Log Severity Level = INFO\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe,TCP Collector KS1,TCP Collector QA,test_sec_log,Test_TCP,test_tcp,test_tcp2,test_udp,UDP Collector KS1,UDP Collector QA}, ObjectType=UPSCategory, ObjectName=System Statistics, OperationMessageText=LoggingCategories \"Administrative and Operational Audit\" has been edited successfully., ", + "sequence": 245, + "timezone": "+00:00", + "type": [ + "change", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-14 07:12:06.324 +00:00 0000000245 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=97, FailureFlag=false, 
RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=Object modified:\\, Log Severity Level = INFO\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe,TCP Collector KS1,TCP Collector QA,test_sec_log,Test_TCP,test_tcp,test_tcp2,test_udp,UDP Collector KS1,UDP Collector QA}, ObjectType=UPSCategory, ObjectName=System Statistics, OperationMessageText=LoggingCategories \"Administrative and Operational Audit\" has been edited successfully.,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-14T09:43:33.233Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "component": "UNKNOWN", + "config_change": { + "data": "object updated: Name=testad1" + }, + "config_version": { + "id": 55 + }, + "failure": { + "flag": false + }, + "log_details": "ConfigVersionId=55, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=object updated: Name=testad1, ObjectType=Active Directory Instance, ObjectName=testad1, Component=UNKNOWN, ObjectInternalID=unknown", + "message": { + "code": "52001", + "description": "Configuration-Changes: Changed configuration", + "id": "0000000312" + }, + "object": { + "internal": { + "id": "unknown" + }, + "name": "testad1", + "type": "Active Directory Instance" + }, + "request_response": { + "type": "initial" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "kind": "event", + "original": "\u003c181\u003eMar 14 09:43:33 isehost 
CISE_Administrative_and_Operational_Audit 0000000312 1 0 2022-03-14 09:43:33.233 +00:00 0000000402 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=55, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=object updated: Name=testad1, ObjectType=Active Directory Instance, ObjectName=testad1, Component=UNKNOWN, ObjectInternalID=unknown,", + "sequence": 402, + "timezone": "+00:00", + "type": [ + "change", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-14 09:43:33.233 +00:00 0000000402 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=55, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=object updated: Name=testad1, ObjectType=Active Directory Instance, ObjectName=testad1, Component=UNKNOWN, ObjectInternalID=unknown,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-20T12:13:30.185Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_change": { + "data": "Local Storage Period = 1 days" + }, + "config_version": { + "id": 546 + }, + "failure": { + "flag": false + }, + "log_details": "ConfigVersionId=546, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Local Storage Period = 1 days, ObjectType=UPSLogSettings, ObjectName=LocalStore", + "message": { + "code": "52001", + "description": "Configuration-Changes: Changed configuration", + "id": "0000002725" + }, + "object": { + "name": "LocalStore", + 
"type": "UPSLogSettings" + }, + "request_response": { + "type": "initial" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "10.0.9.204", + "user": { + "name": "internal-sys-user" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "kind": "event", + "original": "\u003c149\u003eMar 20 12:13:30 isehost CISE_Administrative_and_Operational_Audit 0000002725 1 0 2022-03-20 12:13:30.185 +00:00 0000003033 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=546, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Local Storage Period = 1 days, ObjectType=UPSLogSettings, ObjectName=LocalStore,", + "sequence": 3033, + "timezone": "+00:00", + "type": [ + "change", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 149, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-20 12:13:30.185 +00:00 0000003033 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=546, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Local Storage Period = 1 days, ObjectType=UPSLogSettings, ObjectName=LocalStore,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204" + ], + "user": [ + "internal-sys-user" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-29T05:53:36.769Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "component": "Network Access", + "config_version": { + "id": 258 + }, + "log_details": "ConfigVersionId=258, AdminInterface=GUI, AdminIPAddress=81.2.69.144, AdminName=admin, ObjectType=Active Directory 
Instance, ObjectName=test123test123test123test123test, Component=Network Access, ObjectInternalID=unknown", + "message": { + "code": "52002", + "description": "Configuration-Changes: Deleted configuration", + "id": "0000000931" + }, + "object": { + "internal": { + "id": "unknown" + }, + "name": "test123test123test123test123test", + "type": "Active Directory Instance" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.144", + "user": { + "name": "admin" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "kind": "event", + "original": "\u003c181\u003eMar 29 05:53:36 isehost CISE_Administrative_and_Operational_Audit 0000000931 1 0 2022-03-29 05:53:36.769 +00:00 0000001104 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=258, AdminInterface=GUI, AdminIPAddress=81.2.69.144, AdminName=admin, ObjectType=Active Directory Instance, ObjectName=test123test123test123test123test, Component=Network Access, ObjectInternalID=unknown,", + "sequence": 1104, + "timezone": "+00:00", + "type": [ + "deletion", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-29 05:53:36.769 +00:00 0000001104 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=258, AdminInterface=GUI, AdminIPAddress=81.2.69.144, AdminName=admin, ObjectType=Active Directory Instance, ObjectName=test123test123test123test123test, Component=Network Access, ObjectInternalID=unknown,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log
new file mode 100644
index 00000000000..c8a4418faae
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log
@@ -0,0 +1,10 @@
+<183>Mar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082628 1 0 2022-03-03 09:22:59.360 +00:00 0000082695 22016 DEBUG Workflow: Identity sequence completed iterating the IDStores, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationIdentityStore=All_AD_Join_Points, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },
+<183>Mar 3 09:24:13 isehost CISE_Authentication_Flow_Diagnostics 0000082651 1 0 2022-03-03 09:24:13.238 +00:00 0000082718 22037 DEBUG Workflow: Authentication Passed, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth20, Response={AuthenticationResult=Passed; },
+<182>Mar 3 09:22:51 isehost CISE_Authentication_Flow_Diagnostics 0000082605 1 0 2022-03-03 09:22:51.639 +00:00 0000082672 22040 INFO Authentication: Wrong password or invalid shared secret, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },
+<183>Mar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082629 1 0 2022-03-03 09:22:59.360 +00:00 0000082696 22056 DEBUG Workflow: Subject not found in the applicable identity store(s), ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },
+<182>Mar 3 09:22:51 isehost CISE_Authentication_Flow_Diagnostics 0000082606 1 0 2022-03-03 09:22:51.639 +00:00 0000082673 22057 INFO Workflow: The advanced option that is configured for a failed authentication request is used, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },
+<182>Mar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082630 1 0 2022-03-03 09:22:59.361 +00:00 0000082697 22058 INFO Workflow: The advanced option that is configured for an unknown user is used, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },
+<182>Mar 3 11:37:34 isehost CISE_Authentication_Flow_Diagnostics 0000083415 1 0 2022-03-03 11:37:34.928 +00:00 0000083482 22060 INFO Workflow: The 'Continue' advanced option is configured in case of a failed authentication request, ConfigVersionId=1696, DestinationIPAddress=10.0.9.204, UserName=92-09-00-00-00-01, NAS-IP-Address=10.0.14.108, Calling-Station-ID=92:09:00:00:00:01, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Endpoints, WorkflowIfUserNotFound=Continue, WorkflowIfProcessError=Drop, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; AuthenticationAction=Continue; },
+<182>Mar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082631 1 0 2022-03-03 09:22:59.361 +00:00 0000082698 22061 INFO Workflow: The 'Reject' advanced option is configured in case of a failed authentication request, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; AuthenticationAction=Reject; },
+<182>Mar 3 09:24:13 isehost CISE_Authentication_Flow_Diagnostics 0000082647 1 0 2022-03-03 09:24:13.235 +00:00 0000082714 22072 INFO Authentication: Selected identity source sequence, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence, CPMSessionID=isehost:userauth20,
+<182>Mar 28 11:23:25 isehost CISE_Authentication_Flow_Diagnostics 0000000130 3 1 SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json
new file mode 100644
index 00000000000..2cf9879d7be
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json
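Review bot: The last fixture line (`… CISE_Authentication_Flow_Diagnostics 0000000130 3 1 SelectedAccessService=…`) is a bare continuation, segment 1 of 3, and no segment 0 or 2 of message 0000000130 appears in the file, so the test only shows that a headerless continuation parses on its own and never covers how the segments of one message relate. If segments are intended to remain independent documents (the admin-audit expectations earlier in this commit emit segment 1-of-2 entries as standalone events carrying only the key=value payload), add the segment-0 line of message 0000000130, the one that carries the embedded timestamp, sequence number, message code and level, so both shapes of a single message are pinned, and state in the data stream README that multi-segment messages are not reassembled, since a `.log` fixture cannot hold a comment. This line also has no embedded `2022-03-28 …` timestamp, so its `@timestamp` can only be derived from the year-less syslog header; the `2022` seen on the equivalent admin-audit continuation lines looks like current-year inference, which makes the expectation time-dependent unless the year is pinned in the test config.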
@@ -0,0 +1,1028 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-03T09:22:59.360Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/112" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth19" + } + }, + "currentid": { + "store_name": "All_AD_Join_Points" + }, + "log_details": "ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationIdentityStore=All_AD_Join_Points, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; }", + "message": { + "code": "22016", + "description": "Workflow: Identity sequence completed iterating the IDStores", + "id": "0000082628" + }, + "response": { + "AuthenticationResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + }, + "authentication": { + "identity_stores": "All_AD_Join_Points" + } + }, + "workflow": { + "current_id": { + "store_index": 2 + }, + "if": { + "authentication_failed": "Reject", + "process_error": "Reject", + "user_not_found": "Reject" + }, + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "workflow", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082628 1 0 2022-03-03 09:22:59.360 +00:00 0000082695 22016 DEBUG Workflow: Identity sequence completed iterating the IDStores, ConfigVersionId=1628, UserName=admin, 
SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationIdentityStore=All_AD_Join_Points, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82695, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.360 +00:00 0000082695 22016 DEBUG Workflow: Identity sequence completed iterating the IDStores, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationIdentityStore=All_AD_Join_Points, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", + "related": { + "hosts": [ + "isehost" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "admin" + ] + } + }, + { + "@timestamp": "2022-03-03T09:24:13.238Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/115" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth20" + } + }, + "currentid": { + "store_name": "Internal Users" + }, + "log_details": "ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, 
AcsSessionID=isehost/435083133/115, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth20, Response={AuthenticationResult=Passed; }", + "message": { + "code": "22037", + "description": "Workflow: Authentication Passed", + "id": "0000082651" + }, + "response": { + "AuthenticationResult": "Passed" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + }, + "authentication": { + "identity_stores": "Internal Users" + } + }, + "workflow": { + "current_id": { + "store_index": 0 + }, + "if": { + "authentication_failed": "Reject", + "process_error": "Reject", + "user_not_found": "Reject" + }, + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "workflow", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:24:13 isehost CISE_Authentication_Flow_Diagnostics 0000082651 1 0 2022-03-03 09:24:13.238 +00:00 0000082718 22037 DEBUG Workflow: Authentication Passed, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth20, Response={AuthenticationResult=Passed; },", + "sequence": 82718, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": 
{ + "name": "debug" + } + } + }, + "message": "2022-03-03 09:24:13.238 +00:00 0000082718 22037 DEBUG Workflow: Authentication Passed, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth20, Response={AuthenticationResult=Passed; },", + "related": { + "hosts": [ + "isehost" + ], + "user": [ + "test" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "test" + ] + } + }, + { + "@timestamp": "2022-03-03T09:22:51.639Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/110" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth18" + } + }, + "currentid": { + "store_name": "Internal Users" + }, + "log_details": "ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; }", + "message": { + "code": "22040", + "description": "Authentication: Wrong password or invalid shared secret", + "id": "0000082605" + }, + "response": { + "AuthenticationResult": "Failed" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + }, + "workflow": { + 
"current_id": { + "store_index": 0 + }, + "if": { + "authentication_failed": "Reject", + "process_error": "Reject", + "user_not_found": "Reject" + }, + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "authentication", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 09:22:51 isehost CISE_Authentication_Flow_Diagnostics 0000082605 1 0 2022-03-03 09:22:51.639 +00:00 0000082672 22040 INFO Authentication: Wrong password or invalid shared secret, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },", + "sequence": 82672, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 09:22:51.639 +00:00 0000082672 22040 INFO Authentication: Wrong password or invalid shared secret, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },", + "related": { + "hosts": [ + "isehost" + ], + "user": [ + "employee1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "employee1" + ] + } + }, + { + 
"@timestamp": "2022-03-03T09:22:59.360Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/112" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth19" + } + }, + "currentid": { + "store_name": "All_AD_Join_Points" + }, + "log_details": "ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; }", + "message": { + "code": "22056", + "description": "Workflow: Subject not found in the applicable identity store(s)", + "id": "0000082629" + }, + "response": { + "AuthenticationResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + }, + "workflow": { + "current_id": { + "store_index": 2 + }, + "if": { + "authentication_failed": "Reject", + "process_error": "Reject", + "user_not_found": "Reject" + }, + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "workflow", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082629 1 0 2022-03-03 09:22:59.360 +00:00 0000082696 22056 DEBUG Workflow: Subject not found in the applicable identity store(s), ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, 
WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82696, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.360 +00:00 0000082696 22056 DEBUG Workflow: Subject not found in the applicable identity store(s), ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", + "related": { + "hosts": [ + "isehost" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "admin" + ] + } + }, + { + "@timestamp": "2022-03-03T09:22:51.639Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/110" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth18" + } + }, + "currentid": { + "store_name": "Internal Users" + }, + "log_details": "ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, 
WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; }", + "message": { + "code": "22057", + "description": "Workflow: The advanced option that is configured for a failed authentication request is used", + "id": "0000082606" + }, + "response": { + "AuthenticationResult": "Failed" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + }, + "authentication": { + "identity_stores": "Internal Users" + } + }, + "workflow": { + "current_id": { + "store_index": 0 + }, + "if": { + "authentication_failed": "Reject", + "process_error": "Reject", + "user_not_found": "Reject" + }, + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "workflow", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 09:22:51 isehost CISE_Authentication_Flow_Diagnostics 0000082606 1 0 2022-03-03 09:22:51.639 +00:00 0000082673 22057 INFO Workflow: The advanced option that is configured for a failed authentication request is used, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },", + "sequence": 82673, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 09:22:51.639 +00:00 0000082673 22057 
INFO Workflow: The advanced option that is configured for a failed authentication request is used, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },", + "related": { + "hosts": [ + "isehost" + ], + "user": [ + "employee1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "employee1" + ] + } + }, + { + "@timestamp": "2022-03-03T09:22:59.361Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/112" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth19" + } + }, + "currentid": { + "store_name": "All_AD_Join_Points" + }, + "log_details": "ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; }", + "message": { + "code": "22058", + "description": "Workflow: The advanced option that is configured for an unknown user is used", + "id": "0000082630" + }, + "response": { + "AuthenticationResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + }, + 
"workflow": { + "current_id": { + "store_index": 2 + }, + "if": { + "authentication_failed": "Reject", + "process_error": "Reject", + "user_not_found": "Reject" + }, + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "workflow", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082630 1 0 2022-03-03 09:22:59.361 +00:00 0000082697 22058 INFO Workflow: The advanced option that is configured for an unknown user is used, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82697, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 09:22:59.361 +00:00 0000082697 22058 INFO Workflow: The advanced option that is configured for an unknown user is used, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", + "related": { + "hosts": [ + "isehost" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": 
[ + "admin" + ] + } + }, + { + "@timestamp": "2022-03-03T11:37:34.928Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/126" + } + }, + "authentication": { + "method": "Lookup" + }, + "calling_station": { + "id": "92:09:00:00:00:01" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "currentid": { + "store_name": "Internal Endpoints" + }, + "log_details": "ConfigVersionId=1696, DestinationIPAddress=10.0.9.204, UserName=92-09-00-00-00-01, NAS-IP-Address=10.0.14.108, Calling-Station-ID=92:09:00:00:00:01, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Endpoints, WorkflowIfUserNotFound=Continue, WorkflowIfProcessError=Drop, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; AuthenticationAction=Continue; }", + "message": { + "code": "22060", + "description": "Workflow: The 'Continue' advanced option is configured in case of a failed authentication request", + "id": "0000083415" + }, + "nas": { + "ip": "10.0.14.108" + }, + "response": { + "AuthenticationAction": "Continue", + "AuthenticationResult": "UnknownUser", + "QueryResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "workflow": { + "current_id": { + "store_index": 0 + }, + "if": { + "authentication_failed": "Reject", + "process_error": "Drop", + "user_not_found": "Continue" + }, + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "destination": { + "ip": "10.0.9.204" + }, + "ecs": 
{ + "version": "8.0.0" + }, + "event": { + "action": "workflow", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 11:37:34 isehost CISE_Authentication_Flow_Diagnostics 0000083415 1 0 2022-03-03 11:37:34.928 +00:00 0000083482 22060 INFO Workflow: The 'Continue' advanced option is configured in case of a failed authentication request, ConfigVersionId=1696, DestinationIPAddress=10.0.9.204, UserName=92-09-00-00-00-01, NAS-IP-Address=10.0.14.108, Calling-Station-ID=92:09:00:00:00:01, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Endpoints, WorkflowIfUserNotFound=Continue, WorkflowIfProcessError=Drop, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; AuthenticationAction=Continue; },", + "sequence": 83482, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 11:37:34.928 +00:00 0000083482 22060 INFO Workflow: The 'Continue' advanced option is configured in case of a failed authentication request, ConfigVersionId=1696, DestinationIPAddress=10.0.9.204, UserName=92-09-00-00-00-01, NAS-IP-Address=10.0.14.108, Calling-Station-ID=92:09:00:00:00:01, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Endpoints, WorkflowIfUserNotFound=Continue, WorkflowIfProcessError=Drop, WorkflowIfAuthenticationFailed=Reject, 
CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; AuthenticationAction=Continue; },", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "10.0.9.204", + "10.0.14.108" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "92-09-00-00-00-01" + ] + } + }, + { + "@timestamp": "2022-03-03T09:22:59.361Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/112" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth19" + } + }, + "currentid": { + "store_name": "All_AD_Join_Points" + }, + "log_details": "ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; AuthenticationAction=Reject; }", + "message": { + "code": "22061", + "description": "Workflow: The 'Reject' advanced option is configured in case of a failed authentication request", + "id": "0000082631" + }, + "response": { + "AuthenticationAction": "Reject", + "AuthenticationResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + }, + "workflow": { + "current_id": { + "store_index": 2 + }, + "if": { + "authentication_failed": "Reject", + "process_error": "Reject", + "user_not_found": "Reject" + }, + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + 
"event": { + "action": "workflow", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082631 1 0 2022-03-03 09:22:59.361 +00:00 0000082698 22061 INFO Workflow: The 'Reject' advanced option is configured in case of a failed authentication request, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; AuthenticationAction=Reject; },", + "sequence": 82698, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 09:22:59.361 +00:00 0000082698 22061 INFO Workflow: The 'Reject' advanced option is configured in case of a failed authentication request, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; AuthenticationAction=Reject; },", + "related": { + "hosts": [ + "isehost" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "admin" + ] + } + }, + { + "@timestamp": "2022-03-03T09:24:13.235Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": 
"isehost/435083133/115" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth20" + } + }, + "log_details": "ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence, CPMSessionID=isehost:userauth20", + "message": { + "code": "22072", + "description": "Authentication: Selected identity source sequence", + "id": "0000082647" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + }, + "workflow": { + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "authentication", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 09:24:13 isehost CISE_Authentication_Flow_Diagnostics 0000082647 1 0 2022-03-03 09:24:13.235 +00:00 0000082714 22072 INFO Authentication: Selected identity source sequence, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence, CPMSessionID=isehost:userauth20,", + "sequence": 82714, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 09:24:13.235 +00:00 0000082714 22072 INFO Authentication: Selected identity source sequence, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence, CPMSessionID=isehost:userauth20,", + "related": { + 
"hosts": [ + "isehost" + ], + "user": [ + "test" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "test" + ] + } + }, + { + "@timestamp": "2022-03-28T11:23:25.000Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/437837646/2" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Authentication_Flow_Diagnostics" + }, + "log_details": "SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence", + "message": { + "id": "0000000130" + }, + "segment": { + "number": 1, + "total": 3 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + }, + "workflow": { + "sequence": { + "type": "AuthenticationSequence" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c182\u003eMar 28 11:23:25 isehost CISE_Authentication_Flow_Diagnostics 0000000130 3 1 SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log new file mode 100644 index 00000000000..56eefeaa53f --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log 
@@ -0,0 +1,7 @@
+<181>Mar 2 09:09:13 cisco-ise-host CISE_Failed_Attempts 0000075134 1 0 2022-03-02 09:09:13.790 +00:00 0000075201 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=1364, Device IP Address=81.2.69.193, Device Port=42946, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/47, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=11036, Step=5405, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,
+<181>Mar 2 10:36:16 cisco-ise-host CISE_Failed_Attempts 0000075876 1 0 2022-03-02 10:36:16.136 +00:00 0000075943 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=1381, RadiusPacketType=Drop, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testnac1, AcsSessionID=cisco-ise-host/435083133/80, SelectedAccessService=Default Network Access, RequestLatency=13, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5411, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message="protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testnac1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccO4H8LguCt/kv_SLnrKRbOFQs9/f7Zi_nxHt1lhFP1qc, EndPointMACAddress=00-00-00-00-00-01, ISEPolicySetName=Default, StepLatency=25=120001, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,
+<181>Mar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076158 1 0 2022-03-02 11:10:16.634 +00:00 0000076224 5418 NOTICE Guest: Guest Authentication Failed, ConfigVersionId=1397, FailureReason=22056 Subject not found in the applicable identity store(s), UserType=NON_GUEST, UserName=INVALID, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=18, Step=5418,
+<181>Mar 2 09:56:00 cisco-ise-host CISE_Failed_Attempts 0000075523 1 0 2022-03-02 09:56:00.597 +00:00 0000075590 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=1373, Device IP Address=81.2.69.193, Device Port=47053, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/64, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5435, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, TotalFailedAttempts=11, TotalFailedTime=2806, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,
+<181>Mar 2 09:04:59 cisco-ise-host CISE_Failed_Attempts 0000000581 1 0 2022-03-02 09:04:59.136 +00:00 0000075131 5440 NOTICE RADIUS: Endpoint abandoned EAP session and started new, ConfigVersionId=1364, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testDevice1, AcsSessionID=cisco-ise-host/435083133/41, SelectedAccessService=Default Network Access, RequestLatency=16, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5440, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message="protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]", OpenSSLErrorStack= 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o, EndPointMACAddress=00-23-DF-00-00-01, ISEPolicySetName=Default, StepLatency=25=9051, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; },
+<182>Apr 27 11:11:09 gg.hhh.iii.com CISE_Failed_Attempts 0000000169 1 0 2020-04-27 11:11:09.260369 +00:00 0000003928 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=93, Device IP Address=81.2.69.193, Device Port=16345, DestinationIPAddress=81.2.69.193, DestinationPort=1645, RadiusPacketType=AccessRequest, Protocol=Radius, RequestLatency=1, NetworkDeviceName=sw, User-Name=fernandGiancarl, NAS-IP-Address=81.2.69.193, NAS-Port=50115, Service-Type=Framed, Framed-IP-Address=81.2.69.193, Framed-MTU=1500, State=37CPMSessionID=0a222bc0000000d123e111f7\;28SessionID=abc12/178657019/44\;, Called-Station-ID=50-3D-E5-C4-05-8F, Calling-Station-ID=F0-DE-F1-94-65-9C, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/15, EAP-Key-Name=, acme-av-pair=service-type=Framed, acme-av-pair=audit-session-id=0a222bc0000000d123e111f7, UserName=fernandGiancarl, AcsSessionID=abc12/178657019/44, AuthenticationIdentityStore=, AuthenticationIdentityStore=AD1, AuthenticationMethod=x509_PKI, SelectedAccessService=EapChainining, UseCase=Eap Chaining, FailureReason=24492 Machine authentication against Active Directory has failed, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15004, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12149, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24432, Step=24412, Step=22056, Step=22058, Step=22061, Step=12529, Step=11520, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12219, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24433, Step=24492, Step=22059, Step=22062, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12109, Step=11504, Step=11003, SelectedAuthenticationIdentityStores=SCRAVEN, NetworkDeviceGroups=Location#All Locations#Wired_Lab, NetworkDeviceGroups=Device Type#All Device Types, ADDomain=lab4.com, EapTunnel=EAP-FAST, EapAuthentication=EAP-TLS, CPMSessionID=0a222bc0000000d123e111f7, EndPointMACAddress=XX:XX:45:XX:XX:XX, EapChainingResult=User and machine both failed, GroupsOrAttributesProcessFailure=true, ISEPolicySetName=Default, AllowedProtocolMatchedRule=Dot1X, IdentitySelectionMatchedRule=Default, Location=Location#All Locations#Wired_Lab, Device Type=Device Type#All Device Types, Response={RadiusPacketType=AccessReject; }
+<181>Mar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076157 2 1 ConfigVersionId=1567, FailureReason=20977 Subject not found in the applicable identity store(s), UserType=NON_TEST, UserName=TEST_USER, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=19, Step=5418,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json
new file mode 100644
index 00000000000..34cf58927a0
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json
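Review bot: The sixth sample (the `<182>Apr 27` line, message code 5400) looks like an incompletely anonymised production event: the host (`gg.hhh.iii.com`), the vendor attribute name (`acme-av-pair`) and `EndPointMACAddress=XX:XX:45:XX:XX:XX` are masked, yet `User-Name=fernandGiancarl`, `Called-Station-ID=50-3D-E5-C4-05-8F`, `Calling-Station-ID=F0-DE-F1-94-65-9C`, `ADDomain=lab4.com` and `SelectedAuthenticationIdentityStores=SCRAVEN` are left as-is, unlike the clearly synthetic `testDevice1` / `00-00-00-00-00-01` values on the other six lines. Since this fixture ships publicly with the package, those identifiers should be replaced with obviously synthetic ones (constructed examples: `testuser2`, `00-00-00-00-00-02`) and the expected JSON regenerated to match. That same line is also the only one without the trailing `, ` delimiter, the only one with an empty duplicate key (`AuthenticationIdentityStore=` before `AuthenticationIdentityStore=AD1`) and with escaped separators in `State=...\;`, which is useful parser coverage worth keeping on purpose once sanitised. The last line (`0000076157 2 1`) is a continuation segment whose segment 0 is not in the file; the expected output should be checked to confirm an orphaned segment is still emitted as an event rather than dropped silently.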
@@ -0,0 +1,1235 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-02T09:09:13.790Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/47" + } + }, + "calling_station": { + "id": "00-23-DF-00-00-01" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 1364 + }, + "device": { + "type": "Device Type#All Device Types" + }, + "dtls_support": "Unknown", + "failure": { + "reason": "11036 The Message-Authenticator RADIUS attribute is invalid" + }, + "ipsec": "IPSEC#Is IPSEC Device#No", + "location": "Location#All Locations", + "log_details": "ConfigVersionId=1364, Device IP Address=81.2.69.193, Device Port=42946, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/47, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=11036, Step=5405, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No", + "message": { + "code": "5405", + "description": "Failed-Attempt: RADIUS Request dropped", + "id": "0000075134" + }, + "model": { + "name": "Unknown" + }, + "nas": { + "ip": "81.2.69.193", + "port": { + "id": "G0/25", + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "groups": [ + "IPSEC#Is IPSEC Device#No", + "Location#All Locations", + "Device Type#All Device Types" + ], + "name": 
"testDevice", + "profile": "Cisco", + "profile_id": "b0699505-3150-4215-a80e-6753d45bf56c", + "profile_name": "Cisco" + } + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "session": { + "timeout": 30 + }, + "step": [ + "11001", + "11017", + "11036", + "5405" + ] + } + }, + "client": { + "ip": "81.2.69.193", + "port": 42946 + }, + "destination": { + "ip": "81.2.69.145", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 2 09:09:13 cisco-ise-host CISE_Failed_Attempts 0000075134 1 0 2022-03-02 09:09:13.790 +00:00 0000075201 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=1364, Device IP Address=81.2.69.193, Device Port=42946, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/47, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=11036, Step=5405, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "sequence": 75201, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-02 09:09:13.790 
+00:00 0000075201 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=1364, Device IP Address=81.2.69.193, Device Port=42946, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/47, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=11036, Step=5405, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.193", + "81.2.69.145" + ], + "user": [ + "testDevice1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "testDevice1" + ] + } + }, + { + "@timestamp": "2022-03-02T10:36:16.136Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/80" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 1381 + }, + "cpm": { + "session": { + "id": "0a0009ccO4H8LguCt/kv_SLnrKRbOFQs9/f7Zi_nxHt1lhFP1qc" + } + }, + "device": { + "type": "Device Type#All Device Types" + }, + "dtls_support": "Unknown", + "eap": { + "tunnel": "PEAP" + }, + "endpoint": { + "mac": { + "address": "00-00-00-00-00-01" + } + }, + "failure": { + "reason": "12309 PEAP handshake failed" + }, + "ipsec": "IPSEC#Is IPSEC Device#No", + "ise": { 
+ "policy": { + "set_name": "Default" + } + }, + "location": "Location#All Locations", + "log_details": "ConfigVersionId=1381, RadiusPacketType=Drop, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testnac1, AcsSessionID=cisco-ise-host/435083133/80, SelectedAccessService=Default Network Access, RequestLatency=13, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5411, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testnac1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccO4H8LguCt/kv_SLnrKRbOFQs9/f7Zi_nxHt1lhFP1qc, EndPointMACAddress=00-00-00-00-00-01, ISEPolicySetName=Default, StepLatency=25=120001, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No", + "message": { + "code": "5411", + "description": "Failed-Attempt: Supplicant stopped responding to ISE", + "id": "0000075876" + }, + "model": { + "name": "Unknown" + }, + "nas": { + "ip": 
"81.2.69.193", + "port": { + "id": "G0/25", + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "groups": [ + "IPSEC#Is IPSEC Device#No", + "Location#All Locations", + "Device Type#All Device Types" + ], + "name": "testDevice", + "profile": "Cisco" + } + }, + "openssl": { + "error": { + "message": "SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\"", + "stack": " 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:" + } + }, + "radius_packet": { + "type": "Drop" + }, + "request": { + "latency": 13 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "step": [ + "11001", + "11017", + "11117", + "15049", + "15008", + "11507", + "12500", + "11006", + "11001", + "11018", + "12301", + "12300", + "11006", + "11001", + "11018", + "12302", + "12318", + "12800", + "12805", + "12814", + "12817", + "12309", + "12307", + "12305", + "11006", + "5411" + ], + "step_latency": "25=120001" + } + }, + "client": { + "ip": "81.2.69.193" + }, + "destination": { + "ip": "81.2.69.145" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 2 10:36:16 cisco-ise-host CISE_Failed_Attempts 0000075876 1 0 2022-03-02 10:36:16.136 +00:00 0000075943 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=1381, RadiusPacketType=Drop, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testnac1, AcsSessionID=cisco-ise-host/435083133/80, SelectedAccessService=Default Network Access, RequestLatency=13, FailureReason=12309 PEAP handshake failed, 
Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5411, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testnac1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccO4H8LguCt/kv_SLnrKRbOFQs9/f7Zi_nxHt1lhFP1qc, EndPointMACAddress=00-00-00-00-00-01, ISEPolicySetName=Default, StepLatency=25=120001, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "sequence": 75943, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-02 10:36:16.136 +00:00 0000075943 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=1381, RadiusPacketType=Drop, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testnac1, AcsSessionID=cisco-ise-host/435083133/80, SelectedAccessService=Default 
Network Access, RequestLatency=13, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5411, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testnac1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccO4H8LguCt/kv_SLnrKRbOFQs9/f7Zi_nxHt1lhFP1qc, EndPointMACAddress=00-00-00-00-00-01, ISEPolicySetName=Default, StepLatency=25=120001, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.193", + "81.2.69.145" + ], + "user": [ + "testnac1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "testnac1" + ] + } + }, + { + "@timestamp": "2022-03-02T11:10:16.634Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 1397 + }, + "failure": { + "reason": "22056 Subject not found in the applicable identity store(s)" + }, 
+ "log_details": "ConfigVersionId=1397, FailureReason=22056 Subject not found in the applicable identity store(s), UserType=NON_GUEST, UserName=INVALID, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=18, Step=5418", + "message": { + "code": "5418", + "description": "Guest: Guest Authentication Failed", + "id": "0000076158" + }, + "portal": { + "name": "test-portal" + }, + "response": { + "time": 18 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": "5418", + "user": { + "type": "NON_GUEST" + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "guest", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076158 1 0 2022-03-02 11:10:16.634 +00:00 0000076224 5418 NOTICE Guest: Guest Authentication Failed, ConfigVersionId=1397, FailureReason=22056 Subject not found in the applicable identity store(s), UserType=NON_GUEST, UserName=INVALID, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=18, Step=5418,", + "sequence": 76224, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-02 11:10:16.634 +00:00 0000076224 5418 NOTICE Guest: Guest Authentication Failed, ConfigVersionId=1397, FailureReason=22056 Subject not found in the applicable identity store(s), UserType=NON_GUEST, UserName=INVALID, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=18, Step=5418,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "89.160.20.112" + ], + "user": [ + "INVALID" + ] + }, + "source": { + "ip": "89.160.20.112" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "INVALID" + ] + } + }, + { + "@timestamp": "2022-03-02T09:56:00.597Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": 
"cisco-ise-host/435083133/64" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 1373 + }, + "device": { + "type": "Device Type#All Device Types" + }, + "dtls_support": "Unknown", + "failure": { + "reason": "11007 Could not locate Network Device or AAA Client" + }, + "ipsec": "IPSEC#Is IPSEC Device#No", + "location": "Location#All Locations", + "log_details": "ConfigVersionId=1373, Device IP Address=81.2.69.193, Device Port=47053, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/64, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5435, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, TotalFailedAttempts=11, TotalFailedTime=2806, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No", + "message": { + "code": "5435", + "description": "RADIUS: NAS conducted several failed authentications of the same scenario", + "id": "0000075523" + }, + "model": { + "name": "Unknown" + }, + "nas": { + "ip": "81.2.69.193", + "port": { + "id": "G0/25", + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "groups": [ + "IPSEC#Is IPSEC Device#No", + "Location#All Locations", + "Device Type#All Device Types" + ], + "name": "testDevice", + "profile": "Cisco", + "profile_id": 
"b0699505-3150-4215-a80e-6753d45bf56c", + "profile_name": "Cisco" + } + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "session": { + "timeout": 30 + }, + "step": [ + "11001", + "11017", + "11007", + "5435" + ], + "total": { + "failed_attempts": 11, + "failed_time": 2806 + } + } + }, + "client": { + "ip": "81.2.69.193", + "port": 47053 + }, + "destination": { + "ip": "81.2.69.145", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 2 09:56:00 cisco-ise-host CISE_Failed_Attempts 0000075523 1 0 2022-03-02 09:56:00.597 +00:00 0000075590 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=1373, Device IP Address=81.2.69.193, Device Port=47053, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/64, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5435, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, TotalFailedAttempts=11, TotalFailedTime=2806, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "sequence": 75590, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + 
"severity": { + "name": "notice" + } + } + }, + "message": "2022-03-02 09:56:00.597 +00:00 0000075590 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=1373, Device IP Address=81.2.69.193, Device Port=47053, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/64, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5435, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, TotalFailedAttempts=11, TotalFailedTime=2806, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.193", + "81.2.69.145" + ], + "user": [ + "testDevice1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "testDevice1" + ] + } + }, + { + "@timestamp": "2022-03-02T09:04:59.136Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/41" + } + }, + "calling_station": { + "id": "00-23-DF-00-00-01" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 1364 + }, + "cpm": { + "session": { + "id": "0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o" + } + }, + "device": { + "type": "Device Type#All Device Types" + }, + "dtls_support": "Unknown", + "eap": { + "tunnel": "PEAP" + }, + "endpoint": { + 
"mac": { + "address": "00-23-DF-00-00-01" + } + }, + "failure": { + "reason": "12309 PEAP handshake failed" + }, + "ipsec": "IPSEC#Is IPSEC Device#No", + "ise": { + "policy": { + "set_name": "Default" + } + }, + "location": "Location#All Locations", + "log_details": "ConfigVersionId=1364, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testDevice1, AcsSessionID=cisco-ise-host/435083133/41, SelectedAccessService=Default Network Access, RequestLatency=16, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5440, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o, EndPointMACAddress=00-23-DF-00-00-01, ISEPolicySetName=Default, StepLatency=25=9051, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; }", + 
"message": { + "code": "5440", + "description": "RADIUS: Endpoint abandoned EAP session and started new", + "id": "0000000581" + }, + "model": { + "name": "Unknown" + }, + "nas": { + "ip": "81.2.69.193", + "port": { + "id": "G0/25", + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "groups": [ + "IPSEC#Is IPSEC Device#No", + "Location#All Locations", + "Device Type#All Device Types" + ], + "name": "testDevice", + "profile": "Cisco" + } + }, + "openssl": { + "error": { + "message": "SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\"", + "stack": " 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:" + } + }, + "request": { + "latency": 16 + }, + "response": { + "RadiusPacketType": "Drop" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "step": [ + "11001", + "11017", + "11117", + "15049", + "15008", + "11507", + "12500", + "11006", + "11001", + "11018", + "12301", + "12300", + "11006", + "11001", + "11018", + "12302", + "12318", + "12800", + "12805", + "12814", + "12817", + "12309", + "12307", + "12305", + "11006", + "5440" + ], + "step_latency": "25=9051" + } + }, + "client": { + "ip": "81.2.69.193" + }, + "destination": { + "ip": "81.2.69.145" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "original": "\u003c181\u003eMar 2 09:04:59 cisco-ise-host CISE_Failed_Attempts 0000000581 1 0 2022-03-02 09:04:59.136 +00:00 0000075131 5440 NOTICE RADIUS: Endpoint abandoned EAP session and started new, ConfigVersionId=1364, Device IP Address=81.2.69.193, 
DestinationIPAddress=81.2.69.145, UserName=testDevice1, AcsSessionID=cisco-ise-host/435083133/41, SelectedAccessService=Default Network Access, RequestLatency=16, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5440, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o, EndPointMACAddress=00-23-DF-00-00-01, ISEPolicySetName=Default, StepLatency=25=9051, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; },", + "sequence": 75131, + "timezone": "+00:00", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-02 09:04:59.136 +00:00 0000075131 5440 NOTICE RADIUS: 
Endpoint abandoned EAP session and started new, ConfigVersionId=1364, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testDevice1, AcsSessionID=cisco-ise-host/435083133/41, SelectedAccessService=Default Network Access, RequestLatency=16, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5440, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o, EndPointMACAddress=00-23-DF-00-00-01, ISEPolicySetName=Default, StepLatency=25=9051, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.193", + "81.2.69.145" + ], + "user": [ + "testDevice1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "testDevice1" + ] + 
} + }, + { + "@timestamp": "2020-04-27T11:11:09.260Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "abc12/178657019/44" + } + }, + "ad": { + "domain": { + "name": "lab4.com" + } + }, + "allowed_protocol": { + "matched": { + "rule": "Dot1X" + } + }, + "authentication": { + "identity_store": [ + "AD1" + ], + "method": "x509_PKI" + }, + "called_station": { + "id": "50-3D-E5-C4-05-8F" + }, + "calling_station": { + "id": "F0-DE-F1-94-65-9C" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 93 + }, + "cpm": { + "session": { + "id": "0a222bc0000000d123e111f7" + } + }, + "device": { + "type": "Device Type#All Device Types" + }, + "eap": { + "authentication": "EAP-TLS", + "chaining_result": "User and machine both failed", + "tunnel": "EAP-FAST" + }, + "endpoint": { + "mac": { + "address": "XX-XX-45-XX-XX-XX" + } + }, + "failure": { + "reason": "24492 Machine authentication against Active Directory has failed" + }, + "framed": { + "ip": "81.2.69.193", + "mtu": 1500 + }, + "groups": { + "process_failure": true + }, + "identity": { + "selection": { + "matched": { + "rule": "Default" + } + } + }, + "ise": { + "policy": { + "set_name": "Default" + } + }, + "location": "Location#All Locations#Wired_Lab", + "log_details": "ConfigVersionId=93, Device IP Address=81.2.69.193, Device Port=16345, DestinationIPAddress=81.2.69.193, DestinationPort=1645, RadiusPacketType=AccessRequest, Protocol=Radius, RequestLatency=1, NetworkDeviceName=sw, User-Name=fernandGiancarl, NAS-IP-Address=81.2.69.193, NAS-Port=50115, Service-Type=Framed, Framed-IP-Address=81.2.69.193, Framed-MTU=1500, State=37CPMSessionID=0a222bc0000000d123e111f7\\;28SessionID=abc12/178657019/44\\;, Called-Station-ID=50-3D-E5-C4-05-8F, Calling-Station-ID=F0-DE-F1-94-65-9C, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/15, EAP-Key-Name=, acme-av-pair=service-type=Framed, acme-av-pair=audit-session-id=0a222bc0000000d123e111f7, UserName=fernandGiancarl, 
AcsSessionID=abc12/178657019/44, AuthenticationIdentityStore=, AuthenticationIdentityStore=AD1, AuthenticationMethod=x509_PKI, SelectedAccessService=EapChainining, UseCase=Eap Chaining, FailureReason=24492 Machine authentication against Active Directory has failed, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15004, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12149, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24432, Step=24412, Step=22056, Step=22058, Step=22061, Step=12529, Step=11520, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, 
Step=11018, Step=12104, Step=12219, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24433, Step=24492, Step=22059, Step=22062, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12109, Step=11504, Step=11003, SelectedAuthenticationIdentityStores=SCRAVEN, NetworkDeviceGroups=Location#All Locations#Wired_Lab, NetworkDeviceGroups=Device Type#All Device Types, ADDomain=lab4.com, EapTunnel=EAP-FAST, EapAuthentication=EAP-TLS, CPMSessionID=0a222bc0000000d123e111f7, EndPointMACAddress=XX:XX:45:XX:XX:XX, EapChainingResult=User and machine both failed, GroupsOrAttributesProcessFailure=true, ISEPolicySetName=Default, AllowedProtocolMatchedRule=Dot1X, IdentitySelectionMatchedRule=Default, Location=Location#All Locations#Wired_Lab, Device Type=Device Type#All Device Types", + "message": { + "code": "5400", + "description": "Failed-Attempt: Authentication failed", + "id": "0000000169" + }, + "nas": { + "ip": "81.2.69.193", + "port": { + "id": "GigabitEthernet1/0/15", + "number": 50115, + "type": "Ethernet" + } + }, + "network": { + "device": { + 
"groups": [ + "Location#All Locations#Wired_Lab", + "Device Type#All Device Types" + ], + "name": "sw" + } + }, + "radius_packet": { + "type": "AccessRequest" + }, + "request": { + "latency": 1 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "EapChainining" + }, + "authentication": { + "identity_stores": "SCRAVEN" + } + }, + "service": { + "type": "Framed" + }, + "state": "37CPMSessionID=0a222bc0000000d123e111f7\\;28SessionID=abc12/178657019/44\\;", + "step": [ + "11001", + "11017", + "15049", + "15008", + "15048", + "15048", + "15004", + "11507", + "12500", + "12625", + "11006", + "11001", + "11018", + "12101", + "12100", + "12625", + "11006", + "11001", + "11018", + "12102", + "12800", + "12805", + "12806", + "12807", + "12810", + "12105", + "11006", + "11001", + "11018", + "12104", + "12105", + "11006", + "11001", + "11018", + "12104", + "12105", + "11006", + "11001", + "11018", + "12104", + "12812", + "12804", + "12801", + "12802", + "12816", + "12149", + "12105", + "11006", + "11001", + "11018", + "12104", + "12209", + "12218", + "12125", + "11521", + "12105", + "11006", + "11001", + "11018", + "12104", + "12212", + "11522", + "11806", + "12105", + "11006", + "11001", + "11018", + "12104", + "12523", + "12522", + "12625", + "12105", + "11006", + "11001", + "11018", + "12104", + "12524", + "12800", + "12805", + "12806", + "12807", + "12809", + "12527", + "12105", + "11006", + "11001", + "11018", + "12104", + "12526", + "12527", + "12105", + "11006", + "11001", + "11018", + "12104", + "12526", + "12527", + "12105", + "11006", + "11001", + "11018", + "12104", + "12105", + "11006", + "11001", + "11018", + "12104", + "12105", + "11006", + "11001", + "11018", + "12104", + "12526", + "12571", + "12571", + "12811", + "12812", + "12813", + "12804", + "12801", + "12802", + "12816", + "12509", + "12527", + "12105", + "11006", + "11001", + "11018", + "12104", + "12526", + "15041", + "15006", + "24432", + "24412", + "22056", 
+ "22058", + "22061", + "12529", + "11520", + "12117", + "22028", + "12105", + "11006", + "11001", + "11018", + "12104", + "12219", + "12125", + "11521", + "12105", + "11006", + "11001", + "11018", + "12104", + "12212", + "11522", + "11806", + "12105", + "11006", + "11001", + "11018", + "12104", + "12523", + "12522", + "12625", + "12105", + "11006", + "11001", + "11018", + "12104", + "12524", + "12800", + "12805", + "12806", + "12807", + "12809", + "12527", + "12105", + "11006", + "11001", + "11018", + "12104", + "12526", + "12527", + "12105", + "11006", + "11001", + "11018", + "12104", + "12526", + "12527", + "12105", + "11006", + "11001", + "11018", + "12104", + "12105", + "11006", + "11001", + "11018", + "12104", + "12105", + "11006", + "11001", + "11018", + "12104", + "12526", + "12571", + "12571", + "12811", + "12812", + "12813", + "12804", + "12801", + "12802", + "12816", + "12509", + "12527", + "12105", + "11006", + "11001", + "11018", + "12104", + "12526", + "15041", + "15006", + "24433", + "24492", + "22059", + "22062", + "12117", + "22028", + "12105", + "11006", + "11001", + "11018", + "12104", + "12109", + "11504", + "11003" + ], + "usecase": "Eap Chaining" + } + }, + "client": { + "ip": "81.2.69.193", + "port": 16345 + }, + "destination": { + "ip": "81.2.69.193", + "port": 1645 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eApr 27 11:11:09 gg.hhh.iii.com CISE_Failed_Attempts 0000000169 1 0 2020-04-27 11:11:09.260369 +00:00 0000003928 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=93, Device IP Address=81.2.69.193, Device Port=16345, DestinationIPAddress=81.2.69.193, DestinationPort=1645, RadiusPacketType=AccessRequest, Protocol=Radius, RequestLatency=1, NetworkDeviceName=sw, User-Name=fernandGiancarl, NAS-IP-Address=81.2.69.193, NAS-Port=50115, Service-Type=Framed, Framed-IP-Address=81.2.69.193, 
Framed-MTU=1500, State=37CPMSessionID=0a222bc0000000d123e111f7\\;28SessionID=abc12/178657019/44\\;, Called-Station-ID=50-3D-E5-C4-05-8F, Calling-Station-ID=F0-DE-F1-94-65-9C, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/15, EAP-Key-Name=, acme-av-pair=service-type=Framed, acme-av-pair=audit-session-id=0a222bc0000000d123e111f7, UserName=fernandGiancarl, AcsSessionID=abc12/178657019/44, AuthenticationIdentityStore=, AuthenticationIdentityStore=AD1, AuthenticationMethod=x509_PKI, SelectedAccessService=EapChainining, UseCase=Eap Chaining, FailureReason=24492 Machine authentication against Active Directory has failed, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15004, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12149, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, 
Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24432, Step=24412, Step=22056, Step=22058, Step=22061, Step=12529, Step=11520, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12219, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24433, Step=24492, Step=22059, Step=22062, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12109, Step=11504, Step=11003, SelectedAuthenticationIdentityStores=SCRAVEN, NetworkDeviceGroups=Location#All Locations#Wired_Lab, NetworkDeviceGroups=Device Type#All Device Types, ADDomain=lab4.com, EapTunnel=EAP-FAST, EapAuthentication=EAP-TLS, CPMSessionID=0a222bc0000000d123e111f7, EndPointMACAddress=XX:XX:45:XX:XX:XX, EapChainingResult=User and machine both failed, GroupsOrAttributesProcessFailure=true, ISEPolicySetName=Default, AllowedProtocolMatchedRule=Dot1X, IdentitySelectionMatchedRule=Default, 
Location=Location#All Locations#Wired_Lab, Device Type=Device Type#All Device Types, Response={RadiusPacketType=AccessReject; }", + "sequence": 3928, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "gg.hhh.iii.com" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-04-27 11:11:09.260369 +00:00 0000003928 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=93, Device IP Address=81.2.69.193, Device Port=16345, DestinationIPAddress=81.2.69.193, DestinationPort=1645, RadiusPacketType=AccessRequest, Protocol=Radius, RequestLatency=1, NetworkDeviceName=sw, User-Name=fernandGiancarl, NAS-IP-Address=81.2.69.193, NAS-Port=50115, Service-Type=Framed, Framed-IP-Address=81.2.69.193, Framed-MTU=1500, State=37CPMSessionID=0a222bc0000000d123e111f7\\;28SessionID=abc12/178657019/44\\;, Called-Station-ID=50-3D-E5-C4-05-8F, Calling-Station-ID=F0-DE-F1-94-65-9C, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/15, EAP-Key-Name=, acme-av-pair=service-type=Framed, acme-av-pair=audit-session-id=0a222bc0000000d123e111f7, UserName=fernandGiancarl, AcsSessionID=abc12/178657019/44, AuthenticationIdentityStore=, AuthenticationIdentityStore=AD1, AuthenticationMethod=x509_PKI, SelectedAccessService=EapChainining, UseCase=Eap Chaining, FailureReason=24492 Machine authentication against Active Directory has failed, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15004, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12149, 
Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24432, Step=24412, Step=22056, Step=22058, Step=22061, Step=12529, Step=11520, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12219, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, 
Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24433, Step=24492, Step=22059, Step=22062, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12109, Step=11504, Step=11003, SelectedAuthenticationIdentityStores=SCRAVEN, NetworkDeviceGroups=Location#All Locations#Wired_Lab, NetworkDeviceGroups=Device Type#All Device Types, ADDomain=lab4.com, EapTunnel=EAP-FAST, EapAuthentication=EAP-TLS, CPMSessionID=0a222bc0000000d123e111f7, EndPointMACAddress=XX:XX:45:XX:XX:XX, EapChainingResult=User and machine both failed, GroupsOrAttributesProcessFailure=true, ISEPolicySetName=Default, AllowedProtocolMatchedRule=Dot1X, IdentitySelectionMatchedRule=Default, Location=Location#All Locations#Wired_Lab, Device Type=Device Type#All Device Types, Response={RadiusPacketType=AccessReject; }", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "gg.hhh.iii.com" + ], + "ip": [ + "81.2.69.193" + ], + "user": [ + "fernandGiancarl" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "fernandGiancarl" + ] + } + }, + { + "@timestamp": "2022-03-02T11:10:16.000Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 1567 + }, + "failure": { + "reason": "20977 Subject not found in the applicable identity store(s)" + }, + "log_details": "ConfigVersionId=1567, FailureReason=20977 Subject not found in the applicable identity store(s), UserType=NON_TEST, UserName=TEST_USER, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=19, Step=5418", + "message": { + "id": "0000076157" + }, + "portal": { + "name": "test-portal" + }, + "response": { + "time": 19 + }, + "segment": { + "number": 1, + "total": 2 + }, + "step": "5418", + "user": { + "type": "NON_TEST" + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": 
"event", + "original": "\u003c181\u003eMar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076157 2 1 ConfigVersionId=1567, FailureReason=20977 Subject not found in the applicable identity store(s), UserType=NON_TEST, UserName=TEST_USER, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=19, Step=5418," + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 181 + } + }, + "message": "ConfigVersionId=1567, FailureReason=20977 Subject not found in the applicable identity store(s), UserType=NON_TEST, UserName=TEST_USER, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=19, Step=5418,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "89.160.20.112" + ], + "user": [ + "TEST_USER" + ] + }, + "source": { + "ip": "89.160.20.112" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "TEST_USER" + ] + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log new file mode 100644 index 00000000000..6e62c021fb8 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log 
@@ -0,0 +1,5 @@
+<182>Mar 3 11:20:37 cisco-ise-host CISE_Guest 0000083315 1 0 2022-03-03 11:20:37.938 +00:00 0000083382 86005 INFO Guest: Guest user has accepted the Use Policy, ConfigVersionId=1694, UserType=NON_GUEST, UserName=test123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, GuestUserName=test123, ResponseTime=31,
+<182>Mar 3 12:01:09 cisco-ise-host CISE_Guest 0000083571 1 0 2022-03-03 12:01:09.743 +00:00 0000083638 86022 INFO Guest: Device Registration Web Authentication AUP Accepted, ConfigVersionId=1698, UserType=NON_GUEST, UserName=test1123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, ResponseTime=15,
+<182>Mar 28 11:46:05 cisco-ise-host CISE_Guest 0000000230 2 1 AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.local, ResponseTime=41,
+<182>Mar 28 15:59:33 cisco-ise-host CISE_Guest 0000000384 2 1 PortalName=Hotspot Guest Portal (default),
+<182>Mar 28 16:00:31 cisco-ise-host CISE_Guest 0000000386 2 1 PortalName=Hotspot Guest Portal (default), FailureReason=86023 Device Registration Web Authentication AUP Declined,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json
new file mode 100644
index 00000000000..18bfbba6cef
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json
@@ -0,0 +1,352 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-03T11:20:37.938Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_Guest" + }, + "config_version": { + "id": 1694 + }, + "guest": { + "user": { + "name": "test123" + } + }, + "identity": { + "group": "Any" + }, + "message": { + "code": "86005", + "description": "Guest: Guest user has accepted the Use Policy", + "id": "0000083315" + }, + "portal": { + "name": "Self-Registered Guest Portal (default)" + }, + "psn": { + "hostname": "ise.host.local" + }, + "response": { + "time": 31 + }, + "segment": { + "number": 0, + "total": 1 + }, + "user": { + "type": "NON_GUEST" + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "guest", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 11:20:37 cisco-ise-host CISE_Guest 0000083315 1 0 2022-03-03 11:20:37.938 +00:00 0000083382 86005 INFO Guest: Guest user has accepted the Use Policy, ConfigVersionId=1694, UserType=NON_GUEST, UserName=test123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, GuestUserName=test123, ResponseTime=31,", + "sequence": 83382, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 11:20:37.938 +00:00 0000083382 86005 INFO Guest: Guest user has accepted the Use Policy, ConfigVersionId=1694, UserType=NON_GUEST, UserName=test123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, GuestUserName=test123, ResponseTime=31,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + 
"89.160.20.112" + ], + "user": [ + "test123" + ] + }, + "source": { + "ip": "89.160.20.112" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "test123" + } + }, + { + "@timestamp": "2022-03-03T12:01:09.743Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_Guest" + }, + "config_version": { + "id": 1698 + }, + "identity": { + "group": "Any" + }, + "message": { + "code": "86022", + "description": "Guest: Device Registration Web Authentication AUP Accepted", + "id": "0000083571" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "ise.host.local" + }, + "response": { + "time": 15 + }, + "segment": { + "number": 0, + "total": 1 + }, + "user": { + "type": "NON_GUEST" + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "guest", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 12:01:09 cisco-ise-host CISE_Guest 0000083571 1 0 2022-03-03 12:01:09.743 +00:00 0000083638 86022 INFO Guest: Device Registration Web Authentication AUP Accepted, ConfigVersionId=1698, UserType=NON_GUEST, UserName=test1123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, ResponseTime=15,", + "sequence": 83638, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 12:01:09.743 +00:00 0000083638 86022 INFO Guest: Device Registration Web Authentication AUP Accepted, ConfigVersionId=1698, UserType=NON_GUEST, UserName=test1123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, ResponseTime=15,", + "related": { + 
"hosts": [ + "cisco-ise-host" + ], + "ip": [ + "89.160.20.112" + ], + "user": [ + "test1123" + ] + }, + "source": { + "ip": "89.160.20.112" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "test1123" + } + }, + { + "@timestamp": "2022-03-28T11:46:05.000Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_Guest" + }, + "identity": { + "group": "Any" + }, + "message": { + "id": "0000000230" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "cisco-ise-host.local" + }, + "response": { + "time": 41 + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 28 11:46:05 cisco-ise-host CISE_Guest 0000000230 2 1 AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.local, ResponseTime=41,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.local, ResponseTime=41,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-28T15:59:33.000Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Guest" + }, + "message": { + "id": "0000000384" + }, + "portal": { + "name": "Hotspot Guest Portal (default)" + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 28 15:59:33 cisco-ise-host CISE_Guest 0000000384 2 1 PortalName=Hotspot Guest Portal (default),", + "type": [ + "info" + ] + 
}, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "PortalName=Hotspot Guest Portal (default),", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-28T16:00:31.000Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Guest" + }, + "failure": { + "reason": "86023 Device Registration Web Authentication AUP Declined" + }, + "message": { + "id": "0000000386" + }, + "portal": { + "name": "Hotspot Guest Portal (default)" + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 28 16:00:31 cisco-ise-host CISE_Guest 0000000386 2 1 PortalName=Hotspot Guest Portal (default), FailureReason=86023 Device Registration Web Authentication AUP Declined,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "PortalName=Hotspot Guest Portal (default), FailureReason=86023 Device Registration Web Authentication AUP Declined,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log new file mode 100644 index 00000000000..b52ed05fcac --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log 
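Review bot: `user.name` is pinned here as a plain string (`"user": { "name": "test123" }`) while the failed-attempts expectations in this same commit pin it as an array (`"name": [ "fernandGiancarl" ]`, `"name": [ "TEST_USER" ]`), and `cisco_ise.log.authentication.identity_store` flips the same way (`"Internal Users"` here, `[ "AD1" ]` there where the message carried `AuthenticationIdentityStore=` twice); this looks like the pipeline appending to these fields, so the type depends on how many `UserName`-style keys a message happens to carry. ECS `user.name` is a single keyword, so I would set it once (a `set` with `override: false`, or unwrap the array after the append) and keep the multi-valued form only in `related.user`, and treat `identity_store` the same way so consumers and these fixtures see one type. The guest events are also categorised `"category": [ "configuration" ]` for an AUP acceptance, which is a stretch for ECS `configuration`; and the identity-store expectations in the next file section categorise a plain `Local-user-DB` lookup as `[ "iam", "malware" ]`, which reads like a copy-paste in the category mapping and is worth confirming against the pipeline before these generated fixtures lock it in.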
@@ -0,0 +1,17 @@
+<183>Mar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083418 1 0 2022-03-03 11:37:34.933 +00:00 0000083485 24209 DEBUG Local-user-DB: Looking up Endpoint in Internal Endpoints IDStore, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },
+<183>Mar 3 09:24:13 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082649 1 0 2022-03-03 09:24:13.235 +00:00 0000082716 24210 DEBUG Local-user-DB: Looking up User in Internal Users IDStore, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/115, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth20,
+<183>Mar 3 09:22:51 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082604 1 0 2022-03-03 09:22:51.639 +00:00 0000082671 24212 DEBUG Local-user-DB: Found User in Internal Users IDStore, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/110, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth18, Firstname=Employee1, Lastname=Cisco1, EnableFlag=Enabled, Response={AuthenticationResult=NotPerformed; },
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082616 1 0 2022-03-03 09:22:59.336 +00:00 0000082683 24216 DEBUG Local-user-DB: The user is not found in the internal users identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth19, 
Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },
+<183>Mar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083419 1 0 2022-03-03 11:37:34.936 +00:00 0000083486 24217 DEBUG Local-user-DB: The host is not found in the internal endpoints identity store, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082623 1 0 2022-03-03 09:22:59.359 +00:00 0000082690 24313 DEBUG External-Active-Directory: Search for matching accounts at join point, AD-Log-Id=1645524126/33,
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082625 1 0 2022-03-03 09:22:59.359 +00:00 0000082692 24322 DEBUG External-Active-Directory: Identity resolution detected no matching account, AD-Log-Id=1645524126/35,
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082622 1 0 2022-03-03 09:22:59.359 +00:00 0000082689 24325 DEBUG External-Active-Directory: Resolving identity, AD-Log-Id=1645524126/32,
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082626 1 0 2022-03-03 09:22:59.359 +00:00 0000082693 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/36,
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082624 1 0 2022-03-03 09:22:59.359 +00:00 0000082691 24366 DEBUG External-Active-Directory: Skipping unjoined domain, AD-Log-Id=1645524126/34,
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082627 1 0 2022-03-03 09:22:59.360 +00:00 0000082694 24412 DEBUG External-Active-Directory: User not found in Active Directory, 
ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082621 1 0 2022-03-03 09:22:59.357 +00:00 0000082688 24430 DEBUG External-Active-Directory: Authenticating user against Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=Failed; },
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082618 1 0 2022-03-03 09:22:59.337 +00:00 0000082685 24631 DEBUG Local-user-DB: Looking up User in Internal Guests IDStore, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },
+<183>Mar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082619 1 0 2022-03-03 09:22:59.356 +00:00 0000082686 24633 DEBUG Local-user-DB: The user is not found in the internal guests identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },
+<183>Mar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083416 1 0 2022-03-03 11:37:34.931 +00:00 0000083483 24715 DEBUG External-Active-Directory: ISE has not confirmed locally previous successful machine 
authentication for user in Active Directory, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },
+<183>Mar 10 09:05:25 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000129360 1 0 2022-03-10 09:05:25.669 +00:00 0000129427 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/103,
+<183>Mar 28 11:23:25 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000000132 3 1 SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth2,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json
new file mode 100644
index 00000000000..c49605ace33
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json
@@ -0,0 +1,1371 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-03T11:37:34.933Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/126" + } + }, + "authentication": { + "method": "Lookup" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "log_details": "ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; }", + "message": { + "code": "24209", + "description": "Local-user-DB: Looking up Endpoint in Internal Endpoints IDStore", + "id": "0000083418" + }, + "original": { + "user": { + "name": "92-09-00-00-00-01" + } + }, + "response": { + "AuthenticationResult": "UnknownUser", + "QueryResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "local-user-db", + "category": [ + "iam", + "malware" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083418 1 0 2022-03-03 11:37:34.933 +00:00 0000083485 24209 DEBUG Local-user-DB: Looking up Endpoint in Internal Endpoints IDStore, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", + "sequence": 
83485, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.933 +00:00 0000083485 24209 DEBUG Local-user-DB: Looking up Endpoint in Internal Endpoints IDStore, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "92-09-00-00-00-01" + } + }, + { + "@timestamp": "2022-03-03T09:24:13.235Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/115" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "cisco-ise-host:userauth20" + } + }, + "currentid": { + "store_name": "Internal Users" + }, + "log_details": "ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/115, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth20", + "message": { + "code": "24210", + "description": "Local-user-DB: Looking up User in Internal Users IDStore", + "id": "0000082649" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "local-user-db", + "category": [ + 
"iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:24:13 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082649 1 0 2022-03-03 09:24:13.235 +00:00 0000082716 24210 DEBUG Local-user-DB: Looking up User in Internal Users IDStore, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/115, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth20,", + "sequence": 82716, + "timezone": "+00:00", + "type": [ + "info", + "user" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:24:13.235 +00:00 0000082716 24210 DEBUG Local-user-DB: Looking up User in Internal Users IDStore, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/115, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth20,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "test" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "test" + } + }, + { + "@timestamp": "2022-03-03T09:22:51.639Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/110" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "cisco-ise-host:userauth18" + } + }, + "currentid": { + "store_name": "Internal Users" + }, + "enable": { + "flag": "Enabled" + }, + "log_details": "ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/110, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth18, Firstname=Employee1, 
Lastname=Cisco1, EnableFlag=Enabled, Response={AuthenticationResult=NotPerformed; }", + "message": { + "code": "24212", + "description": "Local-user-DB: Found User in Internal Users IDStore", + "id": "0000082604" + }, + "response": { + "AuthenticationResult": "NotPerformed" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "local-user-db", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:51 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082604 1 0 2022-03-03 09:22:51.639 +00:00 0000082671 24212 DEBUG Local-user-DB: Found User in Internal Users IDStore, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/110, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth18, Firstname=Employee1, Lastname=Cisco1, EnableFlag=Enabled, Response={AuthenticationResult=NotPerformed; },", + "sequence": 82671, + "timezone": "+00:00", + "type": [ + "info", + "user" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:51.639 +00:00 0000082671 24212 DEBUG Local-user-DB: Found User in Internal Users IDStore, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/110, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth18, Firstname=Employee1, Lastname=Cisco1, EnableFlag=Enabled, Response={AuthenticationResult=NotPerformed; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "employee1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": [ + "Employee1", + "Cisco1" + ], + 
"name": "employee1" + } + }, + { + "@timestamp": "2022-03-03T09:22:59.336Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/112" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "cisco-ise-host:userauth19" + } + }, + "currentid": { + "store_name": "Internal Users" + }, + "log_details": "ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; }", + "message": { + "code": "24216", + "description": "Local-user-DB: The user is not found in the internal users identity store", + "id": "0000082616" + }, + "response": { + "AuthenticationResult": "UnknownUser", + "LdapOperationStatus": "SubjectNotFound" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "local-user-db", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082616 1 0 2022-03-03 09:22:59.336 +00:00 0000082683 24216 DEBUG Local-user-DB: The user is not found in the internal users identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },", + "sequence": 82683, + "timezone": "+00:00", + "type": [ + "info", + "user" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, 
+ "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.336 +00:00 0000082683 24216 DEBUG Local-user-DB: The user is not found in the internal users identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-03T11:37:34.936Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/126" + } + }, + "authentication": { + "method": "Lookup" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "log_details": "ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; }", + "message": { + "code": "24217", + "description": "Local-user-DB: The host is not found in the internal endpoints identity store", + "id": "0000083419" + }, + "original": { + "user": { + "name": "92-09-00-00-00-01" + } + }, + "response": { + "AuthenticationResult": "UnknownUser", + "QueryResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + } + } + }, + "ecs": { + "version": "8.0.0" 
+ }, + "event": { + "action": "local-user-db", + "category": [ + "iam", + "host" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083419 1 0 2022-03-03 11:37:34.936 +00:00 0000083486 24217 DEBUG Local-user-DB: The host is not found in the internal endpoints identity store, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", + "sequence": 83486, + "timezone": "+00:00", + "type": [ + "info", + "host" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.936 +00:00 0000083486 24217 DEBUG Local-user-DB: The host is not found in the internal endpoints identity store, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "92-09-00-00-00-01" + } + }, + { + "@timestamp": "2022-03-03T09:22:59.359Z", + "cisco_ise": { + "log": { + "ad": { + "log_id": "1645524126/33" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "log_details": "AD-Log-Id=1645524126/33", + "message": { + "code": "24313", + "description": 
"External-Active-Directory: Search for matching accounts at join point", + "id": "0000082623" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "external-active-directory", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082623 1 0 2022-03-03 09:22:59.359 +00:00 0000082690 24313 DEBUG External-Active-Directory: Search for matching accounts at join point, AD-Log-Id=1645524126/33,", + "sequence": 82690, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082690 24313 DEBUG External-Active-Directory: Search for matching accounts at join point, AD-Log-Id=1645524126/33,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:22:59.359Z", + "cisco_ise": { + "log": { + "ad": { + "log_id": "1645524126/35" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "log_details": "AD-Log-Id=1645524126/35", + "message": { + "code": "24322", + "description": "External-Active-Directory: Identity resolution detected no matching account", + "id": "0000082625" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "external-active-directory", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082625 1 0 2022-03-03 09:22:59.359 +00:00 0000082692 24322 DEBUG External-Active-Directory: Identity resolution detected no matching account, AD-Log-Id=1645524126/35,", + "sequence": 82692, + "timezone": "+00:00", + "type": 
[ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082692 24322 DEBUG External-Active-Directory: Identity resolution detected no matching account, AD-Log-Id=1645524126/35,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:22:59.359Z", + "cisco_ise": { + "log": { + "ad": { + "log_id": "1645524126/32" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "log_details": "AD-Log-Id=1645524126/32", + "message": { + "code": "24325", + "description": "External-Active-Directory: Resolving identity", + "id": "0000082622" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "external-active-directory", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082622 1 0 2022-03-03 09:22:59.359 +00:00 0000082689 24325 DEBUG External-Active-Directory: Resolving identity, AD-Log-Id=1645524126/32,", + "sequence": 82689, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082689 24325 DEBUG External-Active-Directory: Resolving identity, AD-Log-Id=1645524126/32,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:22:59.359Z", + "cisco_ise": { + "log": { + "ad": { + "log_id": "1645524126/36" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "log_details": "AD-Log-Id=1645524126/36", + "message": { + "code": 
"24352", + "description": "External-Active-Directory: Identity resolution failed", + "id": "0000082626" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "external-active-directory", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082626 1 0 2022-03-03 09:22:59.359 +00:00 0000082693 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/36,", + "sequence": 82693, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082693 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/36,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:22:59.359Z", + "cisco_ise": { + "log": { + "ad": { + "log_id": "1645524126/34" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "log_details": "AD-Log-Id=1645524126/34", + "message": { + "code": "24366", + "description": "External-Active-Directory: Skipping unjoined domain", + "id": "0000082624" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "external-active-directory", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082624 1 0 2022-03-03 09:22:59.359 +00:00 0000082691 24366 DEBUG External-Active-Directory: Skipping unjoined domain, AD-Log-Id=1645524126/34,", + "sequence": 82691, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + 
"level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082691 24366 DEBUG External-Active-Directory: Skipping unjoined domain, AD-Log-Id=1645524126/34,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:22:59.360Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/112" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "cisco-ise-host:userauth19" + } + }, + "currentid": { + "store_name": "All_AD_Join_Points" + }, + "log_details": "ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; }", + "message": { + "code": "24412", + "description": "External-Active-Directory: User not found in Active Directory", + "id": "0000082627" + }, + "response": { + "AuthenticationResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "external-active-directory", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082627 1 0 2022-03-03 09:22:59.360 +00:00 0000082694 24412 DEBUG External-Active-Directory: User not found in Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, 
CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82694, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.360 +00:00 0000082694 24412 DEBUG External-Active-Directory: User not found in Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-03T09:22:59.357Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/112" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "cisco-ise-host:userauth19" + } + }, + "currentid": { + "store_name": "All_AD_Join_Points" + }, + "log_details": "ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=Failed; }", + "message": { + "code": "24430", + "description": "External-Active-Directory: Authenticating user against Active Directory", + "id": "0000082621" + }, + "response": { + "AuthenticationResult": "Failed" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": 
"AuthenticateUserAPI" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "external-active-directory", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082621 1 0 2022-03-03 09:22:59.357 +00:00 0000082688 24430 DEBUG External-Active-Directory: Authenticating user against Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=Failed; },", + "sequence": 82688, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.357 +00:00 0000082688 24430 DEBUG External-Active-Directory: Authenticating user against Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=Failed; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-03T09:22:59.337Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/112" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "cisco-ise-host:userauth19" + } + }, + "currentid": { + "store_name": "Guest Users" + }, + "log_details": 
"ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; }", + "message": { + "code": "24631", + "description": "Local-user-DB: Looking up User in Internal Guests IDStore", + "id": "0000082618" + }, + "response": { + "AuthenticationResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "local-user-db", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082618 1 0 2022-03-03 09:22:59.337 +00:00 0000082685 24631 DEBUG Local-user-DB: Looking up User in Internal Guests IDStore, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82685, + "timezone": "+00:00", + "type": [ + "info", + "user" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.337 +00:00 0000082685 24631 DEBUG Local-user-DB: Looking up User in Internal Guests IDStore, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "admin" + ] + }, + "tags": [ + 
"preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-03T09:22:59.356Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/112" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "cisco-ise-host:userauth19" + } + }, + "currentid": { + "store_name": "Guest Users" + }, + "log_details": "ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; }", + "message": { + "code": "24633", + "description": "Local-user-DB: The user is not found in the internal guests identity store", + "id": "0000082619" + }, + "response": { + "AuthenticationResult": "UnknownUser", + "LdapOperationStatus": "SubjectNotFound" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "local-user-db", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082619 1 0 2022-03-03 09:22:59.356 +00:00 0000082686 24633 DEBUG Local-user-DB: The user is not found in the internal guests identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },", + "sequence": 82686, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] 
+ }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:22:59.356 +00:00 0000082686 24633 DEBUG Local-user-DB: The user is not found in the internal guests identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-03T11:37:34.931Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/126" + } + }, + "authentication": { + "method": "Lookup" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "log_details": "ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; }", + "message": { + "code": "24715", + "description": "External-Active-Directory: ISE has not confirmed locally previous successful machine authentication for user in Active Directory", + "id": "0000083416" + }, + "original": { + "user": { + "name": "92-09-00-00-00-01" + } + }, + "response": { + "AuthenticationResult": "UnknownUser", + "QueryResult": "UnknownUser" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": 
{ + "access": { + "service": "Default Network Access" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "external-active-directory", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083416 1 0 2022-03-03 11:37:34.931 +00:00 0000083483 24715 DEBUG External-Active-Directory: ISE has not confirmed locally previous successful machine authentication for user in Active Directory, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", + "sequence": 83483, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.931 +00:00 0000083483 24715 DEBUG External-Active-Directory: ISE has not confirmed locally previous successful machine authentication for user in Active Directory, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "92-09-00-00-00-01" + } + }, + { + "@timestamp": "2022-03-10T09:05:25.669Z", + "cisco_ise": { + "log": { + "ad": { + 
"log_id": "1645524126/103" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "log_details": "AD-Log-Id=1645524126/103", + "message": { + "code": "24352", + "description": "External-Active-Directory: Identity resolution failed", + "id": "0000129360" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "external-active-directory", + "category": [ + "iam", + "authentication" + ], + "kind": "event", + "original": "\u003c183\u003eMar 10 09:05:25 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000129360 1 0 2022-03-10 09:05:25.669 +00:00 0000129427 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/103, ", + "sequence": 129427, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-10 09:05:25.669 +00:00 0000129427 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/103,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-28T11:23:25.000Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/437837646/2" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Identity_Stores_Diagnostics" + }, + "cpm": { + "session": { + "id": "cisco-ise-host:userauth2" + } + }, + "currentid": { + "store_name": "Internal Users" + }, + "log_details": "SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth2", + "message": { + "id": "0000000132" + }, + "segment": { + "number": 1, + "total": 3 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } 
+ } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c183\u003eMar 28 11:23:25 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000000132 3 1 SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth2," + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 183 + } + }, + "message": "SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth2,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log new file mode 100644 index 00000000000..fb62948ea1f --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log 
@@ -0,0 +1,6 @@
+<180>Feb 23 06:11:12 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000000890 1 0 2022-02-23 06:11:12.793 +00:00 0000000945 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=240, DestinationPort=9025, LoggerName=Test_TCP,
+<179>Mar 3 09:19:04 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000082575 1 0 2022-03-03 09:19:04.559 +00:00 0000082642 34120 ERROR Profiler: Profiler failed to get the connection to NAC Manager, ConfigVersionId=1628,
+<180>Mar 3 09:24:09 isehost CISE_Internal_Operations_Diagnostics 0000040852 1 0 2022-03-03 09:24:09.011 +00:00 0000040898 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA,
+<180>Mar 3 09:24:39 isehost CISE_Internal_Operations_Diagnostics 0000040857 1 0 2022-03-03 09:24:39.014 +00:00 0000040903 34127 WARN System-Management: Remote syslog target connection resume, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA,
+<183>Mar 3 00:00:00 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000079939 1 0 2022-03-03 00:00:00.480 +00:00 0000080006 32025 DEBUG Logging: Rolled over local storage file, ConfigVersionId=1543, LogFileName=/opt/CSCOcpm/logs/localStore//iseLocalStore.log.2022-03-02-00-00-00-478, LogErrorMessage=LOG_OK_NO_ERROR,
+<180>Mar 28 10:51:49 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000000083 2 1 LoggerName=Test_TCP,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
new file mode 100644
index 00000000000..b2c56effc8b
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
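Review bot: The last fixture line, `<180>Mar 28 10:51:49 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000000083 2 1 LoggerName=Test_TCP,`, is segment 1 of a 2-segment message whose segment 0 is not in the file, so the matching expected document has no message code or description, no `event.action`, and a `@timestamp` taken from the syslog header alone. That pins how an orphan continuation segment is rendered, but it leaves untested whether a message that actually arrives in several segments is ever combined, which is presumably the common case in production. Consider adding the segment 0 line for the same message id, or stating in the PR description that continuation segments are deliberately emitted as standalone documents. The my-devices fixture (`0000000231 4 1`) and the passed-authentications fixture (`0000082547 3 1`) end with the same shape.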
@@ -0,0 +1,370 @@ +{ + "expected": [ + { + "@timestamp": "2022-02-23T06:11:12.793Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Internal_Operations_Diagnostics" + }, + "config_version": { + "id": 240 + }, + "logger": { + "name": "Test_TCP" + }, + "message": { + "code": "34126", + "description": "System-Management: Remote syslog target is unavailable", + "id": "0000000890" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "destination": { + "port": 9025 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-management", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c180\u003eFeb 23 06:11:12 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000000890 1 0 2022-02-23 06:11:12.793 +00:00 0000000945 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=240, DestinationPort=9025, LoggerName=Test_TCP,", + "sequence": 945, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "warn", + "syslog": { + "priority": 180, + "severity": { + "name": "warn" + } + } + }, + "message": "2022-02-23 06:11:12.793 +00:00 0000000945 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=240, DestinationPort=9025, LoggerName=Test_TCP,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:19:04.559Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Internal_Operations_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "message": { + "code": "34120", + "description": "Profiler: Profiler failed to get the connection to NAC Manager", + "id": "0000082575" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "profiler", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c179\u003eMar 3 
09:19:04 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000082575 1 0 2022-03-03 09:19:04.559 +00:00 0000082642 34120 ERROR Profiler: Profiler failed to get the connection to NAC Manager, ConfigVersionId=1628,", + "sequence": 82642, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "error", + "syslog": { + "priority": 179, + "severity": { + "name": "error" + } + } + }, + "message": "2022-03-03 09:19:04.559 +00:00 0000082642 34120 ERROR Profiler: Profiler failed to get the connection to NAC Manager, ConfigVersionId=1628,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:24:09.011Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Internal_Operations_Diagnostics" + }, + "config_version": { + "id": 795 + }, + "logger": { + "name": "TCP Collector QA" + }, + "message": { + "code": "34126", + "description": "System-Management: Remote syslog target is unavailable", + "id": "0000040852" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "destination": { + "port": 9005 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-management", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c180\u003eMar 3 09:24:09 isehost CISE_Internal_Operations_Diagnostics 0000040852 1 0 2022-03-03 09:24:09.011 +00:00 0000040898 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA,", + "sequence": 40898, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "warn", + "syslog": { + "priority": 180, + "severity": { + "name": "warn" + } + } + }, + "message": "2022-03-03 09:24:09.011 +00:00 0000040898 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=795, DestinationPort=9005, 
LoggerName=TCP Collector QA,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:24:39.014Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Internal_Operations_Diagnostics" + }, + "config_version": { + "id": 795 + }, + "logger": { + "name": "TCP Collector QA" + }, + "message": { + "code": "34127", + "description": "System-Management: Remote syslog target connection resume", + "id": "0000040857" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "destination": { + "port": 9005 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "system-management", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c180\u003eMar 3 09:24:39 isehost CISE_Internal_Operations_Diagnostics 0000040857 1 0 2022-03-03 09:24:39.014 +00:00 0000040903 34127 WARN System-Management: Remote syslog target connection resume, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA,", + "sequence": 40903, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "warn", + "syslog": { + "priority": 180, + "severity": { + "name": "warn" + } + } + }, + "message": "2022-03-03 09:24:39.014 +00:00 0000040903 34127 WARN System-Management: Remote syslog target connection resume, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T00:00:00.480Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Internal_Operations_Diagnostics" + }, + "config_version": { + "id": 1543 + }, + "error": { + "message": "LOG_OK_NO_ERROR" + }, + "file": { + "name": "/opt/CSCOcpm/logs/localStore//iseLocalStore.log.2022-03-02-00-00-00-478" + }, + "message": { + "code": "32025", + "description": "Logging: Rolled over local storage file", + "id": 
"0000079939" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logging", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 00:00:00 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000079939 1 0 2022-03-03 00:00:00.480 +00:00 0000080006 32025 DEBUG Logging: Rolled over local storage file, ConfigVersionId=1543, LogFileName=/opt/CSCOcpm/logs/localStore//iseLocalStore.log.2022-03-02-00-00-00-478, LogErrorMessage=LOG_OK_NO_ERROR,", + "sequence": 80006, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 00:00:00.480 +00:00 0000080006 32025 DEBUG Logging: Rolled over local storage file, ConfigVersionId=1543, LogFileName=/opt/CSCOcpm/logs/localStore//iseLocalStore.log.2022-03-02-00-00-00-478, LogErrorMessage=LOG_OK_NO_ERROR,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-28T10:51:49.000Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Internal_Operations_Diagnostics" + }, + "logger": { + "name": "Test_TCP" + }, + "message": { + "id": "0000000083" + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c180\u003eMar 28 10:51:49 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000000083 2 1 LoggerName=Test_TCP,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 180 + } + }, + "message": "LoggerName=Test_TCP,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log
new file mode 100644
index 00000000000..1faf1b85579
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log
@@ -0,0 +1,4 @@
+<182>Mar 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082658 1 0 2022-03-03 09:24:53.393 +00:00 0000082725 88004 INFO MyDevices: Successfully deleted the device (endpoint), ConfigVersionId=1629, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:00, EPIdentityGroup=Unknown, Staticassignment=false, EndPointProfiler=ise.host.local, EndPointPolicy=Xerox-Device, DeviceName=test, DeviceRegistrationStatus=NotRegistered, ResponseTime=35,
+<182>Mar 3 09:24:40 cisco-ise-host CISE_MyDevices 0000082656 1 0 2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=1628, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35
+<179>Mar 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082659 1 0 2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate,
+<182>Mar 28 11:46:57 cisco-ise-host CISE_MyDevices 0000000231 4 1 AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.host.local, EPMacAddress=12:34:52:24:24:32,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
new file mode 100644
index 00000000000..b2bac19eec9
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json 
@@ -0,0 +1,338 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-03T09:24:53.393Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_MyDevices" + }, + "config_version": { + "id": 1629 + }, + "device": { + "name": "test", + "registration_status": "NotRegistered" + }, + "endpoint": { + "policy": "Xerox-Device", + "profiler": "ise.host.local" + }, + "ep": { + "identity_group": "Unknown", + "mac": { + "address": "00:00:00:00:00:00" + } + }, + "identity": { + "group": "ALL_ACCOUNTS (default)" + }, + "message": { + "code": "88004", + "description": "MyDevices: Successfully deleted the device (endpoint)", + "id": "0000082658" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "ise.host.local" + }, + "response": { + "time": 35 + }, + "segment": { + "number": 0, + "total": 1 + }, + "static": { + "assignment": false + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "mydevices", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082658 1 0 2022-03-03 09:24:53.393 +00:00 0000082725 88004 INFO MyDevices: Successfully deleted the device (endpoint), ConfigVersionId=1629, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:00, EPIdentityGroup=Unknown, Staticassignment=false, EndPointProfiler=ise.host.local, EndPointPolicy=Xerox-Device, DeviceName=test, DeviceRegistrationStatus=NotRegistered, ResponseTime=35,", + "sequence": 82725, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 09:24:53.393 +00:00 0000082725 88004 
INFO MyDevices: Successfully deleted the device (endpoint), ConfigVersionId=1629, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:00, EPIdentityGroup=Unknown, Staticassignment=false, EndPointProfiler=ise.host.local, EndPointPolicy=Xerox-Device, DeviceName=test, DeviceRegistrationStatus=NotRegistered, ResponseTime=35,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "test" + ] + }, + "source": { + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "test" + } + }, + { + "@timestamp": "2022-03-03T09:24:40.424Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_MyDevices" + }, + "config_version": { + "id": 1628 + }, + "device": { + "name": "test2", + "registration_status": "Pending" + }, + "endpoint": { + "policy": "Unknown", + "profiler": "ise.host.local" + }, + "ep": { + "identity_group": "RegisteredDevices", + "mac": { + "address": "00:00:00:00:00:01" + } + }, + "identity": { + "group": "ALL_ACCOUNTS (default)" + }, + "message": { + "code": "88010", + "description": "MyDevices: Successfully registered/provisioned the device (endpoint)", + "id": "0000082656" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "ise.host.local" + }, + "segment": { + "number": 0, + "total": 1 + }, + "static": { + "assignment": true + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "mydevices", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 3 09:24:40 cisco-ise-host CISE_MyDevices 0000082656 1 0 2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=1628, UserName=test, 
IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35", + "sequence": 82723, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=1628, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "test" + ] + }, + "source": { + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "test" + } + }, + { + "@timestamp": "2022-03-03T09:24:53.482Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_MyDevices" + }, + "config_version": { + "id": 1629 + }, + "endpoint": { + "coa": "Terminate" + }, + "ep": { + "mac": { + "address": "00:00:00:00:00:00" + } + }, + "message": { + "code": "88013", + "description": "MyDevices: Failed to perform a CoA termination", + "id": "0000082659" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "mydevices", + "category": [ + "configuration" + ], + "kind": 
"event", + "original": "\u003c179\u003eMar 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082659 1 0 2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate,", + "sequence": 82726, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "error", + "syslog": { + "priority": 179, + "severity": { + "name": "error" + } + } + }, + "message": "2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-28T11:46:57.000Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_MyDevices" + }, + "ep": { + "mac": { + "address": "12:34:52:24:24:32" + } + }, + "identity": { + "group": "Any" + }, + "message": { + "id": "0000000231" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "cisco-ise-host.host.local" + }, + "segment": { + "number": 1, + "total": 4 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 28 11:46:57 cisco-ise-host CISE_MyDevices 0000000231 4 1 AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.host.local, EPMacAddress=12:34:52:24:24:32,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.host.local, 
EPMacAddress=12:34:52:24:24:32,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log new file mode 100644 index 00000000000..5e9d7123e7a --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log 
@@ -0,0 +1,5 @@
+<181>Mar 3 11:37:34 cisco-ise-host CISE_Passed_Authentications 0000083423 1 0 2022-03-03 11:37:34.978 +00:00 0000083490 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=1696, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.193, DestinationPort=1812, UserName=92-09-00-00-00-01, Protocol=Radius, NetworkDeviceName=Simulator, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=gigabitEthernet1/0/1, Airespace-Wlan-Id=3, OriginalUserName=92-09-00-00-00-01, MisconfiguredClientFixReason=Passed, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WirelessMAB, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, UseCase=Host Lookup, RequestLatency=90, Step=11001, Step=11017, Step=11117, Step=11027, Step=15049, Step=15008, Step=15041, Step=15048, Step=15013, Step=24209, Step=24217, Step=22056, Step=22058, Step=22060, Step=24715, Step=15036, Step=24209, Step=24217, Step=15016, Step=11002, Step=5239, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=UnknownUser, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, EndPointMACAddress=92-09-00-00-00-01, PostureAssessmentStatus=Pending, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB, StepData=7= Normalised Radius.RadiusFlowType, StepData=8=Internal Endpoints, TotalAuthenLatency=90, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, 
Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M&portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7&action=cwa&type=drw&token=65402552fb76ff96c08edaab722f880e; LicenseTypes=1; },
+<181>Mar 2 13:27:48 cisco-ise-host CISE_Passed_Authentications 0000077038 1 0 2022-03-02 13:27:48.625 +00:00 0000077104 5231 NOTICE Guest: Guest Authentication Passed, ConfigVersionId=1459, AuthenticationMethod=PAP_ASCII, UserType=NON_GUEST, UserName=test, IpAddress=81.2.69.145, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=cisco-ise-host.local, GuestUserName=test, ResponseTime=21, Step=5231,
+<181>Feb 23 21:44:54 cisco-ise-host CISE_Passed_Authentications 0000000028 1 0 2021-02-23 21:44:54.276 +00:00 0000001707 5233 NOTICE Passed-Authentication: TrustSec Data Download Succeeded, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All 
Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; },
+<181>Mar 3 09:11:58 cisco-ise-host CISE_Passed_Authentications 0000082517 1 0 2022-03-03 09:11:58.729 +00:00 0000082584 5239 NOTICE RADIUS: NAS problem was fixed, ConfigVersionId=1626, NAS-IP-Address=81.2.69.145, MisconfiguredClientFixReason=Silent, Step=5239,
+<181>Mar 3 09:11:58 cisco-ise-host CISE_Passed_Authentications 0000082547 3 1 ConfigVersionId=1626, NAS-IP-Address=81.2.69.144, MisconfiguredClientFixReason=Silent, Step=5234,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
new file mode 100644
index 00000000000..74f833bf024
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
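Review bot: The first fixture line embeds a complete `cisco-av-pair=url-redirect=` URL whose query string carries `sessionId=` and `token=` values, and the first and third lines carry `CPMSessionID`/`Class=CACS:` session identifiers, whereas `cisco-av-pair=cts-pac-opaque` on the third line has already been masked as `****`. If these lines were captured from a live ISE deployment rather than constructed, the token and session identifiers deserve the same masking, because the fixture is committed verbatim and the expected JSON in the next file reproduces the whole URL again in `log_details`. A clearly synthetic hex string of the same length keeps the parser exercised without carrying a possibly real value. The hostnames and the 81.2.69.x addresses already look synthetic, so this concerns only the opaque values.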
@@ -0,0 +1,639 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-03T11:37:34.978Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/126" + } + }, + "airespace": { + "wlan": { + "id": 3 + } + }, + "allow": { + "easy": { + "wired": { + "session": "false" + } + } + }, + "auth": { + "policy": { + "matched": { + "rule": "Hotspot" + } + } + }, + "authentication": { + "method": "Lookup", + "status": "UnknownUser" + }, + "calling_station": { + "id": "92:09:00:00:00:01" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "client": { + "latency": 0 + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "device": { + "type": "Device Type#All Device Types" + }, + "dtls_support": "Unknown", + "endpoint": { + "mac": { + "address": "92-09-00-00-00-01" + } + }, + "identity": { + "policy": { + "matched": { + "rule": "MAB" + } + }, + "selection": { + "matched": { + "rule": "MAB" + } + } + }, + "ipsec": "IPSEC#Is IPSEC Device#No", + "is_third_party_device_flow": false, + "ise": { + "policy": { + "set_name": "Default" + } + }, + "location": "Location#All Locations", + "log_details": "ConfigVersionId=1696, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.193, DestinationPort=1812, UserName=92-09-00-00-00-01, Protocol=Radius, NetworkDeviceName=Simulator, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=gigabitEthernet1/0/1, Airespace-Wlan-Id=3, OriginalUserName=92-09-00-00-00-01, MisconfiguredClientFixReason=Passed, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WirelessMAB, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, 
SelectedAuthorizationProfiles=hotspot, UseCase=Host Lookup, RequestLatency=90, Step=11001, Step=11017, Step=11117, Step=11027, Step=15049, Step=15008, Step=15041, Step=15048, Step=15013, Step=24209, Step=24217, Step=22056, Step=22058, Step=22060, Step=24715, Step=15036, Step=24209, Step=24217, Step=15016, Step=11002, Step=5239, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=UnknownUser, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, EndPointMACAddress=92-09-00-00-00-01, PostureAssessmentStatus=Pending, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB, StepData=7= Normalised Radius.RadiusFlowType, StepData=8=Internal Endpoints, TotalAuthenLatency=90, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; LicenseTypes=1; }", + "message": { + "code": "5200", + "description": "Passed-Authentication: Authentication succeeded", + "id": "0000083423" + }, + "misconfigured": { + "client": { + "fix": { + "reason": "Passed" + } + } + }, + "model": { + "name": "Unknown" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "id": "gigabitEthernet1/0/1", + "number": 86, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + 
"groups": [ + "IPSEC#Is IPSEC Device#No", + "Location#All Locations", + "Device Type#All Device Types" + ], + "name": "Simulator", + "profile": "Cisco", + "profile_id": "b0699505-3150-4215-a80e-6753d45bf56c", + "profile_name": "Cisco" + } + }, + "posture": { + "assessment": { + "status": "Pending" + } + }, + "radius": { + "flow": { + "type": "WirelessMAB" + } + }, + "request": { + "latency": 90 + }, + "response": { + "Class": "CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126", + "LicenseTypes": "1", + "cisco-av-pair": [ + "url-redirect-acl=REDIRECT", + "url-redirect=https://cisco-ise-host.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e" + ] + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + }, + "authentication": { + "identity_stores": "Internal Endpoints" + }, + "authorization": { + "profiles": "hotspot" + } + }, + "service": { + "type": "Call Check" + }, + "step": [ + "11001", + "11017", + "11117", + "11027", + "15049", + "15008", + "15041", + "15048", + "15013", + "24209", + "24217", + "22056", + "22058", + "22060", + "24715", + "15036", + "24209", + "24217", + "15016", + "11002", + "5239" + ], + "step_data": [ + "7= Normalised Radius.RadiusFlowType", + "8=Internal Endpoints" + ], + "total": { + "authen": { + "latency": 90 + } + }, + "usecase": "Host Lookup" + } + }, + "client": { + "ip": "81.2.69.143" + }, + "destination": { + "ip": "81.2.69.193", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 11:37:34 cisco-ise-host CISE_Passed_Authentications 0000083423 1 0 2022-03-03 11:37:34.978 +00:00 0000083490 5200 NOTICE Passed-Authentication: 
Authentication succeeded, ConfigVersionId=1696, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.193, DestinationPort=1812, UserName=92-09-00-00-00-01, Protocol=Radius, NetworkDeviceName=Simulator, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=gigabitEthernet1/0/1, Airespace-Wlan-Id=3, OriginalUserName=92-09-00-00-00-01, MisconfiguredClientFixReason=Passed, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WirelessMAB, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, UseCase=Host Lookup, RequestLatency=90, Step=11001, Step=11017, Step=11117, Step=11027, Step=15049, Step=15008, Step=15041, Step=15048, Step=15013, Step=24209, Step=24217, Step=22056, Step=22058, Step=22060, Step=24715, Step=15036, Step=24209, Step=24217, Step=15016, Step=11002, Step=5239, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=UnknownUser, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, EndPointMACAddress=92-09-00-00-00-01, PostureAssessmentStatus=Pending, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB, StepData=7= Normalised Radius.RadiusFlowType, StepData=8=Internal Endpoints, TotalAuthenLatency=90, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, 
Response={Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; LicenseTypes=1; },", + "sequence": 83490, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 11:37:34.978 +00:00 0000083490 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=1696, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.193, DestinationPort=1812, UserName=92-09-00-00-00-01, Protocol=Radius, NetworkDeviceName=Simulator, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=gigabitEthernet1/0/1, Airespace-Wlan-Id=3, OriginalUserName=92-09-00-00-00-01, MisconfiguredClientFixReason=Passed, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WirelessMAB, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, UseCase=Host Lookup, RequestLatency=90, Step=11001, Step=11017, Step=11117, Step=11027, Step=15049, Step=15008, Step=15041, Step=15048, Step=15013, Step=24209, Step=24217, Step=22056, Step=22058, Step=22060, Step=24715, Step=15036, Step=24209, Step=24217, Step=15016, Step=11002, Step=5239, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=UnknownUser, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, 
NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, EndPointMACAddress=92-09-00-00-00-01, PostureAssessmentStatus=Pending, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB, StepData=7= Normalised Radius.RadiusFlowType, StepData=8=Internal Endpoints, TotalAuthenLatency=90, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; LicenseTypes=1; },", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.193" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "92-09-00-00-00-01" + ] + } + }, + { + "@timestamp": "2022-03-02T13:27:48.625Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users", + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 1459 + }, + "guest": { + "user": { + "name": "test" + } + }, + "identity": { + "group": "ALL_ACCOUNTS (default)" + }, + "log_details": "ConfigVersionId=1459, AuthenticationMethod=PAP_ASCII, UserType=NON_GUEST, UserName=test, IpAddress=81.2.69.145, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal 
(default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=cisco-ise-host.local, GuestUserName=test, ResponseTime=21, Step=5231", + "message": { + "code": "5231", + "description": "Guest: Guest Authentication Passed", + "id": "0000077038" + }, + "portal": { + "name": "Self-Registered Guest Portal (default)" + }, + "psn": { + "hostname": "cisco-ise-host.local" + }, + "response": { + "time": 21 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": "5231", + "user": { + "type": "NON_GUEST" + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "guest", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 2 13:27:48 cisco-ise-host CISE_Passed_Authentications 0000077038 1 0 2022-03-02 13:27:48.625 +00:00 0000077104 5231 NOTICE Guest: Guest Authentication Passed, ConfigVersionId=1459, AuthenticationMethod=PAP_ASCII, UserType=NON_GUEST, UserName=test, IpAddress=81.2.69.145, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=cisco-ise-host.local, GuestUserName=test, ResponseTime=21, Step=5231,", + "sequence": 77104, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-02 13:27:48.625 +00:00 0000077104 5231 NOTICE Guest: Guest Authentication Passed, ConfigVersionId=1459, AuthenticationMethod=PAP_ASCII, UserType=NON_GUEST, UserName=test, IpAddress=81.2.69.145, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=cisco-ise-host.local, GuestUserName=test, ResponseTime=21, Step=5231,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.145" + ], + "user": [ + "test" + ] + }, + "source": { + "ip": "81.2.69.145" + }, + 
"tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "test" + ] + } + }, + { + "@timestamp": "2021-02-23T21:44:54.276Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "ise/403491114/1" + } + }, + "auth": { + "policy": { + "matched": { + "rule": "Default" + } + } + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 9 + }, + "cpm": { + "session": { + "id": "c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg" + } + }, + "device": { + "type": "Device Type#All Device Types#Security Devices#VPN" + }, + "dtls_support": "Unknown", + "is_third_party_device_flow": false, + "ise": { + "policy": { + "set_name": "NetworkDeviceAuthorization" + } + }, + "location": "Location#All Locations#dCloud", + "log_details": "ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, 
Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; }", + "message": { + "code": "5233", + "description": "Passed-Authentication: TrustSec Data Download Succeeded", + "id": "0000000028" + }, + "nas": { + "ip": "81.2.69.144", + "port": { + "number": 2, + "type": "Virtual" + } + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#dCloud", + "Device Type#All Device Types#Security Devices#VPN" + ], + "name": "ASAv-vpn", + "profile": "Cisco", + "profile_id": "8ade1f15-aef1-4a9a-8158-d02e835179db", + "profile_name": "Cisco" + } + }, + "request": { + "latency": 281 + }, + "response": { + "Class": "CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1", + "cisco-av-pair": [ + "cts:server-list=CTSServerList1-0001", + "cts:security-group-tag=0002-11", + "cts:environment-data-expiry=86400", + "cts:security-group-table=0001-46" + ] + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "NDAC_SGT_Service" + } + }, + "step": [ + "11001", + "11017", + "11117", + "15012", + "15036", + "15006", + "11002" + ] + } + }, + "client": { + "ip": "81.2.69.144" + }, + "destination": { + "ip": "81.2.69.144", + "port": 1645 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eFeb 23 21:44:54 cisco-ise-host CISE_Passed_Authentications 0000000028 1 0 2021-02-23 21:44:54.276 +00:00 0000001707 5233 NOTICE Passed-Authentication: TrustSec Data Download Succeeded, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, 
User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; },", + "sequence": 1707, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2021-02-23 21:44:54.276 +00:00 0000001707 5233 NOTICE Passed-Authentication: TrustSec Data Download Succeeded, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, 
cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; },", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "#CTSREQUEST#" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "#CTSREQUEST#" + ] + } + }, + { + "@timestamp": "2022-03-03T09:11:58.729Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 1626 + }, + "log_details": "ConfigVersionId=1626, NAS-IP-Address=81.2.69.145, MisconfiguredClientFixReason=Silent, Step=5239", + "message": { + "code": "5239", + "description": "RADIUS: NAS problem was fixed", + "id": "0000082517" + }, + "misconfigured": { + "client": { + "fix": { + "reason": "Silent" + } + } + }, + "nas": { + "ip": "81.2.69.145" + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": 
"5239" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 09:11:58 cisco-ise-host CISE_Passed_Authentications 0000082517 1 0 2022-03-03 09:11:58.729 +00:00 0000082584 5239 NOTICE RADIUS: NAS problem was fixed, ConfigVersionId=1626, NAS-IP-Address=81.2.69.145, MisconfiguredClientFixReason=Silent, Step=5239,", + "sequence": 82584, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 09:11:58.729 +00:00 0000082584 5239 NOTICE RADIUS: NAS problem was fixed, ConfigVersionId=1626, NAS-IP-Address=81.2.69.145, MisconfiguredClientFixReason=Silent, Step=5239,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.145" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T09:11:58.000Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 1626 + }, + "log_details": "ConfigVersionId=1626, NAS-IP-Address=81.2.69.144, MisconfiguredClientFixReason=Silent, Step=5234", + "message": { + "id": "0000082547" + }, + "misconfigured": { + "client": { + "fix": { + "reason": "Silent" + } + } + }, + "nas": { + "ip": "81.2.69.144" + }, + "segment": { + "number": 1, + "total": 3 + }, + "step": "5234" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c181\u003eMar 3 09:11:58 cisco-ise-host CISE_Passed_Authentications 0000082547 3 1 ConfigVersionId=1626, NAS-IP-Address=81.2.69.144, MisconfiguredClientFixReason=Silent, Step=5234," + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 181 + } + }, + "message": "ConfigVersionId=1626, NAS-IP-Address=81.2.69.144, 
MisconfiguredClientFixReason=Silent, Step=5234,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log new file mode 100644 index 00000000000..09467144283 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log 
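Review bot: The fifth expected event (segment 1 of 3, message id 0000082547) is given `"@timestamp": "2022-03-03T09:11:58.000Z"` although its `event.original` carries only the yearless syslog header `Mar 3 09:11:58`, so the year must be supplied by the pipeline or by the test configuration. If it is taken from the ingest node's clock, this expected file stops matching at the next year rollover; if the test pins it, a one-line comment in the test config saying so would spare the next maintainer a bisect — I cannot see the pipeline or test config from this hunk, so treat this as something to confirm. The same applies to the last line of test-pipeline-policy-diagnostics.log (`0000000129 2 1`), which is likewise a continuation fragment with header time only.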
@@ -0,0 +1,8 @@
+<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083407 1 0 2022-03-03 11:37:34.891 +00:00 0000083474 15008 DEBUG Policy: Evaluating Service Selection Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,
+<183>Mar 3 09:24:13 cisco-ise-host CISE_Policy_Diagnostics 0000082648 1 0 2022-03-03 09:24:13.235 +00:00 0000082715 15013 DEBUG Policy: Selected Identity Source, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CurrentIDStoreName=Internal Users, CPMSessionID=isehost:userauth20,
+<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083420 1 0 2022-03-03 11:37:34.958 +00:00 0000083487 15016 DEBUG Policy: Selected Authorization Profile, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,
+<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083417 1 0 2022-03-03 11:37:34.932 +00:00 0000083484 15036 DEBUG Policy: Evaluating Authorization Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, IdentityPolicyMatchedRule=MAB, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,
+<183>Mar 3 09:24:13 cisco-ise-host CISE_Policy_Diagnostics 0000082646 1 0 2022-03-03 09:24:13.233 +00:00 0000082713 15041 DEBUG Policy: Evaluating Identity Policy, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CPMSessionID=isehost:userauth20,
+<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083409 1 0 2022-03-03 11:37:34.900 +00:00 0000083476 15048 DEBUG Policy: Queried PIP, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=IdentityPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default,
+<183>Mar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083406 1 0 2022-03-03 11:37:34.890 +00:00 0000083473 15049 DEBUG Policy: Evaluating Policy Group, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,
+<183>Mar 28 11:23:25 cisco-ise-host CISE_Policy_Diagnostics 0000000129 2 1 SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=cisco-ise-host/437837646/2, CPMSessionID=cisco-ise-host:userauth2,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json
new file mode 100644
index 00000000000..5dc2a922e35
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json
@@ -0,0 +1,778 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-03T11:37:34.891Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/126" + } + }, + "category": { + "name": "CISE_Policy_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "message": { + "code": "15008", + "description": "Policy: Evaluating Service Selection Policy", + "id": "0000083407" + }, + "policy": { + "type": "ServiceSelectionPolicy" + }, + "request": { + "received_time": "2022-03-03T11:37:34.000Z" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "policy", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083407 1 0 2022-03-03 11:37:34.891 +00:00 0000083474 15008 DEBUG Policy: Evaluating Service Selection Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", + "sequence": 83474, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.891 +00:00 0000083474 15008 DEBUG Policy: Evaluating Service Selection Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", 
+ "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "92-09-00-00-00-01" + ] + } + }, + { + "@timestamp": "2022-03-03T09:24:13.235Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/115" + } + }, + "category": { + "name": "CISE_Policy_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth20" + } + }, + "currentid": { + "store_name": "Internal Users" + }, + "message": { + "code": "15013", + "description": "Policy: Selected Identity Source", + "id": "0000082648" + }, + "policy": { + "type": "IdentityPolicy" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } + } + }, + "client": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "policy", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:24:13 cisco-ise-host CISE_Policy_Diagnostics 0000082648 1 0 2022-03-03 09:24:13.235 +00:00 0000082715 15013 DEBUG Policy: Selected Identity Source, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CurrentIDStoreName=Internal Users, CPMSessionID=isehost:userauth20,", + "sequence": 82715, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:24:13.235 +00:00 0000082715 15013 DEBUG Policy: Selected Identity Source, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, 
AcsSessionID=isehost/435083133/115, CurrentIDStoreName=Internal Users, CPMSessionID=isehost:userauth20,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "test" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "test" + ] + } + }, + { + "@timestamp": "2022-03-03T11:37:34.958Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/126" + } + }, + "auth": { + "policy": { + "matched": { + "rule": "Hotspot" + } + } + }, + "category": { + "name": "CISE_Policy_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "identity": { + "policy": { + "matched": { + "rule": "MAB" + } + }, + "selection": { + "matched": { + "rule": "MAB" + } + } + }, + "ise": { + "policy": { + "set_name": "Default" + } + }, + "message": { + "code": "15016", + "description": "Policy: Selected Authorization Profile", + "id": "0000083420" + }, + "policy": { + "type": "RadiusAuthorizationPolicy" + }, + "request": { + "received_time": "2022-03-03T11:37:34.000Z" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + }, + "authorization": { + "profiles": "hotspot" + } + } + } + }, + "client": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "policy", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083420 1 0 2022-03-03 11:37:34.958 +00:00 0000083487 15016 DEBUG Policy: Selected Authorization Profile, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, 
SelectedAuthorizationProfiles=hotspot, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,", + "sequence": 83487, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.958 +00:00 0000083487 15016 DEBUG Policy: Selected Authorization Profile, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "92-09-00-00-00-01" + ] + } + }, + { + "@timestamp": "2022-03-03T11:37:34.932Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/126" + } + }, + "category": { + "name": "CISE_Policy_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "identity": { + "policy": { + "matched": { + "rule": "MAB" + } + }, + "selection": { + "matched": { + "rule": "MAB" + } + } + }, + "ise": { + "policy": { + "set_name": "Default" + } + }, + "message": { + "code": "15036", + "description": "Policy: Evaluating Authorization Policy", + 
"id": "0000083417" + }, + "policy": { + "type": "RadiusAuthorizationPolicy" + }, + "request": { + "received_time": "2022-03-03T11:37:34.000Z" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + } + } + }, + "client": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "policy", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083417 1 0 2022-03-03 11:37:34.932 +00:00 0000083484 15036 DEBUG Policy: Evaluating Authorization Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, IdentityPolicyMatchedRule=MAB, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,", + "sequence": 83484, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.932 +00:00 0000083484 15036 DEBUG Policy: Evaluating Authorization Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, IdentityPolicyMatchedRule=MAB, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143" 
+ ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "92-09-00-00-00-01" + ] + } + }, + { + "@timestamp": "2022-03-03T09:24:13.233Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/115" + } + }, + "category": { + "name": "CISE_Policy_Diagnostics" + }, + "config_version": { + "id": 1628 + }, + "cpm": { + "session": { + "id": "isehost:userauth20" + } + }, + "message": { + "code": "15041", + "description": "Policy: Evaluating Identity Policy", + "id": "0000082646" + }, + "policy": { + "type": "IdentityPolicy" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } + } + }, + "client": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "policy", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 09:24:13 cisco-ise-host CISE_Policy_Diagnostics 0000082646 1 0 2022-03-03 09:24:13.233 +00:00 0000082713 15041 DEBUG Policy: Evaluating Identity Policy, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CPMSessionID=isehost:userauth20,", + "sequence": 82713, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 09:24:13.233 +00:00 0000082713 15041 DEBUG Policy: Evaluating Identity Policy, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CPMSessionID=isehost:userauth20,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "test" + ] + }, + "tags": [ + 
"preserve_original_event" + ], + "user": { + "name": [ + "test" + ] + } + }, + { + "@timestamp": "2022-03-03T11:37:34.900Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/126" + } + }, + "category": { + "name": "CISE_Policy_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "ise": { + "policy": { + "set_name": "Default" + } + }, + "message": { + "code": "15048", + "description": "Policy: Queried PIP", + "id": "0000083409" + }, + "policy": { + "type": "IdentityPolicy" + }, + "request": { + "received_time": "2022-03-03T11:37:34.000Z" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + } + } + }, + "client": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "policy", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083409 1 0 2022-03-03 11:37:34.900 +00:00 0000083476 15048 DEBUG Policy: Queried PIP, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=IdentityPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default,", + "sequence": 83476, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.900 +00:00 0000083476 15048 DEBUG Policy: Queried PIP, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, 
PolicyType=IdentityPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "92-09-00-00-00-01" + ] + } + }, + { + "@timestamp": "2022-03-03T11:37:34.890Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "isehost/435083133/126" + } + }, + "category": { + "name": "CISE_Policy_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "message": { + "code": "15049", + "description": "Policy: Evaluating Policy Group", + "id": "0000083406" + }, + "policy": { + "type": "ServiceSelectionPolicy" + }, + "request": { + "received_time": "2022-03-03T11:37:34.000Z" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "policy", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083406 1 0 2022-03-03 11:37:34.890 +00:00 0000083473 15049 DEBUG Policy: Evaluating Policy Group, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", + "sequence": 83473, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": 
{ + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.890 +00:00 0000083473 15049 DEBUG Policy: Evaluating Policy Group, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "92-09-00-00-00-01" + ] + } + }, + { + "@timestamp": "2022-03-28T11:23:25.000Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/437837646/2" + } + }, + "category": { + "name": "CISE_Policy_Diagnostics" + }, + "cpm": { + "session": { + "id": "cisco-ise-host:userauth2" + } + }, + "message": { + "id": "0000000129" + }, + "policy": { + "type": "IdentityPolicy" + }, + "segment": { + "number": 1, + "total": 2 + }, + "selected": { + "access": { + "service": "AuthenticateUserAPI" + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 28 11:23:25 cisco-ise-host CISE_Policy_Diagnostics 0000000129 2 1 SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=cisco-ise-host/437837646/2, CPMSessionID=cisco-ise-host:userauth2,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 183 + } + }, + "message": "SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=cisco-ise-host/437837646/2, CPMSessionID=cisco-ise-host:userauth2,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
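Review bot: The last expected event's `"@timestamp": "2022-03-28T11:23:25.000Z"` carries a year that is not present anywhere in its source line (`<183>Mar 28 11:23:25 cisco-ise-host CISE_Policy_Diagnostics 0000000129 2 1 …`, a continuation segment with no body timestamp), so the year is presumably being filled in by the pipeline from the clock at generation time and this fixture will stop matching once it is regenerated in a later year. The posture-client-provisioning-audit expected file further down shows the same thing more starkly: the first segment of the message resolves to `2021-02-26T22:15:22.379Z` while its continuation resolves to `2022-02-26T22:15:22.000Z`, so the two halves of one message land a year apart. Either have the pipeline avoid trusting the yearless syslog header for segments that lack a body timestamp, or exclude `@timestamp` from the comparison for these cases via the pipeline test's dynamic-fields config, and add a short note in the fixture's sibling test config explaining which events are affected.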
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log
new file mode 100644
index 00000000000..85d429c1be7
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log
@@ -0,0 +1,2 @@
+<181>Feb 26 22:15:22 cisco-ise-host CISE_Posture_and_Client_Provisioning_Audit 0000000959 1 0 2021-02-26 22:15:22.379 +00:00 0000004348 87751 NOTICE EPS: Endpoint Protection Service has obtained the result of an operation, ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:81.2.69.145, OperationStatus=RUNNING, AdminName=abc@abc.com.com,
+<181>Feb 26 22:15:22 cisco-ise-host CISE_Posture_and_Client_Provisioning_Audit 0000000789 2 1 ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:81.2.69.144, OperationStatus=RUNNING, AdminName=xyz@xyz.com.com,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json
new file mode 100644
index 00000000000..9c067dc0e43
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json
@@ -0,0 +1,139 @@ +{ + "expected": [ + { + "@timestamp": "2021-02-26T22:15:22.379Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Posture_and_Client_Provisioning_Audit" + }, + "config_version": { + "id": 88 + }, + "message": { + "code": "87751", + "description": "EPS: Endpoint Protection Service has obtained the result of an operation", + "id": "0000000959" + }, + "operation": { + "id": "ise.securitydemo.net:1", + "status": "RUNNING", + "type": "CLEAR_POLICY_BY_IP:81.2.69.145" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "user": { + "name": "abc@abc.com.com" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eps", + "category": [ + "malware" + ], + "kind": "event", + "original": "\u003c181\u003eFeb 26 22:15:22 cisco-ise-host CISE_Posture_and_Client_Provisioning_Audit 0000000959 1 0 2021-02-26 22:15:22.379 +00:00 0000004348 87751 NOTICE EPS: Endpoint Protection Service has obtained the result of an operation, ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:81.2.69.145, OperationStatus=RUNNING, AdminName=abc@abc.com.com,", + "sequence": 4348, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2021-02-26 22:15:22.379 +00:00 0000004348 87751 NOTICE EPS: Endpoint Protection Service has obtained the result of an operation, ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:81.2.69.145, OperationStatus=RUNNING, AdminName=abc@abc.com.com,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "abc@abc.com.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-02-26T22:15:22.000Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Posture_and_Client_Provisioning_Audit" + }, + "config_version": { + 
"id": 88 + }, + "message": { + "id": "0000000789" + }, + "operation": { + "id": "ise.securitydemo.net:1", + "status": "RUNNING", + "type": "CLEAR_POLICY_BY_IP:81.2.69.144" + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "client": { + "user": { + "name": "xyz@xyz.com.com" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "malware" + ], + "kind": "event", + "original": "\u003c181\u003eFeb 26 22:15:22 cisco-ise-host CISE_Posture_and_Client_Provisioning_Audit 0000000789 2 1 ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:81.2.69.144, OperationStatus=RUNNING, AdminName=xyz@xyz.com.com,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 181 + } + }, + "message": "ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:81.2.69.144, OperationStatus=RUNNING, AdminName=xyz@xyz.com.com,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "user": [ + "xyz@xyz.com.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log new file mode 100644 index 00000000000..228b82d7bcd --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log 
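Review bot: Both expected events map the EPS (Endpoint Protection Service) operation to `"event.category": ["malware"]`, which looks like a questionable classification: the source records an administrative `CLEAR_POLICY_BY_IP` operation with an `AdminName`, not a malware detection, and ECS reserves the `malware` category for malware-related detections. A category such as `configuration` (already used for the policy-diagnostics events in this PR) or `iam`, with `event.type` `change`, would describe an admin clearing an endpoint policy more accurately and keep detection rules keyed on `event.category:malware` from firing on routine ISE operations. If `malware` is intentional, a comment in the pipeline next to the EPS branch stating why would help the next maintainer.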
@@ -0,0 +1,3 @@
+<182>Apr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC
+<182>Apr 27 11:18:08 tuv.w.xyz.com CISE_RADIUS_Accounting 0000142722 1 0 2020-04-27 11:18:08.144167 -08:00 0096217580 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=4, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, 
Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52=
+<182>Apr 27 11:18:08 tuv.w.xyz.com CISE_RADIUS_Accounting 0000142672 2 1 ConfigVersionId=35, Device IP Address=81.2.69.144, RequestLatency=8, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=17, Framed-IP-Address=89.160.20.112, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52=
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json
new file mode 100644
index 00000000000..8de554567bd
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json
@@ -0,0 +1,391 @@ +{ + "expected": [ + { + "@timestamp": "2020-04-27T11:11:47.028-08:00", + "cisco_ise": { + "log": { + "acct": { + "authentic": "RADIUS", + "session": { + "id": "00000000/d4:ca:6d:14:87:3b/20879" + }, + "status": { + "type": "Start" + } + }, + "acs": { + "session": { + "id": "hijk.xyz.com/176956368/1092777" + } + }, + "airespace": { + "wlan": { + "id": 1 + } + }, + "allowed_protocol": { + "matched": { + "rule": "Default" + } + }, + "called_station": { + "id": "00-24-97-69-7a-c0" + }, + "calling_station": { + "id": "d4-ca-6d-14-87-3b" + }, + "category": { + "name": "CISE_RADIUS_Accounting" + }, + "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", + "config_version": { + "id": 33 + }, + "cpm": { + "session": { + "id": "0a222bc0000000d123e111f0" + } + }, + "event": { + "timestamp": "2014-01-10T07:59:55.000Z" + }, + "framed": { + "ip": "89.160.20.112" + }, + "location": "Location#All Locations#SJC#WNBU", + "message": { + "code": "3000", + "description": "Radius-Accounting: RADIUS Accounting start request", + "id": "0000070618" + }, + "nas": { + "identifier": "Acme_fe:56:00", + "ip": "81.2.69.145", + "port": { + "number": 13, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#SJC#WNBU", + "Device Type#All Device Types#Wireless#WLC" + ], + "name": "WNBU-WLC1" + } + }, + "request": { + "latency": 6 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "step": [ + "11004", + "11017", + "15049", + "15008", + "15048", + "15048", + "15048", + "15004", + "15006", + "11005" + ], + "tunnel": { + "medium": { + "type": "(tag=0) 802" + }, + "private": { + "group_id": "(tag=0) 70" + }, + "type": "(tag=0) VLAN" + } + } + }, + "client": { + "ip": "81.2.69.145" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius-accounting", + "category": [ + "configuration" + ], + "kind": "event", + 
"original": "\u003c182\u003eApr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "sequence": 91827141, + "timezone": "-08:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "hijk.xyz.com" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, 
Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "related": { + "hosts": [ + "hijk.xyz.com" + ], + "ip": [ + "81.2.69.145", + "89.160.20.112" + ], + "user": [ + "nisehorrrrn" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "nisehorrrrn" + } + }, + { + "@timestamp": "2020-04-27T11:18:08.144-08:00", + "cisco_ise": { + "log": { + "acct": { + "authentic": "RADIUS", + "delay_time": 0, + "input": { + "octets": 43000, + "packets": 471 + }, + "output": { + "octets": 140998, + "packets": 262 + }, + "session": { + "id": "0000AAAA/5c:0a:5b:43:3f:79/24927", + "time": 209 + }, + "status": { + "type": "Stop" + }, + "terminate_cause": "User Request" + }, + "called_station": { + "id": "00-24-97-69-7a-c0" + }, + "calling_station": { + "id": "5c-0a-5b-43-3f-79" + }, + "category": { + "name": "CISE_RADIUS_Accounting" + }, + "class": "CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568", + "config_version": { + "id": 33 + }, + "framed": { + "ip": "89.160.20.112" + }, + "message": { + "code": "3001", + "description": "Radius-Accounting: RADIUS Accounting stop request", + "id": "0000142722" + }, + "nas": { + "identifier": 
"Cisco_fe:56:00", + "ip": "81.2.69.145", + "port": { + "number": 13 + } + }, + "network": { + "device": { + "name": "WNBU-WLC1" + } + }, + "request": { + "latency": 4 + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.145" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius-accounting", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eApr 27 11:18:08 tuv.w.xyz.com CISE_RADIUS_Accounting 0000142722 1 0 2020-04-27 11:18:08.144167 -08:00 0096217580 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=4, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52=", + "sequence": 96217580, + "timezone": "-08:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "tuv.w.xyz.com" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-04-27 11:18:08.144167 -08:00 0096217580 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=4, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, 
NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52=", + "related": { + "hosts": [ + "tuv.w.xyz.com" + ], + "ip": [ + "81.2.69.145", + "89.160.20.112" + ], + "user": [ + "businesskent" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "businesskent" + } + }, + { + "@timestamp": "2022-04-27T11:18:08.000Z", + "cisco_ise": { + "log": { + "acct": { + "authentic": "RADIUS", + "delay_time": 0, + "input": { + "octets": 43000, + "packets": 471 + }, + "output": { + "octets": 140998, + "packets": 262 + }, + "session": { + "id": "0000AAAA/5c:0a:5b:43:3f:79/24927", + "time": 209 + }, + "status": { + "type": "Stop" + }, + "terminate_cause": "User Request" + }, + "called_station": { + "id": "00-24-97-69-7a-c0" + }, + "calling_station": { + "id": "5c-0a-5b-43-3f-79" + }, + "category": { + "name": "CISE_RADIUS_Accounting" + }, + "class": "CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568", + "config_version": { + "id": 35 + }, + "framed": { + "ip": "89.160.20.112" + }, + "message": { + "id": "0000142672" + }, + "nas": { + "identifier": "Cisco_fe:56:00", + "ip": "81.2.69.145", + "port": { + "number": 17 + } + }, + "network": { + "device": { + "name": "WNBU-WLC1" + } + }, + "request": { + "latency": 8 + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "client": { + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eApr 27 11:18:08 tuv.w.xyz.com CISE_RADIUS_Accounting 0000142672 2 1 ConfigVersionId=35, Device IP Address=81.2.69.144, RequestLatency=8, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=17, 
Framed-IP-Address=89.160.20.112, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52=", + "type": [ + "info" + ] + }, + "host": { + "hostname": "tuv.w.xyz.com" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "ConfigVersionId=35, Device IP Address=81.2.69.144, RequestLatency=8, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=17, Framed-IP-Address=89.160.20.112, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52=", + "related": { + "hosts": [ + "tuv.w.xyz.com" + ], + "ip": [ + "81.2.69.144", + "81.2.69.145", + "89.160.20.112" + ], + "user": [ + "businesskent" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "businesskent" + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log new file mode 100644 index 00000000000..23c3728d01d --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log 
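Review bot: The continuation-segment event at the end of this hunk (`segment.number: 1`, `total: 2`) is expected at `"@timestamp": "2022-04-27T11:18:08.000Z"`, yet its `event.original` carries only the year-less syslog header `Apr 27 11:18:08` and no body timestamp, so the year looks to have been filled in from the clock when this file was generated and the expectation will stop matching once the year rolls over; the preceding full-segment event, by contrast, lands at `2020-04-27T11:18:08.144-08:00`. Either mark `@timestamp` as a dynamic field in this test's pipeline test config, or have the pipeline (outside this hunk) stamp continuation segments in a way that does not depend on the current year, which would also keep the segments of one message from landing in different years and offsets. On a separate point, `"category": ["configuration"]` with `"type": ["info"]` for RADIUS accounting start/stop requests is an odd fit under ECS 8.0; `session` with `start`/`end` is what session-oriented detections key on, if the pipeline authors agree with that mapping.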
@@ -0,0 +1,27 @@
+<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076010 1 0 2022-03-02 10:54:40.275 +00:00 0000076076 11001 DEBUG RADIUS: Received RADIUS Access-Request, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<183>Mar 3 11:37:34 cisco-ise-host CISE_RADIUS_Diagnostics 0000083421 1 0 2022-03-03 11:37:34.978 +00:00 0000083488 11002 DEBUG RADIUS: Returned RADIUS Access-Accept, ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, SelectedAccessService=Default Network Access, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.cdsys.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M&portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7&action=cwa&type=drw&token=65402552fb76ff96c08edaab722f880e; },
+<183>Mar 2 10:30:25 cisco-ise-host CISE_RADIUS_Diagnostics 0000075815 1 0 2022-03-02 10:30:25.393 +00:00 0000075881 11004 DEBUG RADIUS: Received RADIUS Accounting-Request, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, AcsSessionID=cisco-ise-host/435083133/79,
+<183>Mar 2 10:30:25 cisco-ise-host CISE_RADIUS_Diagnostics 0000075821 1 0 2022-03-02 10:30:25.398 +00:00 0000075887 11005 DEBUG RADIUS: Returned RADIUS Accounting-Response, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusPacketType=AccountingRequest, RadiusIdentifier=6, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/79, SelectedAccessService=Default Network Access, CPMSessionID=0a0009cc/2Fl2YA6dnR0d0WayxawhKg5MlkqPkPBGJbhvXrvHlo,
+<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076021 1 0 2022-03-02 10:54:40.278 +00:00 0000076087 11006 DEBUG RADIUS: Returned RADIUS Access-Challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, Response={RadiusPacketType=AccessChallenge; },
+<180>Feb 16 09:29:43 cisco-ise-host CISE_RADIUS_Diagnostics 0000004585 1 0 2021-03-16 09:29:43.770 +00:00 0000004680 11015 WARN RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=53985, DestinationIPAddress=81.2.69.144, DestinationPort=0073, RadiusIdentifier=13, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=89:aa:11:00:00:01, Acct-Status-Type=Stop, Acct-Session-Id=11000001, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/405244497/3,
+<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000075998 1 0 2022-03-02 10:54:40.194 +00:00 0000076064 11017 DEBUG RADIUS: RADIUS created a new session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83,
+<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076011 1 0 2022-03-02 10:54:40.275 +00:00 0000076077 11018 DEBUG RADIUS: RADIUS is re-using an existing session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<183>Mar 3 11:37:34 cisco-ise-host CISE_RADIUS_Diagnostics 0000083405 1 0 2022-03-03 11:37:34.890 +00:00 0000083472 11027 DEBUG RADIUS: Detected Host Lookup UseCase (Service-Type = Call Check (10)), ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,
+<180>Mar 3 09:40:42 cisco-ise-host CISE_RADIUS_Diagnostics 0000082784 1 0 2022-03-03 09:40:42.552 +00:00 0000082851 11036 WARN RADIUS: The Message-Authenticator RADIUS attribute is invalid, ConfigVersionId=1655, Device IP Address=81.2.69.143, Device Port=35893, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusIdentifier=2, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/120,
+<180>Mar 3 09:14:59 cisco-ise-host CISE_RADIUS_Diagnostics 0000082552 1 0 2022-03-03 09:14:59.500 +00:00 0000082619 11038 WARN RADIUS: RADIUS Accounting-Request header contains invalid Authenticator field, ConfigVersionId=1626, Device IP Address=81.2.69.143, Device Port=51906, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusIdentifier=4, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/107,
+<183>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000075999 1 0 2022-03-02 10:54:40.195 +00:00 0000076065 11117 DEBUG RADIUS: Generated a new session ID, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076002 1 0 2022-03-02 10:54:40.197 +00:00 0000076068 11507 INFO EAP: Extracted EAP-Response/Identity, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Feb 16 09:29:43 cisco-ise-host CISE_RADIUS_Diagnostics 0000004570 1 0 2021-03-16 09:29:43.648 +00:00 0000004648 11823 INFO EAP: EAP-MSCHAP authentication attempt failed, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=56430, DestinationIPAddress=81.2.69.144, DestinationPort=0072, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=employee1, NAS-IP-Address=81.2.69.144, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4\;36SessionID=cisco-ise-host/405244497/1\;, Session-Timeout=30, Calling-Station-ID=89-AA-11-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/405244497/1, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4, Response={AuthenticationResult=Failed; },
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076008 1 0 2022-03-02 10:54:40.265 +00:00 0000076074 12300 INFO EAP: Prepared EAP-Request proposing PEAP with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076007 1 0 2022-03-02 10:54:40.264 +00:00 0000076073 12301 INFO EAP: Extracted EAP-Response/NAK requesting to use PEAP instead, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076012 1 0 2022-03-02 10:54:40.275 +00:00 0000076078 12302 INFO EAP: Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076020 1 0 2022-03-02 10:54:40.277 +00:00 0000076086 12305 INFO EAP: Prepared EAP-Request with another PEAP challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076019 1 0 2022-03-02 10:54:40.277 +00:00 0000076085 12307 INFO EAP: PEAP authentication failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<180>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076018 1 0 2022-03-02 10:54:40.277 +00:00 0000076084 12309 WARN EAP: PEAP handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076013 1 0 2022-03-02 10:54:40.276 +00:00 0000076079 12318 INFO EAP: Successfully negotiated PEAP version 0, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076003 1 0 2022-03-02 10:54:40.198 +00:00 0000076069 12500 INFO EAP: Prepared EAP-Request proposing EAP-TLS with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076014 1 0 2022-03-02 10:54:40.276 +00:00 0000076080 12800 INFO EAP: Extracted first TLS record; TLS handshake started, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:53:10 cisco-ise-host CISE_RADIUS_Diagnostics 0000075982 1 0 2022-03-02 10:53:10.702 +00:00 0000076048 12805 INFO EAP: Extracted TLS ClientHello message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=48443, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4;29SessionID=cisco-ise-host/435083133/82;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/82, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076016 1 0 2022-03-02 10:54:40.276 +00:00 0000076082 12814 INFO EAP: Prepared TLS Alert message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076017 1 0 2022-03-02 10:54:40.276 +00:00 0000076083 12817 INFO EAP: TLS handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
+<182>Mar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076017 3 1 ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39817, DestinationIPAddress=81.2.69.144, DestinationPort=1892, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=20, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json
new file mode 100644
index 00000000000..0bed2cd3834
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json
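Review bot: The Access-Accept sample on the second line (code 11002) embeds a guest-portal redirect, `cisco-av-pair=url-redirect=https://cisco-ise-host.cdsys.local:8443/portal/gateway?sessionId=…&portal=77b653c9-…&token=65402552fb76ff96c08edaab722f880e`, whose `.cdsys.local` domain, portal UUID and token look captured from a real deployment rather than synthesized the way the `81.2.69.0/24` addresses and the `cisco-ise-host` name are; confirm these were scrubbed before the fixture is published. The 11015 and 11823 lines pair a `Feb 16` syslog header with a `2021-03-16` body timestamp, and the last line is a `3 1` continuation segment that reuses message id `0000076017` from the 12817 line but with a different segment total and port values; if both are deliberate (which timestamp wins, how an orphan segment is handled), a short note next to the fixture would keep a future maintainer from "correcting" them. The WARN lines 11036 (invalid Message-Authenticator) and 11038 (invalid Accounting-Request Authenticator) are the events a detection engineer will want to tell apart from the surrounding DEBUG/INFO traffic; their expected mapping is outside this hunk, so it is worth checking there that they do not collapse to the same `event.type` as the 11001 line.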
@@ -0,0 +1,3032 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-02T10:54:40.275Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "11001", + "description": "RADIUS: Received RADIUS Access-Request", + "id": "0000076010" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076010 1 0 2022-03-02 10:54:40.275 +00:00 0000076076 11001 DEBUG RADIUS: Received RADIUS Access-Request, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, 
NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76076, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-02 10:54:40.275 +00:00 0000076076 11001 DEBUG RADIUS: Received RADIUS Access-Request, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "testDevice1" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "testDevice1" + } + }, + { + "@timestamp": "2022-03-03T11:37:34.978Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/126" + } + }, + "airespace": { + "wlan": { + "id": 3 + } + }, + "calling_station": { + "id": "92:09:00:00:00:01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "log_details": "ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - 
IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, SelectedAccessService=Default Network Access, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.cdsys.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; }", + "message": { + "code": "11002", + "description": "RADIUS: Returned RADIUS Access-Accept", + "id": "0000083421" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 86, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 2, + "response": { + "AuthenticationResult": "UnknownUser", + "Class": "CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126", + "RadiusPacketType": "AccessAccept", + "cisco-av-pair": [ + "url-redirect-acl=REDIRECT", + "url-redirect=https://cisco-ise-host.cdsys.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e" + ] + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "usecase": "Host Lookup" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 35123 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host 
CISE_RADIUS_Diagnostics 0000083421 1 0 2022-03-03 11:37:34.978 +00:00 0000083488 11002 DEBUG RADIUS: Returned RADIUS Access-Accept, ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, SelectedAccessService=Default Network Access, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.cdsys.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; },", + "sequence": 83488, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.978 +00:00 0000083488 11002 DEBUG RADIUS: Returned RADIUS Access-Accept, ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, SelectedAccessService=Default Network Access, UseCase=Host Lookup, 
CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.cdsys.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "service": { + "type": "Call Check" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "92-09-00-00-00-01" + } + }, + { + "@timestamp": "2022-03-02T10:30:25.393Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/79" + } + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1381 + }, + "log_details": "ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, AcsSessionID=cisco-ise-host/435083133/79", + "message": { + "code": "11004", + "description": "RADIUS: Received RADIUS Accounting-Request", + "id": "0000075815" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 47730 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1813 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 2 10:30:25 cisco-ise-host CISE_RADIUS_Diagnostics 0000075815 1 0 2022-03-02 10:30:25.393 +00:00 0000075881 11004 DEBUG RADIUS: Received RADIUS Accounting-Request, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, 
DestinationPort=1813, AcsSessionID=cisco-ise-host/435083133/79,", + "sequence": 75881, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-02 10:30:25.393 +00:00 0000075881 11004 DEBUG RADIUS: Received RADIUS Accounting-Request, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, AcsSessionID=cisco-ise-host/435083133/79,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144", + "81.2.69.143" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-02T10:30:25.398Z", + "cisco_ise": { + "log": { + "acct": { + "session": { + "id": "00-00-01" + }, + "status": { + "type": "Stop" + } + }, + "acs": { + "session": { + "id": "cisco-ise-host/435083133/79" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1381 + }, + "cpm": { + "session": { + "id": "0a0009cc/2Fl2YA6dnR0d0WayxawhKg5MlkqPkPBGJbhvXrvHlo" + } + }, + "log_details": "ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusPacketType=AccountingRequest, RadiusIdentifier=6, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/79, SelectedAccessService=Default Network Access, CPMSessionID=0a0009cc/2Fl2YA6dnR0d0WayxawhKg5MlkqPkPBGJbhvXrvHlo", + "message": { + "code": "11005", + "description": "RADIUS: Returned RADIUS Accounting-Response", + "id": "0000075821" + }, + "nas": { + "port": { + "number": 86, + "type": "Ethernet" + } + }, + "radius": { + "packet": { + "type": "AccountingRequest" + } + }, + 
"radius_identifier": 6, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 47730 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1813 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 2 10:30:25 cisco-ise-host CISE_RADIUS_Diagnostics 0000075821 1 0 2022-03-02 10:30:25.398 +00:00 0000075887 11005 DEBUG RADIUS: Returned RADIUS Accounting-Response, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusPacketType=AccountingRequest, RadiusIdentifier=6, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/79, SelectedAccessService=Default Network Access, CPMSessionID=0a0009cc/2Fl2YA6dnR0d0WayxawhKg5MlkqPkPBGJbhvXrvHlo,", + "sequence": 75887, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-02 10:30:25.398 +00:00 0000075887 11005 DEBUG RADIUS: Returned RADIUS Accounting-Response, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusPacketType=AccountingRequest, RadiusIdentifier=6, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/79, SelectedAccessService=Default Network Access, CPMSessionID=0a0009cc/2Fl2YA6dnR0d0WayxawhKg5MlkqPkPBGJbhvXrvHlo,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144", + 
"81.2.69.143" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-02T10:54:40.278Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, Response={RadiusPacketType=AccessChallenge; }", + "message": { + "code": "11006", + "description": "RADIUS: Returned RADIUS Access-Challenge", + "id": "0000076021" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "openssl": { + "error": { + "message": "SSL alert: code=0x246=582 ; source=local ; type=fatal ; 
message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\"", + "stack": " 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "response": { + "RadiusPacketType": "AccessChallenge" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076021 1 0 2022-03-02 10:54:40.278 +00:00 0000076087 11006 DEBUG RADIUS: Returned RADIUS Access-Challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, Response={RadiusPacketType=AccessChallenge; },", + "sequence": 76087, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-02 10:54:40.278 +00:00 0000076087 11006 DEBUG RADIUS: Returned RADIUS Access-Challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, Response={RadiusPacketType=AccessChallenge; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": 
"Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2021-03-16T09:29:43.770Z", + "cisco_ise": { + "log": { + "acct": { + "session": { + "id": "11000001" + }, + "status": { + "type": "Stop" + } + }, + "acs": { + "session": { + "id": "cisco-ise-host/405244497/3" + } + }, + "calling_station": { + "id": "89:aa:11:00:00:01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 104 + }, + "log_details": "ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=53985, DestinationIPAddress=81.2.69.144, DestinationPort=0073, RadiusIdentifier=13, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=89:aa:11:00:00:01, Acct-Status-Type=Stop, Acct-Session-Id=11000001, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/405244497/3", + "message": { + "code": "11015", + "description": "RADIUS: An Access-Request MUST contain at least a NAS-IP-Address NAS-IPv6-Address, or a NAS-Identifier; Continue processing", + "id": "0000004585" + }, + "nas": { + "port": { + "number": 86, + "type": "Ethernet" + } + }, + "radius_identifier": 13, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.144", + "port": 53985 + }, + "destination": { + "ip": "81.2.69.144", + "port": 73 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "iam" + ], + "kind": "event", + "original": "\u003c180\u003eFeb 16 09:29:43 cisco-ise-host CISE_RADIUS_Diagnostics 0000004585 1 0 2021-03-16 09:29:43.770 +00:00 0000004680 11015 WARN RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=53985, DestinationIPAddress=81.2.69.144, DestinationPort=0073, RadiusIdentifier=13, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=89:aa:11:00:00:01, Acct-Status-Type=Stop, Acct-Session-Id=11000001, 
NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/405244497/3,", + "sequence": 4680, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "warn", + "syslog": { + "priority": 180, + "severity": { + "name": "warn" + } + } + }, + "message": "2021-03-16 09:29:43.770 +00:00 0000004680 11015 WARN RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=53985, DestinationIPAddress=81.2.69.144, DestinationPort=0073, RadiusIdentifier=13, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=89:aa:11:00:00:01, Acct-Status-Type=Stop, Acct-Session-Id=11000001, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/405244497/3,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-02T10:54:40.194Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83", + "message": { + "code": "11017", + "description": "RADIUS: RADIUS created a new session", + "id": "0000075998" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000075998 1 0 2022-03-02 10:54:40.194 +00:00 
0000076064 11017 DEBUG RADIUS: RADIUS created a new session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83,", + "sequence": 76064, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-02 10:54:40.194 +00:00 0000076064 11017 DEBUG RADIUS: RADIUS created a new session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144", + "81.2.69.143" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-02T10:54:40.275Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "11018", + "description": "RADIUS: RADIUS is re-using an existing session", + "id": "0000076011" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - 
IEEE 802.11" + } + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076011 1 0 2022-03-02 10:54:40.275 +00:00 0000076077 11018 DEBUG RADIUS: RADIUS is re-using an existing session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76077, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-02 10:54:40.275 +00:00 0000076077 11018 DEBUG RADIUS: RADIUS is re-using an existing session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "testDevice1" + ] + }, + "tags": [ + 
"preserve_original_event" + ], + "user": { + "name": "testDevice1" + } + }, + { + "@timestamp": "2022-03-03T11:37:34.890Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/126" + } + }, + "airespace": { + "wlan": { + "id": 3 + } + }, + "calling_station": { + "id": "92:09:00:00:00:01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1696 + }, + "cpm": { + "session": { + "id": "0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M" + } + }, + "log_details": "ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M", + "message": { + "code": "11027", + "description": "RADIUS: Detected Host Lookup UseCase (Service-Type = Call Check (10))", + "id": "0000083405" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 86, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 2, + "segment": { + "number": 0, + "total": 1 + }, + "usecase": "Host Lookup" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 35123 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "network" + ], + "kind": "event", + "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_RADIUS_Diagnostics 0000083405 1 0 2022-03-03 11:37:34.890 +00:00 0000083472 11027 DEBUG RADIUS: Detected Host Lookup UseCase (Service-Type = Call Check (10)), ConfigVersionId=1696, Device IP Address=81.2.69.143, 
Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", + "sequence": 83472, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-03 11:37:34.890 +00:00 0000083472 11027 DEBUG RADIUS: Detected Host Lookup UseCase (Service-Type = Call Check (10)), ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "92-09-00-00-00-01" + ] + }, + "service": { + "type": "Call Check" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "92-09-00-00-00-01" + } + }, + { + "@timestamp": "2022-03-03T09:40:42.552Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/120" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1655 + }, + "log_details": "ConfigVersionId=1655, Device IP Address=81.2.69.143, Device 
Port=35893, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusIdentifier=2, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/120", + "message": { + "code": "11036", + "description": "RADIUS: The Message-Authenticator RADIUS attribute is invalid", + "id": "0000082784" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius_identifier": 2, + "segment": { + "number": 0, + "total": 1 + }, + "session": { + "timeout": 30 + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 35893 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c180\u003eMar 3 09:40:42 cisco-ise-host CISE_RADIUS_Diagnostics 0000082784 1 0 2022-03-03 09:40:42.552 +00:00 0000082851 11036 WARN RADIUS: The Message-Authenticator RADIUS attribute is invalid, ConfigVersionId=1655, Device IP Address=81.2.69.143, Device Port=35893, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusIdentifier=2, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/120,", + "sequence": 82851, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "warn", + "syslog": { + "priority": 180, + "severity": { + "name": "warn" + } + } + }, + "message": "2022-03-03 09:40:42.552 +00:00 0000082851 11036 WARN RADIUS: The Message-Authenticator RADIUS attribute is invalid, ConfigVersionId=1655, Device IP Address=81.2.69.143, Device Port=35893, DestinationIPAddress=81.2.69.144, 
DestinationPort=1812, RadiusIdentifier=2, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/120,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "testDevice1" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "testDevice1" + } + }, + { + "@timestamp": "2022-03-03T09:14:59.500Z", + "cisco_ise": { + "log": { + "acct": { + "session": { + "id": "00-00-01" + }, + "status": { + "type": "Stop" + } + }, + "acs": { + "session": { + "id": "cisco-ise-host/435083133/107" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1626 + }, + "log_details": "ConfigVersionId=1626, Device IP Address=81.2.69.143, Device Port=51906, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusIdentifier=4, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/107", + "message": { + "code": "11038", + "description": "RADIUS: RADIUS Accounting-Request header contains invalid Authenticator field", + "id": "0000082552" + }, + "nas": { + "port": { + "number": 86, + "type": "Ethernet" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 51906 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1813 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c180\u003eMar 3 09:14:59 cisco-ise-host CISE_RADIUS_Diagnostics 0000082552 1 0 2022-03-03 09:14:59.500 +00:00 0000082619 11038 WARN 
RADIUS: RADIUS Accounting-Request header contains invalid Authenticator field, ConfigVersionId=1626, Device IP Address=81.2.69.143, Device Port=51906, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusIdentifier=4, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/107,", + "sequence": 82619, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "warn", + "syslog": { + "priority": 180, + "severity": { + "name": "warn" + } + } + }, + "message": "2022-03-03 09:14:59.500 +00:00 0000082619 11038 WARN RADIUS: RADIUS Accounting-Request header contains invalid Authenticator field, ConfigVersionId=1626, Device IP Address=81.2.69.143, Device Port=51906, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusIdentifier=4, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/107,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144", + "81.2.69.143" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-02T10:54:40.195Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 
802.11, AcsSessionID=cisco-ise-host/435083133/83", + "message": { + "code": "11117", + "description": "RADIUS: Generated a new session ID", + "id": "0000075999" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 2, + "segment": { + "number": 0, + "total": 1 + }, + "session": { + "timeout": 30 + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "session" + ], + "kind": "event", + "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000075999 1 0 2022-03-02 10:54:40.195 +00:00 0000076065 11117 DEBUG RADIUS: Generated a new session ID, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83,", + "sequence": 76065, + "timezone": "+00:00", + "type": [ + "info", + "start" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "debug", + "syslog": { + "priority": 183, + "severity": { + "name": "debug" + } + } + }, + "message": "2022-03-02 10:54:40.195 +00:00 0000076065 11117 DEBUG RADIUS: Generated a new session ID, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, 
AcsSessionID=cisco-ise-host/435083133/83,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.197Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "11507", + "description": "EAP: Extracted EAP-Response/Identity", + "id": "0000076002" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 2, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 
10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076002 1 0 2022-03-02 10:54:40.197 +00:00 0000076068 11507 INFO EAP: Extracted EAP-Response/Identity, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76068, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.197 +00:00 0000076068 11507 INFO EAP: Extracted EAP-Response/Identity, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2021-03-16T09:29:43.648Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/405244497/1" + } + }, + "calling_station": { + "id": "89-AA-11-00-00-01" + }, + "category": { + 
"name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 104 + }, + "cpm": { + "session": { + "id": "0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4" + } + }, + "detailed_info": "Invalid username or password specified Retry is allowed", + "eap": { + "authentication": "EAP-MSCHAPv2", + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=56430, DestinationIPAddress=81.2.69.144, DestinationPort=0072, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=employee1, NAS-IP-Address=81.2.69.144, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4\\;36SessionID=cisco-ise-host/405244497/1\\;, Session-Timeout=30, Calling-Station-ID=89-AA-11-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/405244497/1, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified Retry is allowed, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4, Response={AuthenticationResult=Failed; }", + "message": { + "code": "11823", + "description": "EAP: EAP-MSCHAP authentication attempt failed", + "id": "0000004570" + }, + "nas": { + "ip": "81.2.69.144", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 9, + "response": { + "AuthenticationResult": "Failed" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4\\;36SessionID=cisco-ise-host/405244497/1\\;" + } + }, + "client": { + "ip": "81.2.69.144", + "port": 56430 + }, + "destination": { + "ip": "81.2.69.144", + "port": 72 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + 
"category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eFeb 16 09:29:43 cisco-ise-host CISE_RADIUS_Diagnostics 0000004570 1 0 2021-03-16 09:29:43.648 +00:00 0000004648 11823 INFO EAP: EAP-MSCHAP authentication attempt failed, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=56430, DestinationIPAddress=81.2.69.144, DestinationPort=0072, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=employee1, NAS-IP-Address=81.2.69.144, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4\\;36SessionID=cisco-ise-host/405244497/1\\;, Session-Timeout=30, Calling-Station-ID=89-AA-11-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/405244497/1, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\\, Retry is allowed, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4, Response={AuthenticationResult=Failed; },", + "sequence": 4648, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2021-03-16 09:29:43.648 +00:00 0000004648 11823 INFO EAP: EAP-MSCHAP authentication attempt failed, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=56430, DestinationIPAddress=81.2.69.144, DestinationPort=0072, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=employee1, NAS-IP-Address=81.2.69.144, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4\\;36SessionID=cisco-ise-host/405244497/1\\;, Session-Timeout=30, Calling-Station-ID=89-AA-11-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/405244497/1, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or 
password specified\\, Retry is allowed, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4, Response={AuthenticationResult=Failed; },", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "employee1" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "employee1" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.265Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12300", + "description": "EAP: Prepared EAP-Request proposing PEAP with challenge", + "id": "0000076008" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 3, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": 
"64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076008 1 0 2022-03-02 10:54:40.265 +00:00 0000076074 12300 INFO EAP: Prepared EAP-Request proposing PEAP with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76074, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.265 +00:00 0000076074 12300 INFO EAP: Prepared EAP-Request proposing PEAP with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, 
NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.264Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12301", + "description": "EAP: Extracted EAP-Response/NAK requesting to use PEAP instead", + "id": "0000076007" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 3, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + 
"state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076007 1 0 2022-03-02 10:54:40.264 +00:00 0000076073 12301 INFO EAP: Extracted EAP-Response/NAK requesting to use PEAP instead, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76073, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.264 +00:00 0000076073 12301 INFO EAP: Extracted EAP-Response/NAK requesting to use PEAP instead, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, 
Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.275Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12302", + "description": "EAP: Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated", + "id": "0000076012" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 
+ }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076012 1 0 2022-03-02 10:54:40.275 +00:00 0000076078 12302 INFO EAP: Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76078, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.275 +00:00 0000076078 12302 INFO EAP: Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, 
NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.277Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 
reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12305", + "description": "EAP: Prepared EAP-Request with another PEAP challenge", + "id": "0000076020" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "openssl": { + "error": { + "message": "SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\"", + "stack": " 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076020 1 0 2022-03-02 10:54:40.277 +00:00 0000076086 12305 INFO EAP: Prepared EAP-Request with another PEAP challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, 
Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76086, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.277 +00:00 0000076086 12305 INFO EAP: Prepared EAP-Request with another PEAP challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 
func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.277Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, 
CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12307", + "description": "EAP: PEAP authentication failed", + "id": "0000076019" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "openssl": { + "error": { + "message": "SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\"", + "stack": " 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076019 1 0 2022-03-02 10:54:40.277 +00:00 0000076085 12307 INFO EAP: PEAP authentication failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, 
NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76085, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.277 +00:00 0000076085 12307 INFO EAP: PEAP authentication failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, 
CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.277Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12309", + "description": "EAP: PEAP handshake failed", + "id": "0000076018" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + 
"number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "openssl": { + "error": { + "message": "SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\"", + "stack": " 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c180\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076018 1 0 2022-03-02 10:54:40.277 +00:00 0000076084 12309 WARN EAP: PEAP handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol 
version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76084, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "warn", + "syslog": { + "priority": 180, + "severity": { + "name": "warn" + } + } + }, + "message": "2022-03-02 10:54:40.277 +00:00 0000076084 12309 WARN EAP: PEAP handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + 
"preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.276Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12318", + "description": "EAP: Successfully negotiated PEAP version 0", + "id": "0000076013" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + 
"authentication" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076013 1 0 2022-03-02 10:54:40.276 +00:00 0000076079 12318 INFO EAP: Successfully negotiated PEAP version 0, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76079, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.276 +00:00 0000076079 12318 INFO EAP: Successfully negotiated PEAP version 0, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] 
+ }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.198Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12500", + "description": "EAP: Prepared EAP-Request proposing EAP-TLS with challenge", + "id": "0000076003" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 2, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + } + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication", + "network" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076003 1 0 2022-03-02 10:54:40.198 +00:00 0000076069 12500 INFO EAP: Prepared 
EAP-Request proposing EAP-TLS with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76069, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.198 +00:00 0000076069 12500 INFO EAP: Prepared EAP-Request proposing EAP-TLS with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.276Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + 
"cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12800", + "description": "EAP: Extracted first TLS record; TLS handshake started", + "id": "0000076014" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "network" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076014 1 0 2022-03-02 10:54:40.276 +00:00 0000076080 12800 INFO EAP: Extracted first TLS record; TLS handshake started, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, 
RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76080, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.276 +00:00 0000076080 12800 INFO EAP: Extracted first TLS record; TLS handshake started, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:53:10.702Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/82" + } + }, + "calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + 
"name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=48443, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4;29SessionID=cisco-ise-host/435083133/82;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/82, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4", + "message": { + "code": "12805", + "description": "EAP: Extracted TLS ClientHello message", + "id": "0000075982" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4;29SessionID=cisco-ise-host/435083133/82;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 48443 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "network" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:53:10 cisco-ise-host CISE_RADIUS_Diagnostics 0000075982 1 0 2022-03-02 10:53:10.702 +00:00 0000076048 12805 INFO EAP: Extracted TLS ClientHello message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=48443, 
DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4;29SessionID=cisco-ise-host/435083133/82;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/82, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4,", + "sequence": 76048, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:53:10.702 +00:00 0000076048 12805 INFO EAP: Extracted TLS ClientHello message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=48443, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4;29SessionID=cisco-ise-host/435083133/82;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/82, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.276Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + "calling_station": { + "id": 
"00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12814", + "description": "EAP: Prepared TLS Alert message", + "id": "0000076016" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication", + "network" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076016 1 0 2022-03-02 10:54:40.276 +00:00 0000076082 12814 INFO EAP: Prepared TLS Alert message, ConfigVersionId=1383, Device IP 
Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76082, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.276 +00:00 0000076082 12814 INFO EAP: Prepared TLS Alert message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.276Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "cisco-ise-host/435083133/83" + } + }, + 
"calling_station": { + "id": "00-00-00-00-00-01" + }, + "category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "code": "12817", + "description": "EAP: TLS handshake failed", + "id": "0000076017" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 30 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39818 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1812 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "eap", + "category": [ + "authentication", + "network" + ], + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076017 1 0 2022-03-02 10:54:40.276 +00:00 0000076083 12817 INFO EAP: TLS handshake failed, ConfigVersionId=1383, 
Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76083, + "timezone": "+00:00", + "type": [ + "info", + "end" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-02 10:54:40.276 +00:00 0000076083 12817 INFO EAP: TLS handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + }, + { + "@timestamp": "2022-03-02T10:54:40.000Z", + "cisco_ise": { + "log": { + "calling_station": { + "id": "00-00-00-00-00-01" + }, + 
"category": { + "name": "CISE_RADIUS_Diagnostics" + }, + "config_version": { + "id": 1383 + }, + "cpm": { + "session": { + "id": "0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc" + } + }, + "eap": { + "tunnel": "PEAP" + }, + "log_details": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39817, DestinationIPAddress=81.2.69.144, DestinationPort=1892, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=20, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc", + "message": { + "id": "0000076017" + }, + "nas": { + "ip": "81.2.69.143", + "port": { + "number": 1, + "type": "Wireless - IEEE 802.11" + } + }, + "radius": { + "packet": { + "type": "AccessRequest" + } + }, + "radius_identifier": 4, + "segment": { + "number": 1, + "total": 3 + }, + "selected": { + "access": { + "service": "Default Network Access" + } + }, + "session": { + "timeout": 20 + }, + "state": "64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;" + } + }, + "client": { + "ip": "81.2.69.143", + "port": 39817 + }, + "destination": { + "ip": "81.2.69.144", + "port": 1892 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076017 3 1 ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39817, DestinationIPAddress=81.2.69.144, DestinationPort=1892, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, 
State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=20, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc," + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39817, DestinationIPAddress=81.2.69.144, DestinationPort=1892, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=20, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "USERNAME" + ] + }, + "service": { + "type": "Framed" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "USERNAME" + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log new file mode 100644 index 00000000000..298f59d119c --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log 
@@ -0,0 +1,6 @@
+<181>Mar 3 10:10:23 isehost CISE_System_Statistics 0000082933 1 0 2022-03-03 10:10:23.294 +00:00 0000082999 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1659, SysStatsUtilizationCpu=7.32%, SysStatsUtilizationNetwork=eth3: rcvd = 955455; sent = 0 ;rcvd_dropped = 124; sent_dropped = 0, SysStatsUtilizationNetwork=vethbbd4eb0a: rcvd = 0; sent = 70 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth09eb1105: rcvd = 70; sent = 140 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth2f7196e5: rcvd = 1506; sent = 1616 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=42.82%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=1% /tmp, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=19% /opt, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=19% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.65, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11987, ActiveSessionCount=-10,
+<181>Mar 3 10:11:58 81.2.69.143 CISE_System_Statistics 0000041100 1 0 2022-03-03 10:11:58.749 +00:00 0000041146 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=823, SysStatsAcsProcessHealth= Database Listener=running, PID: 10823; Database Server=running, number of processes: 77; Application Server=running, PID: 2290499; Profiler Database=running, PID: 2286839; ISE Indexing Engine=running, PID: 2301459; AD Connector=running, PID: 27766; M&T Session Database=running, PID: 2288787; M&T Log Processor=running, PID: 2311300; Certificate Authority Service=running, PID: 2312538; EST Service=running, PID: 2326338; SXP Engine Service=running, PID: 1753095; PassiveID WMI Service=running, PID: 2989686; PassiveID Syslog Service=running, PID: 2990191; PassiveID API Service=running, PID: 2990809; PassiveID Agent Service=running, PID: 2991433; PassiveID Endpoint Service=running, PID: 2991940; PassiveID SPAN Service=running, PID: 2992442; DHCP Server (dhcpd)=disabled; DNS Server (named)=disabled; ISE Messaging Service=running, PID: 2322856; ISE API Gateway Database Service=running, PID: 2291381; ISE API Gateway Service=running, PID: 2299091; Segmentation Policy Service=disabled; REST Auth Service=disabled; SSE Connector=disabled; Hermes (pxGrid Cloud Agent)=disabled,
+<181>Mar 3 10:08:59 isehost CISE_System_Statistics 0000082925 1 0 2022-03-03 10:08:59.797 +00:00 0000082992 70011 NOTICE System-Stats: ISE Counters, ConfigVersionId=1659, OperationCounters=Counter=16_MnTLogProcessorN:149,16_CAServiceN:41,16_CAServiceT:114946,16_MnTLogProcessorU:14,16_MnTLogProcessorT:720447,16_CAServiceU:2,17_vaEventsReceived:0,16_SyslogU:0,16_SyslogT:0,16_RMIT:0,16_RMIU:0,16_GuestN:0,17_threatEventsReceived:0,16_GuestU:0,16_GuestT:0,16_SyslogN:0,16_MisservicesU:0,4_HostName_Event_Fetch_FromAD:0,16_MisservicesT:0,16_MisservicesN:0,16_DBServerN:83,13_Protocol_Runtime_Context:-10,16_AdminWebappT:0,16_AdminWebappU:0,16_DBServerU:18,16_DBServerT:911373,16_JVMN:0,16_DBListenerU:0,16_AdminWebappN:0,16_DBListenerT:0,16_JVMT:0,16_BYODN:0,16_JVMU:0,16_BYODT:0,16_DBListenerN:0,16_BYODU:0,16_MessageQueueT:0,17_eventsReceived:0,16_MessageQueueU:0,4_Probe_Requests_Dropped:0,4_Probe_Requests_Received:0,4_ArpCache_InsertUpdate_Received:0,17_coaIssued:0,16_MessageQueueN:0,16_iowait:4,16_MnTSessionDBT:13624,16_MnTSessionDBU:0,16_TCNACMongoDBT:0,16_TCNACMongoDBU:0,16_MnTSessionDBN:18,16_TCNACMongoDBN:0,16_NSFN:0,16_ProfilerDatabaseN:4,16_ProfilerDatabaseT:83251,16_ProfilerDatabaseU:2,16_NSFU:0,16_NSFT:0,16_QuartzN:0,4_EndpointCache_InsertUpdate_Received:4,16_QuartzT:0,16_VADT:0,16_VADU:0,16_ProfilerN:0,16_ProfilerT:0,16_VADN:0,16_ProfilerU:0,16_VAServiceN:39,16_VAServiceU:10,16_RMIN:0,16_VAServiceT:531482,4_RadiusPacketsReceived:27,16_TCNACCoreU:0,16_TCNACCoreT:0,16_QuartzU:0,4_NMAP_ScanEvent_Query:0,16_TCNACCoreN:0,
+<181>Mar 10 09:11:50 isehost CISE_System_Statistics 0000038759 2 0 2022-03-10 09:11:50.030 +00:00 0000087130 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1596, SysStatsUtilizationCpu=6.59%, SysStatsUtilizationNetwork=vethdd5866ef: rcvd = 515119; sent = 343427 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=eth0: rcvd = 2098280; sent = 3063878 ;rcvd_dropped = 137; sent_dropped = 0, SysStatsUtilizationNetwork=veth0879da2f: rcvd = 99385; sent = 67337 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=cni-podman2: rcvd = 47440; sent = 50301 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=55.09%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=3% /tmp, SysStatsUtilizationDiskSpace=18% /opt, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=18% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0,
+<181>Mar 10 09:11:50 isehost CISE_System_Statistics 0000038759 2 1 AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.72, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11314, ActiveSessionCount=0,
+<181>Mar 16 02:34:02 isehost CISE_System_Statistics 0000001282 2 1 DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.62, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11079, ActiveSessionCount=0,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json
new file mode 100644
index 00000000000..d01a70cc346
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json
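Review bot: Lines 2 and 3 of this fixture carry name=value lists (`SysStatsAcsProcessHealth= Database Listener=running, PID: 10823; ...` and `OperationCounters=Counter=16_MnTLogProcessorN:149,...`) that the expected output in the next hunk turns into one object key per service or counter name, e.g. `"Hermes (pxGrid Cloud Agent)": "disabled"` and `"16_CAServiceN": "41"`, so the key set is whatever the appliance chooses to emit. Unless `cisco_ise.log.sysstats.acs.process.health` and `cisco_ise.log.operation_counters.counters` are mapped as `flattened` (or their parent object is `dynamic: false`), every new service or counter name becomes a new index field and the mapping grows without bound; the field definitions are not visible in these hunks, so this is a point to confirm rather than a known defect. The counter values are also kept as strings (`"41"`, `"-10"`), which rules out numeric aggregation on them; if they are meant to be graphed, the conversion would have to happen in the pipeline, which these hunks do not show.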
@@ -0,0 +1,602 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-03T10:10:23.294Z", + "cisco_ise": { + "log": { + "active_session": { + "count": -10 + }, + "average": { + "radius": { + "request": { + "latency": 0 + } + }, + "tacacs": { + "request": { + "latency": 0 + } + } + }, + "category": { + "name": "CISE_System_Statistics" + }, + "config_version": { + "id": 1659 + }, + "delta": { + "radius": { + "request": { + "count": 0 + } + }, + "tacacs": { + "request": { + "count": 0 + } + } + }, + "log_details": "ConfigVersionId=1659, SysStatsUtilizationCpu=7.32%, SysStatsUtilizationNetwork=eth3: rcvd = 955455; sent = 0 ;rcvd_dropped = 124; sent_dropped = 0, SysStatsUtilizationNetwork=vethbbd4eb0a: rcvd = 0; sent = 70 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth09eb1105: rcvd = 70; sent = 140 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth2f7196e5: rcvd = 1506; sent = 1616 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=42.82%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=1% /tmp, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=19% /opt, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=19% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.65, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11987, ActiveSessionCount=-10", + "message": { + "code": "70000", + "description": "System-Stats: ISE Utilization", + "id": "0000082933" + }, + "segment": { + "number": 0, + "total": 1 + }, + "sysstats": { + "cpu": { + "count": 4 + }, + "process_memory_mb": 11987, + "utilization": { + "cpu": 7.32, + "disk": { + "io": 0.03, + "space": [ + "12% /", + "1% /tmp", + "17% /boot", + "19% /opt", + "2% /storedconfig", + "19% /opt/podman/containers/storage/overlay" + ] + }, + "load_avg": 0.65, + "memory": 
42.82, + "network": [ + "eth3: rcvd = 955455; sent = 0 ;rcvd_dropped = 124; sent_dropped = 0", + "vethbbd4eb0a: rcvd = 0; sent = 70 ;rcvd_dropped = 0; sent_dropped = 0", + "veth09eb1105: rcvd = 70; sent = 140 ;rcvd_dropped = 0; sent_dropped = 0", + "veth2f7196e5: rcvd = 1506; sent = 1616 ;rcvd_dropped = 0; sent_dropped = 0" + ] + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": [ + "system-stats" + ], + "category": [ + "host" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 10:10:23 isehost CISE_System_Statistics 0000082933 1 0 2022-03-03 10:10:23.294 +00:00 0000082999 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1659, SysStatsUtilizationCpu=7.32%, SysStatsUtilizationNetwork=eth3: rcvd = 955455; sent = 0 ;rcvd_dropped = 124; sent_dropped = 0, SysStatsUtilizationNetwork=vethbbd4eb0a: rcvd = 0; sent = 70 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth09eb1105: rcvd = 70; sent = 140 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth2f7196e5: rcvd = 1506; sent = 1616 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=42.82%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=1% /tmp, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=19% /opt, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=19% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.65, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11987, ActiveSessionCount=-10,", + "sequence": 82999, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 10:10:23.294 +00:00 0000082999 70000 NOTICE System-Stats: ISE 
Utilization, ConfigVersionId=1659, SysStatsUtilizationCpu=7.32%, SysStatsUtilizationNetwork=eth3: rcvd = 955455; sent = 0 ;rcvd_dropped = 124; sent_dropped = 0, SysStatsUtilizationNetwork=vethbbd4eb0a: rcvd = 0; sent = 70 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth09eb1105: rcvd = 70; sent = 140 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth2f7196e5: rcvd = 1506; sent = 1616 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=42.82%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=1% /tmp, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=19% /opt, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=19% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.65, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11987, ActiveSessionCount=-10,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:11:58.749Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_System_Statistics" + }, + "config_version": { + "id": 823 + }, + "log_details": "ConfigVersionId=823, SysStatsAcsProcessHealth= Database Listener=running, PID: 10823; Database Server=running, number of processes: 77; Application Server=running, PID: 2290499; Profiler Database=running, PID: 2286839; ISE Indexing Engine=running, PID: 2301459; AD Connector=running, PID: 27766; M\u0026T Session Database=running, PID: 2288787; M\u0026T Log Processor=running, PID: 2311300; Certificate Authority Service=running, PID: 2312538; EST Service=running, PID: 2326338; SXP Engine Service=running, PID: 1753095; PassiveID WMI Service=running, PID: 2989686; PassiveID Syslog Service=running, PID: 2990191; PassiveID API Service=running, PID: 2990809; PassiveID Agent 
Service=running, PID: 2991433; PassiveID Endpoint Service=running, PID: 2991940; PassiveID SPAN Service=running, PID: 2992442; DHCP Server (dhcpd)=disabled; DNS Server (named)=disabled; ISE Messaging Service=running, PID: 2322856; ISE API Gateway Database Service=running, PID: 2291381; ISE API Gateway Service=running, PID: 2299091; Segmentation Policy Service=disabled; REST Auth Service=disabled; SSE Connector=disabled; Hermes (pxGrid Cloud Agent)=disabled", + "message": { + "code": "70001", + "description": "System-Stats: ISE Process Health", + "id": "0000041100" + }, + "segment": { + "number": 0, + "total": 1 + }, + "sysstats": { + "acs": { + "process": { + "health": { + "AD Connector": "running, PID: 27766", + "Application Server": "running, PID: 2290499", + "Certificate Authority Service": "running, PID: 2312538", + "DHCP Server (dhcpd)": "disabled", + "DNS Server (named)": "disabled", + "Database Listener": "running, PID: 10823", + "Database Server": "running, number of processes: 77", + "EST Service": "running, PID: 2326338", + "Hermes (pxGrid Cloud Agent)": "disabled", + "ISE API Gateway Database Service": "running, PID: 2291381", + "ISE API Gateway Service": "running, PID: 2299091", + "ISE Indexing Engine": "running, PID: 2301459", + "ISE Messaging Service": "running, PID: 2322856", + "M\u0026T Log Processor": "running, PID: 2311300", + "M\u0026T Session Database": "running, PID: 2288787", + "PassiveID API Service": "running, PID: 2990809", + "PassiveID Agent Service": "running, PID: 2991433", + "PassiveID Endpoint Service": "running, PID: 2991940", + "PassiveID SPAN Service": "running, PID: 2992442", + "PassiveID Syslog Service": "running, PID: 2990191", + "PassiveID WMI Service": "running, PID: 2989686", + "Profiler Database": "running, PID: 2286839", + "REST Auth Service": "disabled", + "SSE Connector": "disabled", + "SXP Engine Service": "running, PID: 1753095", + "Segmentation Policy Service": "disabled" + } + } + } + } + } + }, + "ecs": { + "version": 
"8.0.0" + }, + "event": { + "action": [ + "system-stats" + ], + "category": [ + "process" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 10:11:58 81.2.69.143 CISE_System_Statistics 0000041100 1 0 2022-03-03 10:11:58.749 +00:00 0000041146 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=823, SysStatsAcsProcessHealth= Database Listener=running, PID: 10823; Database Server=running, number of processes: 77; Application Server=running, PID: 2290499; Profiler Database=running, PID: 2286839; ISE Indexing Engine=running, PID: 2301459; AD Connector=running, PID: 27766; M\u0026T Session Database=running, PID: 2288787; M\u0026T Log Processor=running, PID: 2311300; Certificate Authority Service=running, PID: 2312538; EST Service=running, PID: 2326338; SXP Engine Service=running, PID: 1753095; PassiveID WMI Service=running, PID: 2989686; PassiveID Syslog Service=running, PID: 2990191; PassiveID API Service=running, PID: 2990809; PassiveID Agent Service=running, PID: 2991433; PassiveID Endpoint Service=running, PID: 2991940; PassiveID SPAN Service=running, PID: 2992442; DHCP Server (dhcpd)=disabled; DNS Server (named)=disabled; ISE Messaging Service=running, PID: 2322856; ISE API Gateway Database Service=running, PID: 2291381; ISE API Gateway Service=running, PID: 2299091; Segmentation Policy Service=disabled; REST Auth Service=disabled; SSE Connector=disabled; Hermes (pxGrid Cloud Agent)=disabled,", + "sequence": 41146, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "ip": "81.2.69.143" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 10:11:58.749 +00:00 0000041146 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=823, SysStatsAcsProcessHealth= Database Listener=running, PID: 10823; Database Server=running, number of processes: 77; Application Server=running, PID: 2290499; Profiler Database=running, PID: 2286839; ISE Indexing 
Engine=running, PID: 2301459; AD Connector=running, PID: 27766; M\u0026T Session Database=running, PID: 2288787; M\u0026T Log Processor=running, PID: 2311300; Certificate Authority Service=running, PID: 2312538; EST Service=running, PID: 2326338; SXP Engine Service=running, PID: 1753095; PassiveID WMI Service=running, PID: 2989686; PassiveID Syslog Service=running, PID: 2990191; PassiveID API Service=running, PID: 2990809; PassiveID Agent Service=running, PID: 2991433; PassiveID Endpoint Service=running, PID: 2991940; PassiveID SPAN Service=running, PID: 2992442; DHCP Server (dhcpd)=disabled; DNS Server (named)=disabled; ISE Messaging Service=running, PID: 2322856; ISE API Gateway Database Service=running, PID: 2291381; ISE API Gateway Service=running, PID: 2299091; Segmentation Policy Service=disabled; REST Auth Service=disabled; SSE Connector=disabled; Hermes (pxGrid Cloud Agent)=disabled,", + "related": { + "ip": [ + "81.2.69.143" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T10:08:59.797Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_System_Statistics" + }, + "config_version": { + "id": 1659 + }, + "log_details": "ConfigVersionId=1659, 
OperationCounters=Counter=16_MnTLogProcessorN:149,16_CAServiceN:41,16_CAServiceT:114946,16_MnTLogProcessorU:14,16_MnTLogProcessorT:720447,16_CAServiceU:2,17_vaEventsReceived:0,16_SyslogU:0,16_SyslogT:0,16_RMIT:0,16_RMIU:0,16_GuestN:0,17_threatEventsReceived:0,16_GuestU:0,16_GuestT:0,16_SyslogN:0,16_MisservicesU:0,4_HostName_Event_Fetch_FromAD:0,16_MisservicesT:0,16_MisservicesN:0,16_DBServerN:83,13_Protocol_Runtime_Context:-10,16_AdminWebappT:0,16_AdminWebappU:0,16_DBServerU:18,16_DBServerT:911373,16_JVMN:0,16_DBListenerU:0,16_AdminWebappN:0,16_DBListenerT:0,16_JVMT:0,16_BYODN:0,16_JVMU:0,16_BYODT:0,16_DBListenerN:0,16_BYODU:0,16_MessageQueueT:0,17_eventsReceived:0,16_MessageQueueU:0,4_Probe_Requests_Dropped:0,4_Probe_Requests_Received:0,4_ArpCache_InsertUpdate_Received:0,17_coaIssued:0,16_MessageQueueN:0,16_iowait:4,16_MnTSessionDBT:13624,16_MnTSessionDBU:0,16_TCNACMongoDBT:0,16_TCNACMongoDBU:0,16_MnTSessionDBN:18,16_TCNACMongoDBN:0,16_NSFN:0,16_ProfilerDatabaseN:4,16_ProfilerDatabaseT:83251,16_ProfilerDatabaseU:2,16_NSFU:0,16_NSFT:0,16_QuartzN:0,4_EndpointCache_InsertUpdate_Received:4,16_QuartzT:0,16_VADT:0,16_VADU:0,16_ProfilerN:0,16_ProfilerT:0,16_VADN:0,16_ProfilerU:0,16_VAServiceN:39,16_VAServiceU:10,16_RMIN:0,16_VAServiceT:531482,4_RadiusPacketsReceived:27,16_TCNACCoreU:0,16_TCNACCoreT:0,16_QuartzU:0,4_NMAP_ScanEvent_Query:0,16_TCNACCoreN:0", + "message": { + "code": "70011", + "description": "System-Stats: ISE Counters", + "id": "0000082925" + }, + "operation_counters": { + "counters": { + "13_Protocol_Runtime_Context": "-10", + "16_AdminWebappN": "0", + "16_AdminWebappT": "0", + "16_AdminWebappU": "0", + "16_BYODN": "0", + "16_BYODT": "0", + "16_BYODU": "0", + "16_CAServiceN": "41", + "16_CAServiceT": "114946", + "16_CAServiceU": "2", + "16_DBListenerN": "0", + "16_DBListenerT": "0", + "16_DBListenerU": "0", + "16_DBServerN": "83", + "16_DBServerT": "911373", + "16_DBServerU": "18", + "16_GuestN": "0", + "16_GuestT": "0", + "16_GuestU": "0", + "16_JVMN": 
"0", + "16_JVMT": "0", + "16_JVMU": "0", + "16_MessageQueueN": "0", + "16_MessageQueueT": "0", + "16_MessageQueueU": "0", + "16_MisservicesN": "0", + "16_MisservicesT": "0", + "16_MisservicesU": "0", + "16_MnTLogProcessorN": "149", + "16_MnTLogProcessorT": "720447", + "16_MnTLogProcessorU": "14", + "16_MnTSessionDBN": "18", + "16_MnTSessionDBT": "13624", + "16_MnTSessionDBU": "0", + "16_NSFN": "0", + "16_NSFT": "0", + "16_NSFU": "0", + "16_ProfilerDatabaseN": "4", + "16_ProfilerDatabaseT": "83251", + "16_ProfilerDatabaseU": "2", + "16_ProfilerN": "0", + "16_ProfilerT": "0", + "16_ProfilerU": "0", + "16_QuartzN": "0", + "16_QuartzT": "0", + "16_QuartzU": "0", + "16_RMIN": "0", + "16_RMIT": "0", + "16_RMIU": "0", + "16_SyslogN": "0", + "16_SyslogT": "0", + "16_SyslogU": "0", + "16_TCNACCoreN": "0", + "16_TCNACCoreT": "0", + "16_TCNACCoreU": "0", + "16_TCNACMongoDBN": "0", + "16_TCNACMongoDBT": "0", + "16_TCNACMongoDBU": "0", + "16_VADN": "0", + "16_VADT": "0", + "16_VADU": "0", + "16_VAServiceN": "39", + "16_VAServiceT": "531482", + "16_VAServiceU": "10", + "16_iowait": "4", + "17_coaIssued": "0", + "17_eventsReceived": "0", + "17_threatEventsReceived": "0", + "17_vaEventsReceived": "0", + "4_ArpCache_InsertUpdate_Received": "0", + "4_EndpointCache_InsertUpdate_Received": "4", + "4_HostName_Event_Fetch_FromAD": "0", + "4_NMAP_ScanEvent_Query": "0", + "4_Probe_Requests_Dropped": "0", + "4_Probe_Requests_Received": "0", + "4_RadiusPacketsReceived": "27" + } + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": [ + "system-stats" + ], + "category": [ + "host" + ], + "kind": "event", + "original": "\u003c181\u003eMar 3 10:08:59 isehost CISE_System_Statistics 0000082925 1 0 2022-03-03 10:08:59.797 +00:00 0000082992 70011 NOTICE System-Stats: ISE Counters, ConfigVersionId=1659, 
OperationCounters=Counter=16_MnTLogProcessorN:149,16_CAServiceN:41,16_CAServiceT:114946,16_MnTLogProcessorU:14,16_MnTLogProcessorT:720447,16_CAServiceU:2,17_vaEventsReceived:0,16_SyslogU:0,16_SyslogT:0,16_RMIT:0,16_RMIU:0,16_GuestN:0,17_threatEventsReceived:0,16_GuestU:0,16_GuestT:0,16_SyslogN:0,16_MisservicesU:0,4_HostName_Event_Fetch_FromAD:0,16_MisservicesT:0,16_MisservicesN:0,16_DBServerN:83,13_Protocol_Runtime_Context:-10,16_AdminWebappT:0,16_AdminWebappU:0,16_DBServerU:18,16_DBServerT:911373,16_JVMN:0,16_DBListenerU:0,16_AdminWebappN:0,16_DBListenerT:0,16_JVMT:0,16_BYODN:0,16_JVMU:0,16_BYODT:0,16_DBListenerN:0,16_BYODU:0,16_MessageQueueT:0,17_eventsReceived:0,16_MessageQueueU:0,4_Probe_Requests_Dropped:0,4_Probe_Requests_Received:0,4_ArpCache_InsertUpdate_Received:0,17_coaIssued:0,16_MessageQueueN:0,16_iowait:4,16_MnTSessionDBT:13624,16_MnTSessionDBU:0,16_TCNACMongoDBT:0,16_TCNACMongoDBU:0,16_MnTSessionDBN:18,16_TCNACMongoDBN:0,16_NSFN:0,16_ProfilerDatabaseN:4,16_ProfilerDatabaseT:83251,16_ProfilerDatabaseU:2,16_NSFU:0,16_NSFT:0,16_QuartzN:0,4_EndpointCache_InsertUpdate_Received:4,16_QuartzT:0,16_VADT:0,16_VADU:0,16_ProfilerN:0,16_ProfilerT:0,16_VADN:0,16_ProfilerU:0,16_VAServiceN:39,16_VAServiceU:10,16_RMIN:0,16_VAServiceT:531482,4_RadiusPacketsReceived:27,16_TCNACCoreU:0,16_TCNACCoreT:0,16_QuartzU:0,4_NMAP_ScanEvent_Query:0,16_TCNACCoreN:0,", + "sequence": 82992, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-03 10:08:59.797 +00:00 0000082992 70011 NOTICE System-Stats: ISE Counters, ConfigVersionId=1659, 
OperationCounters=Counter=16_MnTLogProcessorN:149,16_CAServiceN:41,16_CAServiceT:114946,16_MnTLogProcessorU:14,16_MnTLogProcessorT:720447,16_CAServiceU:2,17_vaEventsReceived:0,16_SyslogU:0,16_SyslogT:0,16_RMIT:0,16_RMIU:0,16_GuestN:0,17_threatEventsReceived:0,16_GuestU:0,16_GuestT:0,16_SyslogN:0,16_MisservicesU:0,4_HostName_Event_Fetch_FromAD:0,16_MisservicesT:0,16_MisservicesN:0,16_DBServerN:83,13_Protocol_Runtime_Context:-10,16_AdminWebappT:0,16_AdminWebappU:0,16_DBServerU:18,16_DBServerT:911373,16_JVMN:0,16_DBListenerU:0,16_AdminWebappN:0,16_DBListenerT:0,16_JVMT:0,16_BYODN:0,16_JVMU:0,16_BYODT:0,16_DBListenerN:0,16_BYODU:0,16_MessageQueueT:0,17_eventsReceived:0,16_MessageQueueU:0,4_Probe_Requests_Dropped:0,4_Probe_Requests_Received:0,4_ArpCache_InsertUpdate_Received:0,17_coaIssued:0,16_MessageQueueN:0,16_iowait:4,16_MnTSessionDBT:13624,16_MnTSessionDBU:0,16_TCNACMongoDBT:0,16_TCNACMongoDBU:0,16_MnTSessionDBN:18,16_TCNACMongoDBN:0,16_NSFN:0,16_ProfilerDatabaseN:4,16_ProfilerDatabaseT:83251,16_ProfilerDatabaseU:2,16_NSFU:0,16_NSFT:0,16_QuartzN:0,4_EndpointCache_InsertUpdate_Received:4,16_QuartzT:0,16_VADT:0,16_VADU:0,16_ProfilerN:0,16_ProfilerT:0,16_VADN:0,16_ProfilerU:0,16_VAServiceN:39,16_VAServiceU:10,16_RMIN:0,16_VAServiceT:531482,4_RadiusPacketsReceived:27,16_TCNACCoreU:0,16_TCNACCoreT:0,16_QuartzU:0,4_NMAP_ScanEvent_Query:0,16_TCNACCoreN:0,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-10T09:11:50.030Z", + "cisco_ise": { + "log": { + "average": { + "radius": { + "request": { + "latency": 0 + } + } + }, + "category": { + "name": "CISE_System_Statistics" + }, + "config_version": { + "id": 1596 + }, + "log_details": "ConfigVersionId=1596, SysStatsUtilizationCpu=6.59%, SysStatsUtilizationNetwork=vethdd5866ef: rcvd = 515119; sent = 343427 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=eth0: rcvd = 2098280; sent = 3063878 ;rcvd_dropped = 137; sent_dropped = 0, 
SysStatsUtilizationNetwork=veth0879da2f: rcvd = 99385; sent = 67337 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=cni-podman2: rcvd = 47440; sent = 50301 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=55.09%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=3% /tmp, SysStatsUtilizationDiskSpace=18% /opt, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=18% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0", + "message": { + "code": "70000", + "description": "System-Stats: ISE Utilization", + "id": "0000038759" + }, + "segment": { + "number": 0, + "total": 2 + }, + "sysstats": { + "utilization": { + "cpu": 6.59, + "disk": { + "io": 0.03, + "space": [ + "12% /", + "3% /tmp", + "18% /opt", + "17% /boot", + "2% /storedconfig", + "18% /opt/podman/containers/storage/overlay" + ] + }, + "memory": 55.09, + "network": [ + "vethdd5866ef: rcvd = 515119; sent = 343427 ;rcvd_dropped = 0; sent_dropped = 0", + "eth0: rcvd = 2098280; sent = 3063878 ;rcvd_dropped = 137; sent_dropped = 0", + "veth0879da2f: rcvd = 99385; sent = 67337 ;rcvd_dropped = 0; sent_dropped = 0", + "cni-podman2: rcvd = 47440; sent = 50301 ;rcvd_dropped = 0; sent_dropped = 0" + ] + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": [ + "system-stats" + ], + "category": [ + "host" + ], + "kind": "event", + "original": "\u003c181\u003eMar 10 09:11:50 isehost CISE_System_Statistics 0000038759 2 0 2022-03-10 09:11:50.030 +00:00 0000087130 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1596, SysStatsUtilizationCpu=6.59%, SysStatsUtilizationNetwork=vethdd5866ef: rcvd = 515119; sent = 343427 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=eth0: rcvd = 2098280; sent = 3063878 ;rcvd_dropped = 137; sent_dropped = 0, SysStatsUtilizationNetwork=veth0879da2f: rcvd = 99385; sent = 67337 ;rcvd_dropped = 
0; sent_dropped = 0, SysStatsUtilizationNetwork=cni-podman2: rcvd = 47440; sent = 50301 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=55.09%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=3% /tmp, SysStatsUtilizationDiskSpace=18% /opt, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=18% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0,", + "sequence": 87130, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-10 09:11:50.030 +00:00 0000087130 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1596, SysStatsUtilizationCpu=6.59%, SysStatsUtilizationNetwork=vethdd5866ef: rcvd = 515119; sent = 343427 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=eth0: rcvd = 2098280; sent = 3063878 ;rcvd_dropped = 137; sent_dropped = 0, SysStatsUtilizationNetwork=veth0879da2f: rcvd = 99385; sent = 67337 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=cni-podman2: rcvd = 47440; sent = 50301 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=55.09%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=3% /tmp, SysStatsUtilizationDiskSpace=18% /opt, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=18% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-10T09:11:50.000Z", + "cisco_ise": { + "log": { + "active_session": { + "count": 0 + }, + "average": { + "tacacs": { + "request": { + "latency": 0 + } + } + }, + "category": { + "name": 
"CISE_System_Statistics" + }, + "delta": { + "radius": { + "request": { + "count": 0 + } + }, + "tacacs": { + "request": { + "count": 0 + } + } + }, + "log_details": "AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.72, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11314, ActiveSessionCount=0", + "message": { + "id": "0000038759" + }, + "segment": { + "number": 1, + "total": 2 + }, + "sysstats": { + "cpu": { + "count": 4 + }, + "process_memory_mb": 11314, + "utilization": { + "load_avg": 0.72 + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": [ + "system-stats" + ], + "kind": "event", + "original": "\u003c181\u003eMar 10 09:11:50 isehost CISE_System_Statistics 0000038759 2 1 AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.72, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11314, ActiveSessionCount=0,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "syslog": { + "priority": 181 + } + }, + "message": "AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.72, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11314, ActiveSessionCount=0,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-16T02:34:02.000Z", + "cisco_ise": { + "log": { + "active_session": { + "count": 0 + }, + "category": { + "name": "CISE_System_Statistics" + }, + "delta": { + "radius": { + "request": { + "count": 0 + } + }, + "tacacs": { + "request": { + "count": 0 + } + } + }, + "log_details": "DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.62, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11079, ActiveSessionCount=0", + "message": { + "id": "0000001282" + }, + "segment": { + "number": 1, + "total": 2 + }, + "sysstats": { + "cpu": { + "count": 4 + }, 
+ "process_memory_mb": 11079, + "utilization": { + "load_avg": 0.62 + } + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": [ + "system-stats" + ], + "kind": "event", + "original": "\u003c181\u003eMar 16 02:34:02 isehost CISE_System_Statistics 0000001282 2 1 DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.62, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11079, ActiveSessionCount=0,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "syslog": { + "priority": 181 + } + }, + "message": "DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.62, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11079, ActiveSessionCount=0,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log new file mode 100644 index 00000000000..7fc9c49a99f --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log 
@@ -0,0 +1,4 @@ +<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; } +<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415636 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AcctRequest-Flags=Start, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954422, SelectedAccessService=Device Admin - TACACS, Step=13006, 
Step=15049, Step=15008, Step=15048, Step=22083, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting647817909, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; } +<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415932 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AVPair=disc-cause=1, AVPair=disc-cause-ext=9, AVPair=pre-session-time=0, AVPair=elapsed_time=127, AVPair=stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting2791676098, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device 
Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;} +<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 1 ConfigVersionId=1856, Device IP Address=81.2.69.144, RequestLatency=6, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AVPair=disc-cause=1, AVPair=disc-cause-ext=9, AVPair=pre-session-time=0, AVPair=elapsed_time=127, AVPair=stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;} diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json new file mode 100644 index 00000000000..9e524208296 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json 
@@ -0,0 +1,621 @@ +{ + "expected": [ + { + "@timestamp": "2020-02-21T19:13:08.328Z", + "cisco_ise": { + "log": { + "acct": { + "request": { + "flags": "Stop" + } + }, + "acs": { + "session": { + "id": "ldnnacpsn1/359344348/952729" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": 2962, + "timezone": "GMT" + }, + "category": { + "name": "CISE_TACACS_Accounting" + }, + "cmdset": "[ CmdAV=show mac-address-table \u003ccr\u003e ]", + "config_version": { + "id": 1829 + }, + "cpm": { + "session": { + "id": "81.2.69.144Accounting306034364" + } + }, + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] + }, + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], + "message": { + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" + ], + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] + } + }, + "port": "tty10", + "privilege": { + "level": 15 + }, + "request": { + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" + }, + "segment": { + "number": 0, + "total": 4 + }, + "selected": { + "access": { + "service": "Device Admin - TACACS" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, + "step": [ + "13006", + "15049", + "15008", + "15048", + "13035" + ], + "type": "Accounting" + } + }, + "client": { + "ip": "81.2.69.144" + }, + "destination": { + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "tacacs-accounting", + "category": [ + "configuration" + ], + "kind": "event", + 
"original": "\u003c182\u003eFeb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415781, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, 
Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=2962, AVPair.timezone=GMT, AVPair.start_time=1585185432, AVPair.priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "psxvne" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "psxvne" + } + }, + { + "@timestamp": "2020-02-21T19:13:08.328Z", + "cisco_ise": { + "log": { + "acct": { + "request": { + "flags": "Start" + } + }, + "acs": { + "session": { + "id": "ldnnacpsn1/359344348/954422" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "start_time": "2020-03-26T11:30:45.000Z", + "task_id": 35585, + "timezone": "GMT" + }, + "category": { + "name": "CISE_TACACS_Accounting" + }, + "config_version": { + "id": 1829 + }, + "cpm": { + "session": { + "id": "81.2.69.144Accounting647817909" + } + }, + "device": { + "type": [ + "Device Type#All Device Types#Switches", + "Device Type#All Device Types#Switches" + ] + }, + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": "Location#All Locations#EMEA", + "message": { + "code": "3301", + "description": "Tacacs-Accounting: TACACS+ Accounting START", 
+ "id": "0000000001" + }, + "model": { + "name": "Unknown" + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#EMEA", + "Device Type#All Device Types#Switches", + "IPSEC#Is IPSEC Device" + ], + "name": "LDNBuildSW1", + "profile": "Cisco" + } + }, + "port": "tty2", + "privilege": { + "level": 15 + }, + "request": { + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" + }, + "segment": { + "number": 0, + "total": 4 + }, + "selected": { + "access": { + "service": "Device Admin - TACACS" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, + "step": [ + "13006", + "15049", + "15008", + "15048", + "22083", + "13035" + ], + "type": "Accounting" + } + }, + "client": { + "ip": "81.2.69.144" + }, + "destination": { + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "tacacs-accounting", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eFeb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415636 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AcctRequest-Flags=Start, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954422, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22083, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting647817909, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All 
Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415636, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415636 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=35585, AVPair.timezone=GMT, AVPair.start_time=1585222245, AcctRequest-Flags=Start, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954422, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22083, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting647817909, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "psxlms" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "psxlms" + } + }, + { + "@timestamp": "2020-02-21T19:13:08.328Z", + "cisco_ise": { + "log": { + "acct": { + "request": { + "flags": "Stop" + } + }, 
+ "acs": { + "session": { + "id": "ldnnacpsn1/359344348/954446" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "disc": { + "cause": 1, + "cause_ext": 9 + }, + "elapsed_time": 127, + "pre_session_time": 0, + "start_time": "2020-03-26T11:30:45.000Z", + "stop_time": "2020-03-26T11:32:52.000Z", + "task_id": 35585, + "timezone": "GMT" + }, + "category": { + "name": "CISE_TACACS_Accounting" + }, + "config_version": { + "id": 1829 + }, + "cpm": { + "session": { + "id": "81.2.69.144Accounting2791676098" + } + }, + "device": { + "type": [ + "Device Type#All Device Types#Switches", + "Device Type#All Device Types#Switches" + ] + }, + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], + "message": { + "code": "3302", + "description": "Tacacs-Accounting: TACACS+ Accounting STOP", + "id": "0000000001" + }, + "model": { + "name": [ + "Unknown", + "Unknown" + ] + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#EMEA", + "Device Type#All Device Types#Switches", + "IPSEC#Is IPSEC Device" + ], + "name": "LDNBuildSW1", + "profile": [ + "Cisco", + "Cisco" + ] + } + }, + "port": "tty2", + "privilege": { + "level": 1 + }, + "request": { + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" + }, + "segment": { + "number": 0, + "total": 4 + }, + "selected": { + "access": { + "service": "Device Admin - TACACS" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": [ + "Unknown", + "Unknown" + ] + }, + "step": [ + "13006", + "15049", + "15008", + "15048", + "22084", + "13035" + ], + "type": "Accounting" + } + }, + "client": { + "ip": "81.2.69.144" + }, + "destination": { + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "tacacs-accounting", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eFeb 21 19:13:08 cisco-ise-host 
CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415932 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AVPair=disc-cause=1, AVPair=disc-cause-ext=9, AVPair=pre-session-time=0, AVPair=elapsed_time=127, AVPair=stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting2791676098, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;}", + "sequence": 18415932, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415932 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, 
Authen-Method=TacacsPlus, AVPair.task_id=35585, AVPair.timezone=GMT, AVPair.start_time=1585222245, AVPair.disc-cause=1, AVPair.disc-cause-ext=9, AVPair.pre-session-time=0, AVPair.elapsed_time=127, AVPair.stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting2791676098, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;}", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "psxlms" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "psxlms" + } + }, + { + "@timestamp": "2022-02-21T19:13:08.000Z", + "cisco_ise": { + "log": { + "acct": { + "request": { + "flags": "Stop" + } + }, + "acs": { + "session": { + "id": "ldnnacpsn1/359344348/954446" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "disc": { + "cause": 1, + "cause_ext": 9 + }, + "elapsed_time": 127, + "pre_session_time": 0, + "start_time": "2020-03-26T11:30:45.000Z", + "stop_time": "2020-03-26T11:32:52.000Z", + "task_id": 35585, + "timezone": "GMT" + }, + "category": { + "name": "CISE_TACACS_Accounting" + }, + "config_version": { + "id": 1856 + }, + "device": { + "type": "Device Type#All Device Types#Switches" + }, + "ipsec": "IPSEC#Is IPSEC Device", + "location": 
"Location#All Locations#EMEA", + "message": { + "id": "0000000001" + }, + "model": { + "name": "Unknown" + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#EMEA", + "Device Type#All Device Types#Switches", + "IPSEC#Is IPSEC Device" + ], + "name": "LDNBuildSW1", + "profile": "Cisco" + } + }, + "port": "tty2", + "privilege": { + "level": 1 + }, + "request": { + "latency": 6 + }, + "response": { + "AcctReply-Status": "Success" + }, + "segment": { + "number": 1, + "total": 4 + }, + "selected": { + "access": { + "service": "Device Admin - TACACS" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, + "step": [ + "13006", + "15049", + "15008", + "15048", + "22084", + "13035" + ], + "type": "Accounting" + } + }, + "client": { + "ip": "81.2.69.144" + }, + "destination": { + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eFeb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 1 ConfigVersionId=1856, Device IP Address=81.2.69.144, RequestLatency=6, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AVPair=disc-cause=1, AVPair=disc-cause-ext=9, AVPair=pre-session-time=0, AVPair=elapsed_time=127, AVPair=stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, 
Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;}", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 182 + } + }, + "message": "ConfigVersionId=1856, Device IP Address=81.2.69.144, RequestLatency=6, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=35585, AVPair.timezone=GMT, AVPair.start_time=1585222245, AVPair.disc-cause=1, AVPair.disc-cause-ext=9, AVPair.pre-session-time=0, AVPair.elapsed_time=127, AVPair.stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;}", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "psxlms" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "psxlms" + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log new file mode 100644 index 00000000000..b39726f7a14 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log 
@@ -0,0 +1,4 @@
+<182>Mar 16 06:41:58 cisco-ise-host CISE_Threat_Centric_NAC 0000001923 1 0 2021-03-16 06:41:58.957 +00:00 0000001966 91004 INFO IRF: Started adapter instance, ConfigVersionId=86, Details=Adapter Karnataka status/connectivity changed, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active,
+<179>Mar 16 06:42:55 cisco-ise-host CISE_Threat_Centric_NAC 0000001938 1 0 2021-03-16 06:42:55.540 +00:00 0000001981 91018 ERROR IRF: Adapter connection failed, ConfigVersionId=86, Details=Adapter cannot connect to the server. Ensure that the server is reachable, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active, Connectivity=Disconnected,
+<180>Mar 3 00:02:46 isehost CISE_Threat_Centric_NAC 0000038251 1 0 2022-03-03 00:02:46.341 +00:00 0000038297 91110 WARN RADIUS: One or more Active Directory diagnostic tests failed during a scheduled run., ConfigVersionId=749,
+<180>Mar 3 00:02:46 isehost CISE_Threat_Centric_NAC 0000038251 2 1 ConfigVersionId=749,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json
new file mode 100644
index 00000000000..6fac46667c1
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json
@@ -0,0 +1,241 @@ +{ + "expected": [ + { + "@timestamp": "2021-03-16T06:41:58.957Z", + "cisco_ise": { + "log": { + "adapter_instance": { + "name": "Karnataka", + "uuid": "1cb1a7e3-324a-4258-ab0e-5ce429589987" + }, + "category": { + "name": "CISE_Threat_Centric_NAC" + }, + "config_version": { + "id": 86 + }, + "details": "Adapter Karnataka status/connectivity changed", + "message": { + "code": "91004", + "description": "IRF: Started adapter instance", + "id": "0000001923" + }, + "segment": { + "number": 0, + "total": 1 + }, + "status": "Active" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "irf", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c182\u003eMar 16 06:41:58 cisco-ise-host CISE_Threat_Centric_NAC 0000001923 1 0 2021-03-16 06:41:58.957 +00:00 0000001966 91004 INFO IRF: Started adapter instance, ConfigVersionId=86, Details=Adapter Karnataka status/connectivity changed, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active,", + "sequence": 1966, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182, + "severity": { + "name": "info" + } + } + }, + "message": "2021-03-16 06:41:58.957 +00:00 0000001966 91004 INFO IRF: Started adapter instance, ConfigVersionId=86, Details=Adapter Karnataka status/connectivity changed, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-03-16T06:42:55.540Z", + "cisco_ise": { + "log": { + "adapter_instance": { + "name": "Karnataka", + "uuid": "1cb1a7e3-324a-4258-ab0e-5ce429589987" + }, + "category": { + "name": "CISE_Threat_Centric_NAC" + }, + "config_version": { + "id": 86 + }, + "connectivity": "Disconnected", + "details": "Adapter 
cannot connect to the server. Ensure that the server is reachable", + "message": { + "code": "91018", + "description": "IRF: Adapter connection failed", + "id": "0000001938" + }, + "segment": { + "number": 0, + "total": 1 + }, + "status": "Active" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "irf", + "category": [ + "configuration" + ], + "kind": "event", + "original": "\u003c179\u003eMar 16 06:42:55 cisco-ise-host CISE_Threat_Centric_NAC 0000001938 1 0 2021-03-16 06:42:55.540 +00:00 0000001981 91018 ERROR IRF: Adapter connection failed, ConfigVersionId=86, Details=Adapter cannot connect to the server. Ensure that the server is reachable, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active, Connectivity=Disconnected,", + "sequence": 1981, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "error", + "syslog": { + "priority": 179, + "severity": { + "name": "error" + } + } + }, + "message": "2021-03-16 06:42:55.540 +00:00 0000001981 91018 ERROR IRF: Adapter connection failed, ConfigVersionId=86, Details=Adapter cannot connect to the server. 
Ensure that the server is reachable, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active, Connectivity=Disconnected,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T00:02:46.341Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Threat_Centric_NAC" + }, + "config_version": { + "id": 749 + }, + "message": { + "code": "91110", + "description": "RADIUS: One or more Active Directory diagnostic tests failed during a scheduled run.", + "id": "0000038251" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "radius", + "category": [ + "authentication" + ], + "kind": "event", + "original": "\u003c180\u003eMar 3 00:02:46 isehost CISE_Threat_Centric_NAC 0000038251 1 0 2022-03-03 00:02:46.341 +00:00 0000038297 91110 WARN RADIUS: One or more Active Directory diagnostic tests failed during a scheduled run., ConfigVersionId=749,", + "sequence": 38297, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "warn", + "syslog": { + "priority": 180, + "severity": { + "name": "warn" + } + } + }, + "message": "2022-03-03 00:02:46.341 +00:00 0000038297 91110 WARN RADIUS: One or more Active Directory diagnostic tests failed during a scheduled run., ConfigVersionId=749,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-03T00:02:46.000Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Threat_Centric_NAC" + }, + "config_version": { + "id": 749 + }, + "message": { + "id": "0000038251" + }, + "segment": { + "number": 1, + "total": 2 + } + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "original": "\u003c180\u003eMar 3 00:02:46 isehost CISE_Threat_Centric_NAC 0000038251 2 1 
ConfigVersionId=749,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "syslog": { + "priority": 180 + } + }, + "message": "ConfigVersionId=749,", + "related": { + "hosts": [ + "isehost" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-tcp-config.yml new file mode 100644 index 00000000000..9e4b8df5c6a --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-tcp-config.yml @@ -0,0 +1,8 @@ +service: cisco_ise-log-tcp +service_notify_signal: SIGHUP +input: tcp +vars: + listen_address: 0.0.0.0 +data_stream: + vars: + listen_port: 9025 diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-udp-config.yml new file mode 100644 index 00000000000..90d93efebd4 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-udp-config.yml @@ -0,0 +1,8 @@ +service: cisco_ise-log-udp +service_notify_signal: SIGHUP +input: udp +vars: + listen_address: 0.0.0.0 +data_stream: + vars: + listen_port: 9026 diff --git a/packages/cisco_ise/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ise/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100644 index 00000000000..bc587e50a3a --- /dev/null +++ b/packages/cisco_ise/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,18 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} 
diff --git a/packages/cisco_ise/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ise/data_stream/log/agent/stream/udp.yml.hbs new file mode 100644 index 00000000000..deaa10ff900 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,15 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..f4011d31a01 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,139 @@ +--- +description: Pipeline for Cisco ISE logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{ISO8601_TIMEZONE:_tmp.timezone} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{DATA:cisco_ise.log.message.id} %{DATA:cisco_ise.log.segment.total:long} %{DATA:cisco_ise.log.segment.number:long} %{GREEDYDATA:message}$" + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{DATA:cisco_ise.log.message.id} %{DATA:cisco_ise.log.segment.total:long} %{DATA:cisco_ise.log.segment.number:long} %{GREEDYDATA:message}$" + - trim: + field: message + ignore_failure: true + - convert: + field: host.hostname + target_field: host.ip + type: ip + ignore_failure: true + - remove: + field: host.hostname + if: ctx?.host?.ip != null + - append: + field: related.ip + value: '{{{host.ip}}}' + if: ctx?.host?.ip != null + ignore_failure: true + - append: + field: related.hosts + value: '{{{host.hostname}}}' + if: ctx?.host?.hostname != null + ignore_failure: true + - rename: + field: _tmp.timezone + target_field: event.timezone + ignore_missing: true + - date: + field: _tmp.timestamp + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMM d HH:mm:ss + ignore_failure: true + - date: + if: ctx?.event?.timezone != null + field: _tmp.timestamp + timezone: '{{{event.timezone}}}' + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMM d HH:mm:ss + - pipeline: + name: '{{ IngestPipeline "pipeline_policy_diagnostics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Policy_Diagnostics" + - pipeline: + name: '{{ IngestPipeline "pipeline_guest" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Guest" + - pipeline: + name: '{{ IngestPipeline "pipeline_mydevices" }}' + if: 
ctx?.cisco_ise?.log?.category?.name == "CISE_MyDevices" + - pipeline: + name: '{{ IngestPipeline "pipeline_internal_operations_diagnostics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Internal_Operations_Diagnostics" + - pipeline: + name: '{{ IngestPipeline "pipeline_threat_centric_nac" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Threat_Centric_NAC" + - pipeline: + name: '{{ IngestPipeline "pipeline_posture_and_client_provisioning_audit" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Posture_and_Client_Provisioning_Audit" + - pipeline: + name: '{{ IngestPipeline "pipeline_radius_accounting" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_RADIUS_Accounting" + - pipeline: + name: '{{ IngestPipeline "pipeline_failed_attempts" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Failed_Attempts" + - pipeline: + name: '{{ IngestPipeline "pipeline_passed_authentications" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Passed_Authentications" + - pipeline: + name: '{{ IngestPipeline "pipeline_radius_diagnostics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_RADIUS_Diagnostics" + - pipeline: + name: '{{ IngestPipeline "pipeline_ad_connector" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_AD_Connector" + - pipeline: + name: '{{ IngestPipeline "pipeline_authentication_flow_diagnostics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Authentication_Flow_Diagnostics" + - pipeline: + name: '{{ IngestPipeline "pipeline_administrative_and_operational_audit" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Administrative_and_Operational_Audit" + - pipeline: + name: '{{ IngestPipeline "pipeline_system_statistics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_System_Statistics" + - pipeline: + name: '{{ IngestPipeline "pipeline_tacacs_accounting" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_TACACS_Accounting" + - pipeline: + name: '{{ IngestPipeline "pipeline_identity_stores_diagnostics" 
}}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Identity_Stores_Diagnostics" + - lowercase: + field: log.syslog.severity.name + ignore_failure: true + - set: + field: log.level + copy_from: log.syslog.severity.name + ignore_empty_value: true + - remove: + field: + - _tmp + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: +- set: + field: error.message + value: '{{{_ingest.on_failure_message}}}' diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml new file mode 100644 index 00000000000..ed7649cf502 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml 
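Review bot: The two header patterns in the `grok` on `event.original` use `%{DATA:…}` for six space-delimited tokens (`host.hostname`, `cisco_ise.log.category.name`, `cisco_ise.log.message.id` and both `segment` fields); `DATA` is a lazy `.*?`, and with the pattern anchored by `$` a message that does not match can make the matcher backtrack through every split of those fields before failing, which matters because this input arrives straight off a network syslog listener. Each of those tokens is terminated by a literal space, so `%{NOTSPACE:…}` (or `%{NUMBER:…:long}` for the two segment counters, which also rejects non-numeric values up front) accepts the same well-formed input without the backtracking. The same `%{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name}` run appears in the segment-0 grok of every sub-pipeline in this change (pipeline_ad_connector.yml, pipeline_administrative_and_operational_audit.yml, pipeline_authentication_flow_diagnostics.yml, pipeline_failed_attempts.yml). Separately, the first `date` processor's `formats` list appears to contain `MMM d HH:mm:ss` twice; if the second entry was meant to be the RFC 3164 double-space form for single-digit days, that spacing is worth re-checking, since the collapsed rendering here cannot show it.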
@@ -0,0 +1,139 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - trim: + field: cisco_ise.log.log_details + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["25012","25013","25015","25016","25017","25018","25033"], "name": "authentication"], + ["messageCodeArray": ["25037","25041","25046","25058"], "name": "configuration"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["25012","25013","25015","25016","25017","25018","25033","25037","25041","25046","25058"], "name": "info"], + ["messageCodeArray": ["25012","25018","51020","51021"], "name": "end"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.category = eventCategory; + ctx.event.type = eventType; + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - gsub: + field: cisco_ise.log.log_details + pattern: \\, + replacement: "" + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - 
yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: AD-Admin + target_field: cisco_ise.log.ad.admin + ignore_missing: true + - rename: + field: AD-Domain + target_field: cisco_ise.log.ad.domain.name + ignore_missing: true + - rename: + field: AD-Domain-Controller + target_field: cisco_ise.log.ad.domain.controller + ignore_missing: true + - rename: + field: AD-Error-Details + target_field: cisco_ise.log.ad.error.details + ignore_missing: true + - rename: + field: AD-Forest + target_field: cisco_ise.log.ad.forest + ignore_missing: true + - rename: + field: AD-Hostname + target_field: cisco_ise.log.ad.hostname + ignore_missing: true + - append: + field: related.hosts + value: '{{{cisco_ise.log.ad.hostname}}}' + if: ctx?.cisco_ise?.log?.ad?.hostname != null + allow_duplicates: false + ignore_failure: true + - convert: + field: AD-IP-Address + target_field: cisco_ise.log.ad.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.ad.ip}}}' + if: ctx?.cisco_ise?.log?.ad?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AD-Log-Id + target_field: cisco_ise.log.ad.log_id + ignore_missing: true + - rename: + field: AD-Organization-Unit + target_field: cisco_ise.log.ad.organization_unit + ignore_missing: true + - rename: + field: AD-Site + target_field: cisco_ise.log.ad.site + ignore_missing: true + - rename: + field: AD-Log + target_field: cisco_ise.log.ad.log + ignore_failure: true + - rename: + field: AD-Srv-Query + target_field: cisco_ise.log.ad.srv.query + ignore_failure: true + - rename: + field: AD-Srv-Record + target_field: cisco_ise.log.ad.srv.record + ignore_failure: true + - remove: + field: + - AD-IP-Address + - ConfigVersionId + ignore_missing: true 
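Review bot: The `gsub` on `cisco_ise.log.log_details` replaces the escaped comma `\,` with the empty string, so a value such as a distinguished name in `AD-Organization-Unit` loses its commas rather than having the escape removed. If the intent is to unescape before the `kv` split (whose `field_split` is `', '`, comma followed by space), `replacement: ","` keeps the value intact and still does not split it unless the comma is followed by a space; if the commas are meant to be dropped deliberately, a comment on the processor saying so would spare the next maintainer the same question. Also, the `convert` of `AD-IP-Address` to `type: ip` carries `ignore_missing` but not `ignore_failure`, unlike the other type conversions in this file, so a single malformed address value sends the whole event to the parent `on_failure` with only `error.message` populated.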
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml new file mode 100644 index 00000000000..8c8e8086149 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml 
@@ -0,0 +1,340 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: cisco_ise.log.log_details + if: ctx?.cisco_ise?.log?.message?.code == "60067" + ignore_failure: true + patterns: + - "ConfigVersionId=%{DATA:ConfigVersionId}, OperationMessageText={%{DATA:OperationMessageText}}" + - grok: + field: cisco_ise.log.log_details + if: '["61025", "61026"].contains(ctx?.cisco_ise?.log?.message?.code)' + patterns: + - "ConfigVersionId=%{DATA:ConfigVersionId}, AdminInterface=%{DATA:AdminInterface}, AdminIPAddress=%{DATA:AdminIPAddress}, , OperationMessageText=%{DATA:OperationMessageText}, AcsInstance=%{GREEDYDATA:AcsInstance}" + on_failure: + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + - grok: + field: cisco_ise.log.log_details + if: ctx?.cisco_ise?.log?.message?.code == "52001" + ignore_failure: true + patterns: + - "ConfigVersionId=%{DATA:ConfigVersionId}, FailureFlag=%{DATA:FailureFlag}, RequestResponseType=%{DATA:RequestResponseType}, AdminInterface=%{DATA:AdminInterface}, AdminIPAddress=%{DATA:AdminIPAddress}, AdminName=%{DATA:AdminName}, %{GREEDYDATA:log_detail}" + - grok: + field: log_detail + if: ctx?.cisco_ise?.log?.message?.code == "52001" + ignore_failure: true + patterns: + - "ConfigChangeData=%{DATA:ConfigChangeData}, ObjectType=%{DATA:ObjectType}, ObjectName=%{DATA:ObjectName}, Component=%{DATA:Component}, ObjectInternalID=%{GREEDYDATA:ObjectInternalID}" + - "ConfigChangeData=%{DATA:ConfigChangeData}, 
ObjectType=%{DATA:ObjectType}, ObjectName=%{DATA:ObjectName}, OperationMessageText=%{GREEDYDATA:OperationMessageText}" + - "ObjectType=%{DATA:ObjectType}, ObjectName=%{DATA:ObjectName}, Component=%{DATA:Component}, ObjectInternalID=%{GREEDYDATA:ObjectInternalID}" + - "ConfigChangeData=%{DATA:ConfigChangeData}, ObjectType=%{DATA:ObjectType}, ObjectName=%{GREEDYDATA:ObjectName}" + - grok: + field: ConfigChangeData + if: ctx?.cisco_ise?.log?.message?.code == "52001" + ignore_failure: true + patterns: + - "^%{DATA:_tmp.temp}, Log Severity Level = %{DATA:LogSeverityLevel}\\\\,Local Logging = %{DATA:LocalLogging}\\\\,Assigned Targets = {%{DATA:AssignedTargets}}" + - grok: + field: cisco_ise.log.log_details + if: ctx?.cisco_ise?.log?.message?.code == "52002" + ignore_failure: true + patterns: + - "ConfigVersionId=%{DATA:ConfigVersionId}, AdminInterface=%{DATA:AdminInterface}, AdminIPAddress=%{DATA:AdminIPAddress}, %{GREEDYDATA:log_detail}" + - grok: + field: log_detail + if: ctx?.cisco_ise?.log?.message?.code == "52002" + ignore_failure: true + patterns: + - "AdminSession=%{DATA:AdminSession}, AdminName=%{DATA:AdminName}, ConfigChangeData=%{GREEDYDATA:ConfigChangeData}" + - "AdminName=%{DATA:AdminName}, ConfigChangeData=%{GREEDYDATA:ConfigChangeData}" + - "AdminName=%{DATA:AdminName}, %{GREEDYDATA:log_description}" + on_failure: + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + - kv: + field: log_description + field_split: ', ' + value_split: = + ignore_failure: true + - grok: + field: ConfigChangeData + if: ctx?.cisco_ise?.log?.message?.code == "52002" + ignore_failure: true + patterns: + - "^%{DATA:_tmp.temp}, %{GREEDYDATA:_tmp.ConfigChangeData}" + - kv: + field: _tmp.ConfigChangeData + if: ctx?.cisco_ise?.log?.message?.code == "52002" + field_split: ', ' + value_split: = + ignore_failure: true + - kv: + if: '!["60067", "61025", "61026", "52001", "52002"].contains(ctx.cisco_ise.log.message.code)' + field: cisco_ise.log.log_details + 
field_split: ', ' + value_split: = + ignore_failure: true + - kv: + if: ctx?.cisco_ise?.log?.message?.code == "60067" + field: OperationMessageText + field_split: ', ' + value_split: = + ignore_failure: true + - split: + field: AssignedTargets + target_field: cisco_ise.log.assigned_targets + separator: ',' + if: ctx?.cisco_ise?.log?.message?.code == "52001" + ignore_failure: true + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["51001","51002","51020","51021","52000","52001","52002","60077","60078","60461","61077","60077","58005","60094","60093","60134","60188","60116","60080","60115","60081"], "name": "iam"], + ["messageCodeArray": ["51001","51002","51020","51021","60077","60078","61077", "60077","60188","60116","60080","60115","60081"], "name": "authentication"], + ["messageCodeArray": ["61025","61026","60134"], "name": "network"], + ["messageCodeArray": ["60067","60070","60456","58005"], "name": "process"], + ["messageCodeArray": ["52000","52001","52002"], "name": "configuration"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["51001","51002","51020","51021"], "name": "admin"], + ["messageCodeArray": ["52001"], "name": "change"], + ["messageCodeArray": ["61025", "61026"], "name": "connection"], + ["messageCodeArray": ["52000"], "name": "creation"], + ["messageCodeArray": ["52002"], "name": "deletion"], + ["messageCodeArray": ["61026"], "name": "end"], + ["messageCodeArray": ["60116","60080","60115","60081"], "name": "user"], + ["messageCodeArray": 
["51001","51002","51020","51021","52000","52001","52002","60067","60070","60077","60078","60456","60461","61025","61026","61077","60077","58005","60094","60093","60134","60188","60116","60080","60115","60081"], "name": "info"], + ["messageCodeArray": ["60067","60456","61025"], "name": "start"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + ctx.event.type = eventType; + - rename: + field: AcsInstance + target_field: cisco_ise.log.acs.instance + ignore_missing: true + - rename: + field: AdminInterface + target_field: cisco_ise.log.admin.interface + ignore_missing: true + - rename: + field: AdminIPAddress + target_field: client.ip + ignore_missing: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AdminName + target_field: client.user.name + ignore_missing: true + - append: + field: related.user + value: '{{{client.user.name}}}' + if: ctx?.client?.user?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AdminSession + target_field: cisco_ise.log.admin.session + ignore_missing: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: ConfigChangeData + target_field: cisco_ise.log.config_change.data + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: Component + target_field: cisco_ise.log.component + ignore_missing: 
true + - convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_missing: true + - rename: + field: FailureReason + target_field: cisco_ise.log.failure.reason + ignore_missing: true + - convert: + field: FailureFlag + target_field: cisco_ise.log.failure.flag + type: boolean + ignore_failure: true + - rename: + field: LocalLogging + target_field: cisco_ise.log.local_logging + ignore_missing: true + - rename: + field: LogSeverityLevel + target_field: log.syslog.severity.name + if: ctx?.log?.syslog?.severity?.name == null + ignore_missing: true + - rename: + field: LogErrorMessage + target_field: cisco_ise.log.log_error.message + ignore_missing: true + - rename: + field: LoggerName + target_field: log.logger + ignore_missing: true + - rename: + field: MessageCode + target_field: cisco_ise.log.message.code + ignore_missing: true + - rename: + field: FeedServiceFeed + target_field: cisco_ise.log.feed_service.feed.name + ignore_missing: true + - rename: + field: FeedServiceFeedVersion + target_field: cisco_ise.log.feed_service.feed.version + ignore_missing: true + - rename: + field: FeedServiceHost + target_field: cisco_ise.log.feed_service.host + ignore_missing: true + - rename: + field: FeedServicePort + target_field: cisco_ise.log.feed_service.port + ignore_missing: true + - date: + field: FeedServiceQueryToTime + target_field: cisco_ise.log.feed_service.query.to_time + formats: + - ISO8601 + ignore_failure: true + - date: + field: FeedServiceQueryFromTime + target_field: cisco_ise.log.feed_service.query.from_time + formats: + - ISO8601 + ignore_failure: true + - rename: + field: IdentityGroup + target_field: cisco_ise.log.identity.group + ignore_missing: true + - rename: + field: IpAddress + target_field: host.ip + ignore_missing: true + - append: + field: related.ip + value: '{{{host.ip}}}' + if: ctx?.host?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: ObjectName + target_field: 
cisco_ise.log.object.name + ignore_missing: true + - rename: + field: ObjectInternalID + target_field: cisco_ise.log.object.internal.id + ignore_missing: true + - rename: + field: ObjectType + target_field: cisco_ise.log.object.type + ignore_missing: true + - rename: + field: OperationMessageText + target_field: cisco_ise.log.operation_message.text + ignore_missing: true + - rename: + field: PortalName + target_field: cisco_ise.log.portal.name + ignore_missing: true + - append: + field: related.hosts + value: '{{{PsnHostName}}}' + if: ctx?.PsnHostName != null && ctx?.PsnHostName != '' + allow_duplicates: false + ignore_failure: true + - rename: + field: PsnHostName + target_field: cisco_ise.log.psn.hostname + ignore_missing: true + - rename: + field: RequestResponseType + target_field: cisco_ise.log.request_response.type + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_missing: true + - rename: + field: UserName + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - AssignedTargets + - ConfigVersionId + - FailureFlag + - FeedServiceQueryFromTime + - FeedServiceQueryToTime + - LogSeverityLevel + - ResponseTime + - log_detail + - log_description + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml new file mode 100644 index 00000000000..9e5648b26f3 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml 
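Review bot: The `kv` guarded by `if: '!["60067", "61025", "61026", "52001", "52002"].contains(ctx.cisco_ise.log.message.code)'` is the only condition in this file that dereferences `ctx.cisco_ise.log.message` without null-safe `?.` access; for a continuation segment (`segment.number > 0`) the segment-0 grok does not run and `message.code` is never set, so this condition appears to throw instead of evaluating to true, and the event ends up in the parent `on_failure` with only `error.message`. Writing it as `'!["60067", "61025", "61026", "52001", "52002"].contains(ctx?.cisco_ise?.log?.message?.code)'` matches the other conditions in the file. Separately, `AdminIPAddress` is moved to `client.ip` and `IpAddress` to `host.ip` with a plain `rename`, so a non-IP value taken from the log lands in an `ip`-mapped field and the document is rejected at index time; pipeline_authentication_flow_diagnostics.yml in this same change uses `convert` with `type: ip` and `ignore_failure: true` for `DestinationIPAddress`, and the same form would fit here.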
@@ -0,0 +1,166 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - '%{GREEDYDATA:cisco_ise.log.log_details},' + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(["iam"]); + def categoryReferenceTable = [ + ["messageCodeArray": ["22040","22057","22061","22060","22037"], "name": "authentication"] + ]; + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.selected.authentication.identity_stores + ignore_missing: true + - rename: + field: AuthenticationMethod + target_field: 
cisco_ise.log.authentication.method + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: CurrentIDStoreName + target_field: cisco_ise.log.currentid.store_name + ignore_missing: true + - convert: + field: DestinationIPAddress + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: "{{{DestinationIPAddress}}}" + if: ctx?.DestinationIPAddress != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: user.name + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - append: + field: user.name + value: '{{{UserName}}}' + if: ctx?.UserName != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{UserName}}}' + if: ctx?.UserName != null + allow_duplicates: false + ignore_failure: true + - convert: + field: WorkflowCurrentIDStoreIndex + target_field: cisco_ise.log.workflow.current_id.store_index + type: long + ignore_failure: true + - rename: + field: WorkflowIfAuthenticationFailed + target_field: 
cisco_ise.log.workflow.if.authentication_failed + ignore_missing: true + - rename: + field: WorkflowIfProcessError + target_field: cisco_ise.log.workflow.if.process_error + ignore_missing: true + - rename: + field: WorkflowIfUserNotFound + target_field: cisco_ise.log.workflow.if.user_not_found + ignore_missing: true + - rename: + field: WorkflowSequenceType + target_field: cisco_ise.log.workflow.sequence.type + ignore_missing: true + - remove: + field: + - ConfigVersionId + - DestinationIPAddress + - NAS-IP-Address + - OriginalUserName + - Response + - UserName + - WorkflowCurrentIDStoreIndex + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml new file mode 100644 index 00000000000..5700ac03fdd --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml 
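Review bot: The `append` to `related.ip` reads the raw `{{{DestinationIPAddress}}}` under `ctx?.DestinationIPAddress != null`, while the `convert` just above it into `destination.ip` has `ignore_failure: true`; when that conversion fails on a malformed value, the unvalidated string is still appended to the `ip`-mapped `related.ip` and the document is rejected at index time. The `NAS-IP-Address` handling a few lines later does this correctly by appending `'{{{cisco_ise.log.nas.ip}}}'` under `ctx?.cisco_ise?.log?.nas?.ip != null`; the same shape here would be `value: '{{{destination.ip}}}'` with `if: ctx?.destination?.ip != null`. As a minor consistency point, the segment-continuation grok pattern `'%{GREEDYDATA:cisco_ise.log.log_details},'` lacks the `^` anchor that the other sub-pipelines use for the same pattern.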
@@ -0,0 +1,424 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["5405","5411","5418","5435","5400","5440"], "name": "authentication"], + ["messageCodeArray": ["5440"], "name": "session"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["5405","5411","5418","5435","5400","5440"], "name": "info"], + ["messageCodeArray": ["5405","5411","5418","5435"], "name": "end"], + ["messageCodeArray": ["5440"], "name": "start"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + ctx.event.type = eventType; + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: 
true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - rename: + field: acme-av-pair.audit-session-id + target_field: cisco_ise.log.acme-av-pair.audit-session-id + ignore_missing: true + - rename: + field: acme-av-pair.service-type + target_field: cisco_ise.log.acme-av-pair.service-type + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: ADDomain + target_field: cisco_ise.log.ad.domain.name + ignore_missing: true + - rename: + field: AllowedProtocolMatchedRule + target_field: cisco_ise.log.allowed_protocol.matched.rule + ignore_missing: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: AuthenticationMethod + target_field: cisco_ise.log.authentication.method + ignore_missing: true + - rename: + field: Called-Station-ID + target_field: cisco_ise.log.called_station.id + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: DetailedInfo + target_field: cisco_ise.log.detailed_info + ignore_missing: true + - rename: + field: Device Type + target_field: cisco_ise.log.device.type + ignore_missing: true + - rename: + field: EAP-Key-Name + target_field: cisco_ise.log.eap_key.name + ignore_missing: true + - rename: + field: EapAuthentication + target_field: cisco_ise.log.eap.authentication + ignore_missing: true + - rename: + field: EapChainingResult + target_field: cisco_ise.log.eap.chaining_result + ignore_missing: true + - rename: + field: EapTunnel + target_field: 
cisco_ise.log.eap.tunnel + ignore_missing: true + - rename: + field: EndPointMACAddress + target_field: cisco_ise.log.endpoint.mac.address + ignore_missing: true + - gsub: + field: cisco_ise.log.endpoint.mac.address + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: cisco_ise.log.endpoint.mac.address + ignore_missing: true + - rename: + field: FailureReason + target_field: cisco_ise.log.failure.reason + ignore_missing: true + - convert: + field: Framed-IP-Address + target_field: cisco_ise.log.framed.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.framed.ip}}}' + if: ctx?.cisco_ise?.log?.framed?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: Framed-MTU + target_field: cisco_ise.log.framed.mtu + type: long + ignore_missing: true + - convert: + field: GroupsOrAttributesProcessFailure + target_field: cisco_ise.log.groups.process_failure + type: boolean + ignore_missing: true + - rename: + field: IdentitySelectionMatchedRule + target_field: cisco_ise.log.identity.selection.matched.rule + ignore_missing: true + - rename: + field: ISEPolicySetName + target_field: cisco_ise.log.ise.policy.set_name + ignore_missing: true + - rename: + field: Location + target_field: cisco_ise.log.location + ignore_missing: true + - convert: + field: NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-Port + target_field: cisco_ise.log.nas.port.number + type: long + ignore_missing: true + - rename: + field: NAS-Port-Id + target_field: cisco_ise.log.nas.port.id + ignore_missing: true + - rename: + field: NAS-Port-Type + target_field: cisco_ise.log.nas.port.type + ignore_missing: true + - rename: + field: NetworkDeviceGroups + target_field: 
cisco_ise.log.network.device.groups + ignore_missing: true + - rename: + field: NetworkDeviceName + target_field: cisco_ise.log.network.device.name + ignore_missing: true + - rename: + field: RadiusPacketType + target_field: cisco_ise.log.radius_packet.type + ignore_missing: true + - convert: + field: RequestLatency + target_field: cisco_ise.log.request.latency + type: long + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: SelectedAuthenticationIdentityStores + target_field: cisco_ise.log.selected.authentication.identity_stores + ignore_missing: true + - rename: + field: Service-Type + target_field: cisco_ise.log.service.type + ignore_missing: true + - rename: + field: State + target_field: cisco_ise.log.state + ignore_missing: true + - rename: + field: UseCase + target_field: cisco_ise.log.usecase + ignore_missing: true + - convert: + field: DestinationIPAddress + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_missing: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: Device Port + target_field: client.port + type: long + ignore_missing: true + - rename: + field: Acct-Session-Id + target_field: cisco_ise.log.acct.session.id + ignore_missing: true + - rename: + field: Acct-Status-Type + target_field: cisco_ise.log.acct.status.type + ignore_missing: true + - rename: + field: DTLSSupport + target_field: cisco_ise.log.dtls_support + ignore_missing: true + - convert: + field: IpAddress + 
target_field: source.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: IPSEC + target_field: cisco_ise.log.ipsec + ignore_missing: true + - rename: + field: Model Name + target_field: cisco_ise.log.model.name + ignore_missing: true + - rename: + field: Network Device Profile + target_field: cisco_ise.log.network.device.profile + ignore_missing: true + - rename: + field: NetworkDeviceProfileId + target_field: cisco_ise.log.network.device.profile_id + ignore_missing: true + - rename: + field: NetworkDeviceProfileName + target_field: cisco_ise.log.network.device.profile_name + ignore_missing: true + - rename: + field: OpenSSLErrorMessage + target_field: cisco_ise.log.openssl.error.message + ignore_missing: true + - rename: + field: OpenSSLErrorStack + target_field: cisco_ise.log.openssl.error.stack + ignore_missing: true + - rename: + field: PortalName + target_field: cisco_ise.log.portal.name + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_missing: true + - convert: + field: Session-Timeout + target_field: cisco_ise.log.session.timeout + type: long + ignore_missing: true + - rename: + field: Step + target_field: cisco_ise.log.step + ignore_missing: true + - rename: + field: StepLatency + target_field: cisco_ise.log.step_latency + ignore_missing: true + - rename: + field: TLSCipher + target_field: cisco_ise.log.tls.cipher + ignore_missing: true + - rename: + field: TLSVersion + target_field: cisco_ise.log.tls.version + ignore_missing: true + - convert: + field: TotalFailedAttempts + target_field: cisco_ise.log.total.failed_attempts + type: long + ignore_missing: true + - convert: + field: TotalFailedTime + target_field: cisco_ise.log.total.failed_time + type: long + ignore_missing: true + - rename: + field: UserType + target_field: 
cisco_ise.log.user.type + ignore_missing: true + - rename: + field: Protocol + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - append: + field: user.name + value: '{{{UserName}}}' + ignore_failure: true + allow_duplicates: false + - append: + field: user.name + value: '{{{User-Name}}}' + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: '{{{UserName}}}' + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{User-Name}}}' + allow_duplicates: false + ignore_failure: true + - remove: + field: + - UserName + - User-Name + - ConfigVersionId + - DestinationIPAddress + - DestinationPort + - Device IP Address + - Device Port + - NAS-IP-Address + - NAS-Port + - RequestLatency + - IpAddress + - TotalFailedAttempts + - Session-Timeout + - Response + - ResponseTime + - TotalFailedTime + - Framed-IP-Address + - Framed-MTU + - GroupsOrAttributesProcessFailure + - acme-av-pair + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml new file mode 100644 index 00000000000..c49664a6b77 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml 
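Review bot: The four `append` processors for `user.name` and `related.user` near the end of pipeline_failed_attempts.yml carry no `if:` guard, unlike the equivalent appends in the other pipelines of this commit (`if: ctx?.UserName != null`), so when `UserName` or `User-Name` is absent the Mustache template presumably renders as an empty string and an empty entry is appended to both fields, which pollutes `related.user` for any detection rule keyed on it. Add `if: ctx?.UserName != null` to the two `UserName` appends and `if: ctx['User-Name'] != null` to the two `User-Name` appends. Separately, the `convert` processors in this file use `ignore_missing: true` where the earlier pipeline uses `ignore_failure: true` for the same conversions; a value that is present but malformed (a non-IP `Framed-IP-Address`, a non-numeric `NAS-Port`) then fails the whole pipeline and, depending on the parent pipeline's `on_failure` handling, either drops or error-tags the event, so that choice should be made deliberately and applied consistently across the pipelines.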
@@ -0,0 +1,112 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: UserType + target_field: cisco_ise.log.user.type + ignore_missing: true + - rename: + field: UserName + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - convert: + field: IpAddress + target_field: source.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: PortalName + 
target_field: cisco_ise.log.portal.name + ignore_missing: true + - rename: + field: IdentityGroup + target_field: cisco_ise.log.identity.group + ignore_missing: true + - rename: + field: PsnHostName + target_field: cisco_ise.log.psn.hostname + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_failure: true + - rename: + field: GuestUserName + target_field: cisco_ise.log.guest.user.name + ignore_missing: true + - rename: + field: FailureReason + target_field: cisco_ise.log.failure.reason + ignore_missing: true + - append: + field: related.user.name + value: '{{{cisco_ise.log.guest.user.name}}}' + if: ctx?.cisco_ise?.log?.guest?.user?.name != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - _tmp + - ConfigVersionId + - IpAddress + - cisco_ise.log.log_details + - ResponseTime + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml new file mode 100644 index 00000000000..e70181f8e2b --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml 
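Review bot: The last `append` in pipeline_guest.yml writes to `related.user.name`, while the earlier append in the same file writes to `related.user`; `related.user` is a flat keyword array in ECS, so an event carrying both `UserName` and `GuestUserName` would hold `related.user` as an array and as an object at the same time and be rejected at index time with a mapping conflict. Change the processor to `field: related.user` so the guest user name lands alongside the other related users and stays searchable by the same rules.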
@@ -0,0 +1,154 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["24209","24210","24212","24216","24217","24313","24322","24325","24352","24366","24412","24430","24631","24633","24715"], "name": "iam"], + ["messageCodeArray": ["24313","24322","24325","24352","24412","24430","24633","24715"], "name": "authentication"], + ["messageCodeArray": ["24217"], "name": "host"], + ["messageCodeArray": ["24209"], "name": "malware"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["24209","24210","24212","24216","24217","24313","24322","24325","24352","24366","24412","24430","24631","24633","24715"], "name": "info"], + ["messageCodeArray": ["24352","24412","24633"], "name": "end"], + ["messageCodeArray": ["24217"], "name": "host"], + ["messageCodeArray": ["24210","24212","24216","24631"], "name": "user"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + 
eventType.add(entry.name); + } + } + + ctx.event.category = eventCategory; + ctx.event.type = eventType; + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - trim: + field: cisco_ise.log.log_details + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_missing: true + - rename: + field: UserName + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: AuthenticationMethod + target_field: cisco_ise.log.authentication.method + ignore_missing: true + - rename: + field: CurrentIDStoreName + target_field: cisco_ise.log.currentid.store_name + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: EnableFlag + target_field: cisco_ise.log.enable.flag + ignore_missing: true + - rename: + field: AD-Log-Id + target_field: cisco_ise.log.ad.log_id + ignore_missing: true + - append: + field: user.full_name + value: '{{{Firstname}}}' + if: ctx?.Firstname != null + allow_duplicates: false + ignore_failure: true + - append: + field: user.full_name + value: '{{{Lastname}}}' + if: ctx?.Lastname != null + allow_duplicates: false + ignore_failure: true + - rename: + field: OriginalUserName + 
target_field: cisco_ise.log.original.user.name + ignore_missing: true + - append: + field: user.name + value: '{{{cisco_ise.log.original.user.name}}}' + if: ctx?.cisco_ise?.log?.original?.user?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Protocol + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - remove: + field: + - ConfigVersionId + - OriginalUserName + - Firstname + - Lastname + - Response + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml new file mode 100644 index 00000000000..8f14c3ed789 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml 
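Review bot: In the Painless script of pipeline_identity_stores_diagnostics.yml, `typeReferenceTable` maps code `24217` to the name `host`, but `host` is an ECS `event.category` value and is not an allowed `event.type` value, so those events get an `event.type` that ECS-based rules will never match; it looks like a copied row from `categoryReferenceTable` and should be removed from the type table (the code is already covered by the `info` row). The two `append` processors that push `Firstname` and `Lastname` into `user.full_name` also produce a two-element array rather than one name; a single `set` with `value: '{{{Firstname}}} {{{Lastname}}}'` guarded by `if: ctx?.Firstname != null && ctx?.Lastname != null` gives the single keyword value the field is meant to hold.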
@@ -0,0 +1,81 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["34120"], "name": "authentication"], + ["messageCodeArray": ["32025","34126","34127"], "name": "configuration"] + ]; + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_failure: true + - rename: + field: LoggerName + target_field: cisco_ise.log.logger.name + 
ignore_missing: true + - rename: + field: LogFileName + target_field: cisco_ise.log.file.name + ignore_missing: true + - rename: + field: LogErrorMessage + target_field: cisco_ise.log.error.message + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - DestinationPort + - cisco_ise.log.log_details + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml new file mode 100644 index 00000000000..cbbcafd8f90 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml 
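Review bot: The second Painless script in pipeline_internal_operations_diagnostics.yml repeats `ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase();`, which the first script already sets under a looser condition (`description != null` rather than `code != null`), so the line is redundant and the two copies can drift apart; drop it from the second script. The second script also assigns `ctx.event.category = eventCategory` unconditionally, so any message code outside the four listed gets an empty `event.category` array; wrapping that assignment in `if (!eventCategory.isEmpty())` leaves the field absent instead of empty, which is what ECS consumers expect.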
@@ -0,0 +1,136 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: UserName + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - convert: + field: IpAddress + target_field: source.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: PortalName + target_field: cisco_ise.log.portal.name + ignore_missing: true + - rename: + field: IdentityGroup + 
target_field: cisco_ise.log.identity.group + ignore_missing: true + - rename: + field: PsnHostName + target_field: cisco_ise.log.psn.hostname + ignore_missing: true + - rename: + field: EPMacAddress + target_field: cisco_ise.log.ep.mac.address + ignore_missing: true + - gsub: + field: cisco_ise.log.ep.mac_address + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: cisco_ise.log.ep.mac_address + ignore_missing: true + - rename: + field: EPIdentityGroup + target_field: cisco_ise.log.ep.identity_group + ignore_missing: true + - convert: + field: Staticassignment + target_field: cisco_ise.log.static.assignment + type: boolean + ignore_failure: true + - rename: + field: EndPointProfiler + target_field: cisco_ise.log.endpoint.profiler + ignore_missing: true + - rename: + field: EndPointPolicy + target_field: cisco_ise.log.endpoint.policy + ignore_missing: true + - rename: + field: DeviceName + target_field: cisco_ise.log.device.name + ignore_missing: true + - rename: + field: DeviceRegistrationStatus + target_field: cisco_ise.log.device.registration_status + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_failure: true + - rename: + field: EndpointCoA + target_field: cisco_ise.log.endpoint.coa + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - IpAddress + - cisco_ise.log.log_details + - ResponseTime + - Staticassignment + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml new file mode 100644 index 00000000000..bbfb3b66eb8 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml 
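Review bot: In pipeline_mydevices.yml the `rename` places the endpoint MAC in `cisco_ise.log.ep.mac.address`, but the following `gsub` and `uppercase` processors target `cisco_ise.log.ep.mac_address`, a field that never exists, so with `ignore_missing: true` both silently no-op and the MAC keeps whatever separator and case the log used. That breaks correlation with `cisco_ise.log.endpoint.mac.address`, which pipeline_failed_attempts.yml does normalize to upper-case dash-separated form, and with any detection rule that matches on a normalized MAC. Change both processors to `field: cisco_ise.log.ep.mac.address`.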
@@ -0,0 +1,394 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["5200","5231","5233","5239"], "name": "authentication"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["5200","5231","5233","5239"], "name": "info"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + ctx.event.type = eventType; + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - rename: + field: AcsSessionID + target_field: 
cisco_ise.log.acs.session.id + ignore_missing: true + - convert: + field: Airespace-Wlan-Id + target_field: cisco_ise.log.airespace.wlan.id + type: long + ignore_missing: true + - rename: + field: allowEasyWiredSession + target_field: cisco_ise.log.allow.easy.wired.session + ignore_missing: true + - rename: + field: AuthorizationPolicyMatchedRule + target_field: cisco_ise.log.auth.policy.matched.rule + ignore_missing: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: AuthenticationMethod + target_field: cisco_ise.log.authentication.method + ignore_missing: true + - rename: + field: AuthenticationStatus + target_field: cisco_ise.log.authentication.status + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - convert: + field: cisco-av-pair.coa-push + target_field: cisco_ise.log.cisco_av_pair.coa-push + type: boolean + ignore_missing: true + - rename: + field: cisco-av-pair.cts-device-capability + target_field: cisco_ise.log.cisco-av-pair.cts-device-capability + ignore_missing: true + - rename: + field: cisco-av-pair.cts-environment-data + target_field: cisco_ise.log.cisco-av-pair.cts-environment-data + ignore_missing: true + - convert: + field: cisco-av-pair.cts-environment-version + target_field: cisco_ise.log.cisco-av-pair.cts-environment-version + type: long + ignore_missing: true + - rename: + field: cisco-av-pair.cts-pac-opaque + target_field: cisco_ise.log.cisco-av-pair.cts-pac-opaque + ignore_missing: true + - convert: + field: ClientLatency + target_field: cisco_ise.log.client.latency + type: long + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: Device 
Type + target_field: cisco_ise.log.device.type + ignore_missing: true + - rename: + field: DTLSSupport + target_field: cisco_ise.log.dtls_support + ignore_missing: true + - rename: + field: EndPointMACAddress + target_field: cisco_ise.log.endpoint.mac.address + ignore_missing: true + - gsub: + field: cisco_ise.log.endpoind.mac.address + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: cisco_ise.log.endpoind.mac.address + ignore_missing: true + - rename: + field: GuestUserName + target_field: cisco_ise.log.guest.user.name + ignore_missing: true + - rename: + field: IdentityGroup + target_field: cisco_ise.log.identity.group + ignore_missing: true + - rename: + field: IdentityPolicyMatchedRule + target_field: cisco_ise.log.identity.policy.matched.rule + ignore_missing: true + - convert: + field: IpAddress + target_field: source.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: IPSEC + target_field: cisco_ise.log.ipsec + ignore_missing: true + - convert: + field: IsThirdPartyDeviceFlow + target_field: cisco_ise.log.is_third_party_device_flow + type: boolean + ignore_missing: true + - rename: + field: ISEPolicySetName + target_field: cisco_ise.log.ise.policy.set_name + ignore_missing: true + - rename: + field: Location + target_field: cisco_ise.log.location + ignore_missing: true + - rename: + field: MisconfiguredClientFixReason + target_field: cisco_ise.log.misconfigured.client.fix.reason + ignore_missing: true + - rename: + field: Model Name + target_field: cisco_ise.log.model.name + ignore_missing: true + - convert: + field: NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: 
NAS-Port + target_field: cisco_ise.log.nas.port.number + type: long + ignore_missing: true + - rename: + field: NAS-Port-Id + target_field: cisco_ise.log.nas.port.id + ignore_missing: true + - rename: + field: NAS-Port-Type + target_field: cisco_ise.log.nas.port.type + ignore_missing: true + - rename: + field: NetworkDeviceGroups + target_field: cisco_ise.log.network.device.groups + ignore_missing: true + - rename: + field: Network Device Profile + target_field: cisco_ise.log.network.device.profile + ignore_missing: true + - rename: + field: NetworkDeviceProfileName + target_field: cisco_ise.log.network.device.profile_name + ignore_missing: true + - rename: + field: NetworkDeviceProfileId + target_field: cisco_ise.log.network.device.profile_id + ignore_missing: true + - rename: + field: NetworkDeviceName + target_field: cisco_ise.log.network.device.name + ignore_missing: true + - rename: + field: PortalName + target_field: cisco_ise.log.portal.name + ignore_missing: true + - rename: + field: PostureAssessmentStatus + target_field: cisco_ise.log.posture.assessment.status + ignore_missing: true + - rename: + field: PsnHostName + target_field: cisco_ise.log.psn.hostname + ignore_missing: true + - rename: + field: RadiusFlowType + target_field: cisco_ise.log.radius.flow.type + ignore_missing: true + - convert: + field: RequestLatency + target_field: cisco_ise.log.request.latency + type: long + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: SelectedAuthenticationIdentityStores + target_field: cisco_ise.log.selected.authentication.identity_stores + ignore_missing: true + - rename: + field: SelectedAuthorizationProfiles + target_field: cisco_ise.log.selected.authorization.profiles + ignore_missing: true + - rename: + field: 
IdentitySelectionMatchedRule + target_field: cisco_ise.log.identity.selection.matched.rule + ignore_missing: true + - rename: + field: Service-Type + target_field: cisco_ise.log.service.type + ignore_missing: true + - rename: + field: Step + target_field: cisco_ise.log.step + ignore_missing: true + - rename: + field: StepData + target_field: cisco_ise.log.step_data + ignore_missing: true + - convert: + field: TotalAuthenLatency + target_field: cisco_ise.log.total.authen.latency + type: long + ignore_missing: true + - rename: + field: UseCase + target_field: cisco_ise.log.usecase + ignore_missing: true + - rename: + field: UserType + target_field: cisco_ise.log.user.type + ignore_missing: true + - append: + field: user.name + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - convert: + field: DestinationIPAddress + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_missing: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Protocol + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - append: + field: user.name + value: '{{{UserName}}}' + ignore_failure: true + allow_duplicates: false + - append: + field: user.name + value: '{{{User-Name}}}' + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: '{{{UserName}}}' + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{User-Name}}}' + 
allow_duplicates: false + ignore_failure: true + - remove: + field: + - UserName + - User-Name + - ConfigVersionId + - DestinationIPAddress + - DestinationPort + - Device IP Address + - NAS-IP-Address + - NAS-Port + - RequestLatency + - IpAddress + - Airespace-Wlan-Id + - OriginalUserName + - ClientLatency + - Response + - ResponseTime + - TotalAuthenLatency + - IsThirdPartyDeviceFlow + - cisco-av-pair + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml new file mode 100644 index 00000000000..3c16394e986 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml 
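Review bot: The four `append` processors that read `{{{UserName}}}` and `{{{User-Name}}}` into `user.name` and `related.user` carry no `if` guard, unlike the `OriginalUserName` append just above them; when the attribute is absent the template most likely renders as an empty string, so an empty value is appended to `user.name` on a successful-authentication event, which is exactly the field logon detections key on. Add `if: ctx?.UserName != null` and `if: ctx['User-Name'] != null` respectively. Also `_tmp` (holding `_tmp.timestamp` and `_tmp.response`) and `cisco_ise.log.log_details` are missing from the final `remove` list that the sibling pipelines have, so the scratch object and the raw key/value string get indexed. And `EndPointMACAddress` is renamed to `cisco_ise.log.endpoint.mac.address` while the `gsub`/`uppercase` target `cisco_ise.log.endpoind.mac.address`, so the MAC normalisation never runs.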
@@ -0,0 +1,143 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Protocol + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - date: + field: RequestReceivedTime + target_field: cisco_ise.log.request.received_time + if: ctx?.RequestReceivedTime != "0" + ignore_failure: true + formats: + - UNIX + - rename: + field: PolicyType + target_field: cisco_ise.log.policy.type + ignore_missing: true + - rename: + field: AcsSessionID + target_field: 
cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: AuthorizationPolicyMatchedRule + target_field: cisco_ise.log.auth.policy.matched.rule + ignore_missing: true + - rename: + field: CurrentIDStoreName + target_field: cisco_ise.log.currentid.store_name + ignore_missing: true + - rename: + field: ISEPolicySetName + target_field: cisco_ise.log.ise.policy.set_name + ignore_missing: true + - rename: + field: IdentityPolicyMatchedRule + target_field: cisco_ise.log.identity.selection.matched.rule + ignore_missing: true + - rename: + field: IdentitySelectionMatchedRule + target_field: cisco_ise.log.identity.policy.matched.rule + ignore_missing: true + - append: + field: user.name + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: SelectedAuthorizationProfiles + target_field: cisco_ise.log.selected.authorization.profiles + ignore_missing: true + - append: + field: user.name + value: '{{{UserName}}}' + if: ctx?.UserName != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{UserName}}}' + if: ctx?.UserName != null + allow_duplicates: false + ignore_failure: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - Device IP Address + - OriginalUserName + - UserName + - RequestReceivedTime + - cisco_ise.log.log_details + ignore_missing: true 
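Review bot: The `IdentityPolicyMatchedRule` and `IdentitySelectionMatchedRule` renames have their targets swapped relative to the passed-authentications pipeline: here `IdentityPolicyMatchedRule` goes to `cisco_ise.log.identity.selection.matched.rule` and `IdentitySelectionMatchedRule` to `cisco_ise.log.identity.policy.matched.rule`, whereas the other pipeline maps each attribute to the like-named field. An analyst pivoting on which identity policy rule matched would be shown the wrong rule for diagnostics events, and a query across both pipelines would compare different attributes. Exchange the two targets: `IdentityPolicyMatchedRule` → `cisco_ise.log.identity.policy.matched.rule` and `IdentitySelectionMatchedRule` → `cisco_ise.log.identity.selection.matched.rule`.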
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml new file mode 100644 index 00000000000..8e3f28ef059 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml 
@@ -0,0 +1,72 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [malware] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: OperationID + target_field: cisco_ise.log.operation.id + ignore_missing: true + - rename: + field: OperationType + target_field: cisco_ise.log.operation.type + ignore_missing: true + - rename: + field: OperationStatus + target_field: cisco_ise.log.operation.status + ignore_missing: true + - rename: + field: AdminName + target_field: client.user.name + ignore_missing: true + - append: + field: related.user + value: '{{{client.user.name}}}' + if: ctx?.client?.user?.name != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - _tmp + - ConfigVersionId + - cisco_ise.log.log_details + ignore_missing: true 
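Review bot: `event.category` is set to `malware` for every event this pipeline handles, but the fields it extracts — `OperationID`, `OperationType`, `OperationStatus`, `AdminName` — describe an administrator's posture/client-provisioning operation, not a malware detection; the ECS `malware` category is reserved for events about malicious software and will route these audit records into malware dashboards and detection rules. Nothing in the hunk suggests the message codes carry a malware verdict, so `value: [configuration]`, as the sibling audit pipelines use, appears to be the intended category. If `malware` is deliberate, a comment on the `append` stating which message codes justify it would stop the next reader from "fixing" it.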
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml new file mode 100644 index 00000000000..fbbf1874ecd --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml 
@@ -0,0 +1,249 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: RequestLatency + target_field: cisco_ise.log.request.latency + type: long + ignore_failure: true + - rename: + field: NetworkDeviceName + target_field: cisco_ise.log.network.device.name + ignore_missing: true + - rename: + field: User-Name + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - convert: + field: 
NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-Port + target_field: cisco_ise.log.nas.port.number + type: long + ignore_failure: true + - convert: + field: Framed-IP-Address + target_field: cisco_ise.log.framed.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{cisco_ise.log.framed.ip}}}' + if: ctx?.cisco_ise?.log?.framed?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Class + target_field: cisco_ise.log.class + ignore_missing: true + - rename: + field: Called-Station-ID + target_field: cisco_ise.log.called_station.id + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - rename: + field: NAS-Identifier + target_field: cisco_ise.log.nas.identifier + ignore_missing: true + - rename: + field: Acct-Status-Type + target_field: cisco_ise.log.acct.status.type + ignore_missing: true + - rename: + field: Acct-Session-Id + target_field: cisco_ise.log.acct.session.id + ignore_missing: true + - rename: + field: Acct-Authentic + target_field: cisco_ise.log.acct.authentic + ignore_missing: true + - convert: + field: Acct-Session-Time + target_field: cisco_ise.log.acct.session.time + type: long + ignore_failure: true + - rename: + field: Step + target_field: cisco_ise.log.step + ignore_missing: true + - rename: + field: Event-Timestamp + target_field: cisco_ise.log.event.timestamp + ignore_missing: true + - date: + field: cisco_ise.log.event.timestamp + target_field: cisco_ise.log.event.timestamp + if: ctx?.cisco_ise?.log?.event?.timestamp != "0" + ignore_failure: true + formats: + - UNIX + - rename: + field: NAS-Port-Type + target_field: cisco_ise.log.nas.port.type + ignore_missing: true + - rename: + field: 
Tunnel-Type + target_field: cisco_ise.log.tunnel.type + ignore_missing: true + - rename: + field: Tunnel-Medium-Type + target_field: cisco_ise.log.tunnel.medium.type + ignore_missing: true + - rename: + field: Tunnel-Private-Group-ID + target_field: cisco_ise.log.tunnel.private.group_id + ignore_missing: true + - convert: + field: Airespace-Wlan-Id + target_field: cisco_ise.log.airespace.wlan.id + type: long + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: NetworkDeviceGroups + target_field: cisco_ise.log.network.device.groups + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: AllowedProtocolMatchedRule + target_field: cisco_ise.log.allowed_protocol.matched.rule + ignore_missing: true + - rename: + field: Location + target_field: cisco_ise.log.location + ignore_missing: true + - rename: + field: Device Type + target_field: cisco_ise.log.device.type + ignore_missing: true + - convert: + field: Acct-Delay-Time + target_field: cisco_ise.log.acct.delay_time + type: long + ignore_failure: true + - convert: + field: Acct-Input-Octets + target_field: cisco_ise.log.acct.input.octets + type: long + ignore_failure: true + - convert: + field: Acct-Output-Octets + target_field: cisco_ise.log.acct.output.octets + type: long + ignore_failure: true + - convert: + field: Acct-Input-Packets + target_field: cisco_ise.log.acct.input.packets + type: long + ignore_failure: true + - convert: + field: Acct-Output-Packets + target_field: cisco_ise.log.acct.output.packets + type: long + ignore_failure: true + - rename: + field: Acct-Terminate-Cause + target_field: cisco_ise.log.acct.terminate_cause + ignore_missing: true + - rename: + field: undefined-52 + target_field: 
cisco_ise.log.undefined_52 + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - Device IP Address + - NAS-IP-Address + - NAS-Port + - cisco_ise.log.log_details + - Acct-Input-Octets + - Acct-Output-Octets + - Acct-Input-Packets + - Acct-Output-Packets + - Acct-Session-Time + - Acct-Delay-Time + - RequestLatency + - Airespace-Wlan-Id + - Framed-IP-Address + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml new file mode 100644 index 00000000000..d89787b48a7 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml 
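Review bot: Accounting Start/Stop/Interim records are session-lifecycle events, yet the pipeline hard-codes `event.category: [configuration]` and `event.type: [info]` for all of them even though it extracts `Acct-Status-Type` into `cisco_ise.log.acct.status.type`; session-based monitoring and the `session`/`start`/`end` mapping the radius-diagnostics pipeline already uses will not see these. Deriving the values from the status — `session` with `start` for Start, `end` for Stop, `info` for Interim-Update — is three conditional `set` processors or one short `script`. Separately, the `convert` processors for `Device IP Address`, `NAS-IP-Address` and `Framed-IP-Address` use `ignore_failure: true` and the raw keys are then removed unconditionally, so a malformed or non-IP value vanishes from the document with no trace; `ignore_missing: true`, as the passed-authentications pipeline uses, lets a bad value surface through the pipeline's failure handling (presumably defined outside this hunk) instead of being silently dropped.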
@@ -0,0 +1,235 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - set: + field: cisco_ise.log.message.description + value: "RADIUS: An Access-Request MUST contain at least a NAS-IP-Address NAS-IPv6-Address, or a NAS-Identifier; Continue processing" + if: ctx?.cisco_ise?.log?.message?.code == "11015" + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["11001","11002","11004","11005","11006","11015"], "name": "iam"], + ["messageCodeArray": ["11036","11038","11507","11823","12300","12301","12302","12305","12307","12309","12318","12500","12814","12817"], "name": "authentication"], + ["messageCodeArray": ["11027","12500","12800","12805","12814","12817"], "name": "network"], + ["messageCodeArray": ["11117"], "name": "session"], + ["messageCodeArray": ["11017","11018"], "name": "configuration"] + 
]; + def typeReferenceTable = [ + ["messageCodeArray": ["11001","11002","11004","11005","11006","11015","11017","11018","11027","11036","11038","11117","11507","11823","12300","12301","12302","12305","12307","12309","12318","12500","12800","12805","12814","12817"], "name": "info"], + ["messageCodeArray": ["11823","12307","12309","12817"], "name": "end"], + ["messageCodeArray": ["11117"], "name": "start"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + ctx.event.type = eventType; + - gsub: + field: cisco_ise.log.log_details + pattern: \\, + replacement: '' + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - rename: + field: Acct-Session-Id + target_field: cisco_ise.log.acct.session.id + ignore_missing: true + - rename: + field: Acct-Status-Type + target_field: cisco_ise.log.acct.status.type + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - convert: + field: Airespace-Wlan-Id + target_field: cisco_ise.log.airespace.wlan.id + type: long + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_missing: true + - rename: + field: CPMSessionID + 
target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: DetailedInfo + target_field: cisco_ise.log.detailed_info + ignore_missing: true + - rename: + field: EapAuthentication + target_field: cisco_ise.log.eap.authentication + ignore_missing: true + - rename: + field: EapTunnel + target_field: cisco_ise.log.eap.tunnel + ignore_missing: true + - convert: + field: NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-Port + target_field: cisco_ise.log.nas.port.number + type: long + ignore_missing: true + - rename: + field: OpenSSLErrorMessage + target_field: cisco_ise.log.openssl.error.message + ignore_missing: true + - rename: + field: OpenSSLErrorStack + target_field: cisco_ise.log.openssl.error.stack + ignore_missing: true + - rename: + field: NAS-Port-Type + target_field: cisco_ise.log.nas.port.type + ignore_missing: true + - convert: + field: RadiusIdentifier + target_field: cisco_ise.log.radius_identifier + type: long + ignore_missing: true + - rename: + field: RadiusPacketType + target_field: cisco_ise.log.radius.packet.type + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - convert: + field: Session-Timeout + target_field: cisco_ise.log.session.timeout + type: long + ignore_missing: true + - rename: + field: State + target_field: cisco_ise.log.state + ignore_missing: true + - rename: + field: UseCase + target_field: cisco_ise.log.usecase + ignore_missing: true + - convert: + field: DestinationIPAddress + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - 
convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_missing: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: Device Port + target_field: client.port + type: long + ignore_missing: true + - rename: + field: Service-Type + target_field: service.type + ignore_missing: true + - rename: + field: User-Name + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + allow_duplicates: false + ignore_failure: true + - remove: + field: + - ConfigVersionId + - DestinationIPAddress + - DestinationPort + - Device IP Address + - Device Port + - NAS-IP-Address + - NAS-Port + - Airespace-Wlan-Id + - RadiusIdentifier + - Response + - Session-Timeout + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml new file mode 100644 index 00000000000..3832191710e --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml 
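Review bot: `Service-Type` is renamed to ECS `service.type` here, while the passed-authentications pipeline keeps the same attribute under `cisco_ise.log.service.type`; ECS `service.type` identifies the software that produced the event and is filtered on by shared dashboards and rules, whereas the RADIUS attribute carries values such as Framed or Login, so the rename should target `cisco_ise.log.service.type` for both correctness and consistency. The `append` to `related.user` from `{{{user.name}}}` has no `if: ctx?.user?.name != null` guard, so an absent `User-Name` most likely appends an empty string. Also the `set` for code `11015` stores a description that differs from the literal in the first grok pattern (the comma after `NAS-IP-Address` is missing), so the indexed description will not match the source message text; the two strings should be identical.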
@@ -0,0 +1,189 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.action + value: [system-stats] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: cisco_ise.log.log_details + if: ctx?.cisco_ise?.log?.message?.code == "70001" + patterns: + - "^ConfigVersionId=%{DATA:ConfigVersionId}, SysStatsAcsProcessHealth= %{GREEDYDATA:_tmp.SysStatsAcsProcessHealth}" + - kv: + if: ctx?.cisco_ise?.log?.message?.code == "70001" + field: _tmp.SysStatsAcsProcessHealth + target_field: SysStatsAcsProcessHealth + field_split: '; ' + value_split: = + ignore_failure: true + - kv: + if: ctx?.cisco_ise?.log?.message?.code != "70001" + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - kv: + field: OperationCounters + target_field: _tmp + field_split: ', ' + value_split: = + if: ctx?.cisco_ise?.log?.message?.code == "70011" + ignore_failure: true + - kv: + if: ctx?.cisco_ise?.log?.message?.code == "70011" + field: _tmp.Counter + target_field: Counters + field_split: "," + value_split: ":" + ignore_failure: true + - remove: + field: OperationCounters + if: ctx?.Counters != null + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def categoryReferenceTable 
= [ + ["messageCodeArray": ["70000","70011"], "name": "host"], + ["messageCodeArray": ["70001"], "name": "process"] + ]; + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + ctx.event.category = eventCategory.length > 0 ? eventCategory : null; + - convert: + field: ActiveSessionCount + target_field: cisco_ise.log.active_session.count + type: long + ignore_failure: true + - convert: + field: AverageRadiusRequestLatency + target_field: cisco_ise.log.average.radius.request.latency + type: long + ignore_failure: true + - convert: + field: AverageTacacsRequestLatency + target_field: cisco_ise.log.average.tacacs.request.latency + type: long + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: Counters + target_field: cisco_ise.log.operation_counters.counters + ignore_missing: true + - convert: + field: DeltaRadiusRequestCount + target_field: cisco_ise.log.delta.radius.request.count + type: long + ignore_failure: true + - convert: + field: DeltaTacacsRequestCount + target_field: cisco_ise.log.delta.tacacs.request.count + type: long + ignore_failure: true + - rename: + field: OperationCounters + target_field: cisco_ise.log.operation_counters.original + ignore_missing: true + - rename: + field: SysStatsAcsProcessHealth + target_field: cisco_ise.log.sysstats.acs.process.health + ignore_missing: true + - convert: + field: SysStatsCpuCount + target_field: cisco_ise.log.sysstats.cpu.count + type: long + ignore_failure: true + - convert: + field: SysStatsProcessMemoryMB + target_field: cisco_ise.log.sysstats.process_memory_mb + type: long + ignore_failure: true + - gsub: + field: SysStatsUtilizationCpu + pattern: '%' + replacement: '' + ignore_missing: true + - convert: + field: SysStatsUtilizationCpu + target_field: cisco_ise.log.sysstats.utilization.cpu + type: 
double + ignore_failure: true + - gsub: + field: SysStatsUtilizationDiskIO + pattern: '%' + replacement: '' + ignore_missing: true + - convert: + field: SysStatsUtilizationDiskIO + target_field: cisco_ise.log.sysstats.utilization.disk.io + type: double + ignore_failure: true + - rename: + field: SysStatsUtilizationDiskSpace + target_field: cisco_ise.log.sysstats.utilization.disk.space + ignore_missing: true + - convert: + field: SysStatsUtilizationLoadAvg + target_field: cisco_ise.log.sysstats.utilization.load_avg + type: double + ignore_failure: true + - gsub: + field: SysStatsUtilizationMemory + pattern: '%' + replacement: '' + ignore_missing: true + - convert: + field: SysStatsUtilizationMemory + target_field: cisco_ise.log.sysstats.utilization.memory + type: double + ignore_failure: true + - rename: + field: SysStatsUtilizationNetwork + target_field: cisco_ise.log.sysstats.utilization.network + ignore_missing: true + - remove: + field: + - ActiveSessionCount + - AverageRadiusRequestLatency + - AverageTacacsRequestLatency + - ConfigVersionId + - DeltaRadiusRequestCount + - DeltaTacacsRequestCount + - SysStatsCpuCount + - SysStatsProcessMemoryMB + - SysStatsUtilizationCpu + - SysStatsUtilizationDiskIO + - SysStatsUtilizationMemory + - SysStatsUtilizationLoadAvg + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml new file mode 100644 index 00000000000..839a9c4bb92 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml 
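Review bot: The last line of the painless script, `ctx.event.category = eventCategory.length > 0 ? eventCategory : null;`, reads `.length` on an `ArrayList`; Painless exposes `length` on arrays, not on `List`, so I expect this to throw for every event whose message code is set, and the `script` processor has no `ignore_failure` to contain it. The threat-centric pipeline in this same commit assigns the list directly; here `ctx.event.category = eventCategory.size() > 0 ? eventCategory : null;` keeps the intended null-when-unmatched behaviour. Separately, the final `remove` list drops the parsed counters but not `_tmp`, so `_tmp.timestamp`, `_tmp.SysStatsAcsProcessHealth` and `_tmp.Counter` remain on the indexed document; the TACACS accounting and threat-centric pipelines both remove `_tmp`, and adding `- _tmp` to this list would bring the pipeline in line with them.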
@@ -0,0 +1,245 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - gsub: + field: message + pattern: 'AVPair=' + replacement: 'AVPair.' + ignore_missing: true + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: CmdSet + target_field: cisco_ise.log.cmdset + ignore_missing: true + - convert: + field: RequestLatency + target_field: cisco_ise.log.request.latency + type: long + ignore_failure: true + - rename: + field: NetworkDeviceName + target_field: cisco_ise.log.network.device.name + ignore_missing: true + - rename: + field: Type + target_field: cisco_ise.log.type + 
ignore_missing: true + - convert: + field: Privilege-Level + target_field: cisco_ise.log.privilege.level + type: long + ignore_failure: true + - rename: + field: Service + target_field: cisco_ise.log.service.name + ignore_missing: true + - rename: + field: User + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Port + target_field: cisco_ise.log.port + ignore_missing: true + - convert: + field: Remote-Address + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Authen-Method + target_field: cisco_ise.log.authen_method + ignore_missing: true + - convert: + field: AVPair.task_id + target_field: cisco_ise.log.avpair.task_id + type: long + ignore_missing: true + - rename: + field: AVPair.timezone + target_field: cisco_ise.log.avpair.timezone + ignore_missing: true + - date: + field: AVPair.start_time + target_field: cisco_ise.log.avpair.start_time + if: ctx?.AVPair?.start_time != "0" + ignore_failure: true + formats: + - UNIX + - convert: + field: AVPair.priv-lvl + target_field: cisco_ise.log.avpair.priv_lvl + type: long + ignore_failure: true + - convert: + field: AVPair.disc-cause + target_field: cisco_ise.log.avpair.disc.cause + type: long + ignore_failure: true + - convert: + field: AVPair.disc-cause-ext + target_field: cisco_ise.log.avpair.disc.cause_ext + type: long + ignore_failure: true + - convert: + field: AVPair.pre-session-time + target_field: cisco_ise.log.avpair.pre_session_time + type: long + ignore_failure: true + - convert: + field: AVPair.elapsed_time + target_field: cisco_ise.log.avpair.elapsed_time + type: long + ignore_failure: true + - date: + field: AVPair.stop_time + target_field: cisco_ise.log.avpair.stop_time 
+ if: ctx?.cisco_ise?.log?.avPair?.stop_time != "0" + ignore_failure: true + formats: + - UNIX + - rename: + field: AcctRequest-Flags + target_field: cisco_ise.log.acct.request.flags + ignore_missing: true + - rename: + field: Service-Argument + target_field: cisco_ise.log.service.argument + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: NetworkDeviceGroups + target_field: cisco_ise.log.network.device.groups + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: Model Name + target_field: cisco_ise.log.model.name + ignore_missing: true + - rename: + field: Software Version + target_field: cisco_ise.log.software.version + ignore_missing: true + - rename: + field: Network Device Profile + target_field: cisco_ise.log.network.device.profile + ignore_missing: true + - rename: + field: Location + target_field: cisco_ise.log.location + ignore_missing: true + - rename: + field: Device Type + target_field: cisco_ise.log.device.type + ignore_missing: true + - rename: + field: IPSEC + target_field: cisco_ise.log.ipsec + ignore_missing: true + - rename: + field: Step + target_field: cisco_ise.log.step + ignore_missing: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - remove: + field: + - _tmp + - ConfigVersionId + - Device IP Address + - Remote-Address + - Response + - RequestLatency + - Privilege-Level + - cisco_ise.log.log_details + - AVPair.start_time + - AVPair.priv-lvl + - AVPair.disc-cause + - AVPair.disc-cause-ext + - AVPair.pre-session-time + - AVPair.elapsed_time + - AVPair.stop_time + - 
AVPair.task_id + - AVPair + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml new file mode 100644 index 00000000000..54768dfc50e --- /dev/null +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml 
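Review bot: The `date` processor for `AVPair.stop_time` is guarded by `if: ctx?.cisco_ise?.log?.avPair?.stop_time != "0"`, but at that point in the pipeline nothing has been written under `cisco_ise.log.avpair` (and the `avPair` casing appears nowhere else), so the condition compares `null` with `"0"` and is always true; a `stop_time` of `0` is then parsed as the UNIX epoch rather than skipped. The matching `start_time` processor a few lines above uses `if: ctx?.AVPair?.start_time != "0"`, so `if: ctx?.AVPair?.stop_time != "0"` is the consistent fix.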
@@ -0,0 +1,78 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["91110"], "name": "authentication"], + ["messageCodeArray": ["91004","91018"], "name": "configuration"] + ]; + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: Details + target_field: cisco_ise.log.details + ignore_missing: true + - rename: + field: AdapterInstanceName + target_field: cisco_ise.log.adapter_instance.name + ignore_missing: true + - rename: + field: AdapterInstanceUuid + target_field: cisco_ise.log.adapter_instance.uuid + ignore_missing: true + - rename: + field: Status + target_field: cisco_ise.log.status 
+ ignore_missing: true + - rename: + field: Connectivity + target_field: cisco_ise.log.connectivity + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - cisco_ise.log.log_details + ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/fields/agent.yml b/packages/cisco_ise/data_stream/log/fields/agent.yml new file mode 100644 index 00000000000..6e1bac042bc --- /dev/null +++ b/packages/cisco_ise/data_stream/log/fields/agent.yml 
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/cisco_ise/data_stream/log/fields/base-fields.yml b/packages/cisco_ise/data_stream/log/fields/base-fields.yml new file mode 100644 index 00000000000..45e558e2c9b --- /dev/null +++ b/packages/cisco_ise/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_ise.log +- name: event.module + type: constant_keyword + description: Event module + value: cisco_ise +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cisco_ise/data_stream/log/fields/ecs.yml b/packages/cisco_ise/data_stream/log/fields/ecs.yml new file mode 100644 index 00000000000..078f39d3eae --- /dev/null +++ b/packages/cisco_ise/data_stream/log/fields/ecs.yml @@ -0,0 +1,46 @@ +- external: ecs + name: client.ip +- external: ecs + name: client.port +- external: ecs + name: client.user.name +- external: ecs + name: destination.ip +- external: ecs + name: destination.port +- external: ecs + name: ecs.version +- external: ecs + name: event.sequence +- external: ecs + name: host.hostname +- external: ecs + name: host.ip +- external: ecs + name: log.level +- external: ecs + name: log.logger +- external: ecs + name: log.syslog.priority +- external: ecs + name: log.syslog.severity.name +- external: ecs + name: message +- external: ecs + name: network.protocol +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: service.type +- external: ecs + name: source.ip +- external: ecs + name: tags +- external: ecs + name: user.full_name +- external: ecs + name: user.name 
diff --git a/packages/cisco_ise/data_stream/log/fields/fields.yml b/packages/cisco_ise/data_stream/log/fields/fields.yml new file mode 100644 index 00000000000..2426988f9f0 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/fields/fields.yml 
@@ -0,0 +1,831 @@ +- name: cisco_ise.log + type: group + fields: + - name: acct + type: group + fields: + - name: authentic + type: keyword + - name: delay_time + type: long + - name: input + type: group + fields: + - name: octets + type: long + - name: packets + type: long + - name: output + type: group + fields: + - name: octets + type: long + - name: packets + type: long + - name: request + type: group + fields: + - name: flags + type: keyword + - name: session + type: group + fields: + - name: id + type: keyword + - name: time + type: long + - name: status + type: group + fields: + - name: type + type: keyword + - name: terminate_cause + type: keyword + - name: acme-av-pair + type: group + fields: + - name: audit-session-id + type: keyword + - name: service-type + type: keyword + - name: acs + type: group + fields: + - name: instance + type: keyword + - name: session + type: group + fields: + - name: id + type: keyword + - name: active_session + type: group + fields: + - name: count + type: long + - name: ad + type: group + fields: + - name: admin + type: keyword + - name: domain + type: group + fields: + - name: controller + type: keyword + - name: name + type: keyword + - name: error + type: group + fields: + - name: details + type: keyword + - name: forest + type: keyword + - name: hostname + type: keyword + - name: ip + type: ip + - name: log + type: keyword + - name: log_id + type: keyword + - name: organization_unit + type: text + - name: site + type: keyword + - name: srv + type: group + fields: + - name: query + type: keyword + - name: record + type: keyword + - name: adapter_instance + type: group + fields: + - name: name + type: keyword + - name: uuid + type: keyword + - name: admin + type: group + fields: + - name: interface + type: keyword + - name: session + type: keyword + - name: airespace + type: group + fields: + - name: wlan + type: group + fields: + - name: id + type: long + - name: allow + type: group + fields: + - name: easy + type: group + 
fields: + - name: wired + type: group + fields: + - name: session + type: keyword + - name: allowed_protocol + type: group + fields: + - name: matched + type: group + fields: + - name: rule + type: keyword + - name: assigned_targets + type: keyword + - name: auth + type: group + fields: + - name: policy + type: group + fields: + - name: matched + type: group + fields: + - name: rule + type: keyword + - name: authen_method + type: keyword + - name: authentication + type: group + fields: + - name: identity_store + type: keyword + - name: method + type: keyword + - name: status + type: keyword + - name: average + type: group + fields: + - name: radius + type: group + fields: + - name: request + type: group + fields: + - name: latency + type: long + - name: tacacs + type: group + fields: + - name: request + type: group + fields: + - name: latency + type: long + - name: avpair + type: group + fields: + - name: disc + type: group + fields: + - name: cause + type: long + - name: cause_ext + type: long + - name: elapsed_time + type: long + - name: pre_session_time + type: long + - name: priv_lvl + type: long + - name: start_time + type: date + - name: stop_time + type: date + - name: task_id + type: long + - name: timezone + type: keyword + - name: called_station + type: group + fields: + - name: id + type: keyword + - name: calling_station + type: group + fields: + - name: id + type: keyword + - name: category + type: group + fields: + - name: name + type: keyword + - name: cisco_av_pair + type: group + fields: + - name: coa-push + type: boolean + - name: cts-device-capability + type: keyword + - name: cts-environment-data + type: keyword + - name: cts-environment-version + type: keyword + - name: cts-pac-opaque + type: keyword + - name: class + type: keyword + - name: client + type: group + fields: + - name: latency + type: long + - name: cmdset + type: keyword + - name: component + type: keyword + - name: config_change + type: group + fields: + - name: data + type: 
keyword + - name: config_version + type: group + fields: + - name: id + type: long + - name: connectivity + type: keyword + - name: cpm + type: group + fields: + - name: session + type: group + fields: + - name: id + type: keyword + - name: currentid + type: group + fields: + - name: store_name + type: keyword + - name: delta + type: group + fields: + - name: radius + type: group + fields: + - name: request + type: group + fields: + - name: count + type: long + - name: tacacs + type: group + fields: + - name: request + type: group + fields: + - name: count + type: long + - name: detailed_info + type: text + - name: details + type: keyword + - name: device + type: group + fields: + - name: name + type: keyword + - name: registration_status + type: keyword + - name: type + type: keyword + - name: dtls_support + type: keyword + - name: eap_key + type: group + fields: + - name: name + type: keyword + - name: eap + type: group + fields: + - name: authentication + type: keyword + - name: chaining_result + type: keyword + - name: tunnel + type: keyword + - name: enable + type: group + fields: + - name: flag + type: keyword + - name: endpoint + type: group + fields: + - name: coa + type: keyword + - name: mac + type: group + fields: + - name: address + type: keyword + - name: policy + type: keyword + - name: profiler + type: keyword + - name: purge + type: group + fields: + - name: id + type: keyword + - name: rule + type: keyword + - name: scheduletype + type: keyword + - name: ep + type: group + fields: + - name: identity_group + type: keyword + - name: mac + type: group + fields: + - name: address + type: keyword + - name: error + type: group + fields: + - name: message + type: keyword + - name: event + type: group + fields: + - name: timestamp + type: date + - name: failure + type: group + fields: + - name: flag + type: boolean + - name: reason + type: keyword + - name: feed_service + type: group + fields: + - name: feed + type: group + fields: + - name: name + type: 
keyword + - name: version + type: keyword + - name: host + type: keyword + - name: port + type: keyword + - name: query + type: group + fields: + - name: from_time + type: date + - name: to_time + type: date + - name: file + type: group + fields: + - name: name + type: keyword + - name: first_name + type: keyword + - name: framed + type: group + fields: + - name: ip + type: ip + - name: mtu + type: long + - name: groups + type: group + fields: + - name: process_failure + type: boolean + - name: guest + type: group + fields: + - name: user + type: group + fields: + - name: name + type: keyword + - name: identity + type: group + fields: + - name: group + type: keyword + - name: identity + type: group + fields: + - name: policy + type: group + fields: + - name: matched + type: group + fields: + - name: rule + type: keyword + - name: selection + type: group + fields: + - name: matched + type: group + fields: + - name: rule + type: keyword + - name: ipsec + type: keyword + - name: is_third_party_device_flow + type: boolean + - name: ise + type: group + fields: + - name: policy + type: group + fields: + - name: set_name + type: keyword + - name: last_name + type: keyword + - name: local_logging + type: keyword + - name: location + type: keyword + - name: log_details + type: text + - name: log_error + type: group + fields: + - name: message + type: keyword + - name: log_severity_level + type: keyword + - name: logger + type: group + fields: + - name: name + type: keyword + - name: message + type: group + fields: + - name: code + type: keyword + - name: description + type: text + - name: id + type: keyword + - name: text + type: keyword + - name: misconfigured + type: group + fields: + - name: client + type: group + fields: + - name: fix + type: group + fields: + - name: reason + type: keyword + - name: model + type: group + fields: + - name: name + type: keyword + - name: nas + type: group + fields: + - name: identifier + type: keyword + - name: ip + type: ip + - name: 
port + type: group + fields: + - name: id + type: keyword + - name: number + type: long + - name: type + type: keyword + - name: network + type: group + fields: + - name: device + type: group + fields: + - name: groups + type: keyword + - name: name + type: keyword + - name: profile + type: keyword + - name: profile_id + type: keyword + - name: profile_name + type: keyword + - name: object + type: group + fields: + - name: internal.id + type: keyword + - name: name + type: keyword + - name: type + type: keyword + - name: objects + type: group + fields: + - name: purged + type: keyword + - name: openssl + type: group + fields: + - name: error + type: group + fields: + - name: message + type: keyword + - name: stack + type: keyword + - name: operation_counters + type: group + fields: + - name: counters + type: flattened + - name: original + type: text + - name: operation_message + type: group + fields: + - name: text + type: keyword + - name: operation + type: group + fields: + - name: id + type: keyword + - name: status + type: keyword + - name: type + type: keyword + - name: original + type: group + fields: + - name: user + type: group + fields: + - name: name + type: keyword + - name: policy + type: group + fields: + - name: type + type: keyword + - name: port + type: keyword + - name: portal + type: group + fields: + - name: name + type: keyword + - name: posture + type: group + fields: + - name: assessment + type: group + fields: + - name: status + type: keyword + - name: privilege + type: group + fields: + - name: level + type: long + - name: probe + type: keyword + - name: profiler + type: group + fields: + - name: server + type: keyword + - name: protocol + type: keyword + - name: psn + type: group + fields: + - name: hostname + type: keyword + - name: radius_identifier + type: long + - name: radius_packet + type: group + fields: + - name: type + type: keyword + - name: radius + type: group + fields: + - name: flow + type: group + fields: + - name: type + 
type: keyword + - name: packet + type: group + fields: + - name: type + type: keyword + - name: request_response + type: group + fields: + - name: type + type: keyword + - name: request + type: group + fields: + - name: latency + type: long + - name: received_time + type: date + - name: response + type: flattened + - name: segment + type: group + fields: + - name: number + type: long + - name: total + type: long + - name: selected + type: group + fields: + - name: access + type: group + fields: + - name: service + type: keyword + - name: authentication + type: group + fields: + - name: identity_stores + type: keyword + - name: authorization + type: group + fields: + - name: profiles + type: keyword + - name: sequence + type: group + fields: + - name: number + type: long + - name: server + type: group + fields: + - name: name + type: keyword + - name: type + type: keyword + - name: service + type: group + fields: + - name: argument + type: keyword + - name: name + type: keyword + - name: type + type: keyword + - name: session + type: group + fields: + - name: timeout + type: long + - name: severity + type: group + fields: + - name: level + type: long + - name: software + type: group + fields: + - name: version + type: keyword + - name: state + type: text + - name: static + type: group + fields: + - name: assignment + type: boolean + - name: step + type: keyword + - name: step_data + type: keyword + - name: step_latency + type: keyword + - name: state + type: keyword + - name: status + type: keyword + - name: sysstats + type: group + fields: + - name: acs + type: group + fields: + - name: process + type: group + fields: + - name: health + type: flattened + - name: cpu + type: group + fields: + - name: count + type: long + - name: process_memory_mb + type: long + - name: utilization + type: group + fields: + - name: cpu + type: double + - name: disk + type: group + fields: + - name: io + type: double + - name: space + type: keyword + - name: load_avg + type: double + 
- name: memory + type: double + - name: network + type: keyword + - name: tls + type: group + fields: + - name: cipher + type: keyword + - name: version + type: keyword + - name: total + type: group + fields: + - name: authen + type: group + fields: + - name: latency + type: long + - name: failed_attempts + type: long + - name: failed_time + type: long + - name: tunnel + type: group + fields: + - name: medium + type: group + fields: + - name: type + type: keyword + - name: private + type: group + fields: + - name: group_id + type: keyword + - name: type + type: keyword + - name: type + type: keyword + - name: undefined_52 + type: keyword + - name: usecase + type: keyword + - name: user + type: group + fields: + - name: type + type: keyword + - name: workflow + type: flattened +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/cisco_ise/data_stream/log/manifest.yml b/packages/cisco_ise/data_stream/log/manifest.yml new file mode 100644 index 00000000000..e0bae293cd6 --- /dev/null +++ b/packages/cisco_ise/data_stream/log/manifest.yml 
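Review bot: `cisco_ise.log` appears to declare `state` twice in this hunk, once as `type: text` immediately after `software.version` and once as `type: keyword` between `step_latency` and `status`; with the indentation lost in this view I cannot be certain both sit at the same level, but if they do, the duplicate definition will either fail field validation or leave two conflicting mappings for one field. The pipeline hunk earlier on this page renames `State` to `cisco_ise.log.state`, so only one entry is needed; `keyword` is the usual choice if the value is filtered on or aggregated, `text` only if it holds free-form prose. Worth confirming which one the package's field validation accepts before dropping the other.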
@@ -0,0 +1,63 @@ +title: Cisco ISE logs +type: logs +streams: + - input: tcp + template_path: tcp.yml.hbs + title: Cisco_ISE logs + description: Collect Cisco ISE logs via TCP input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_ise-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + template_path: udp.yml.hbs + title: Cisco_ISE logs + description: Collect Cisco ISE logs via UDP input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_ise-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
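Review bot: Neither the tcp nor the udp stream in this manifest declares an `ssl` var, so unless `tcp.yml.hbs` or the package-level manifest (both outside this hunk) render TLS settings, the TCP listener takes the ISE syslog feed in cleartext; these records carry user names, device addresses and executed command sets, and an unauthenticated listener also accepts log lines from anything that can reach the port. Listen host and port are not declared here either, so I assume they come from the package manifest — worth confirming that an `ssl` option is not already defined there. If no TLS option exists elsewhere, add an `ssl` var to the tcp stream and render it in `tcp.yml.hbs` (`{{#if ssl}}ssl: {{ssl}}{{/if}}`), for example:
```yaml
  - input: tcp
    # … unchanged: template_path, title, description …
    vars:
      # … unchanged: tags, preserve_original_event, processors vars …
      - name: ssl
        type: yaml
        title: SSL Configuration
        description: SSL configuration options for the TCP listener. See the Filebeat SSL configuration documentation (https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for details.
        multi: false
        required: false
        show_user: false
```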
diff --git a/packages/cisco_ise/data_stream/log/sample_event.json b/packages/cisco_ise/data_stream/log/sample_event.json
new file mode 100644
index 00000000000..f4524cb7412
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/sample_event.json
@@ -0,0 +1,184 @@ +{ + "@timestamp": "2020-02-21T19:13:08.328Z", + "agent": { + "ephemeral_id": "868c4a5a-ab3d-44f9-b28c-dd0da1bd08f8", + "id": "882c1c63-68d0-49f9-8411-0e89960d3b00", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.0" + }, + "cisco_ise": { + "log": { + "acct": { + "request": { + "flags": "Stop" + } + }, + "acs": { + "session": { + "id": "ldnnacpsn1/359344348/952729" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": 2962, + "timezone": "GMT" + }, + "category": { + "name": "CISE_TACACS_Accounting" + }, + "cmdset": "[ CmdAV=show mac-address-table \u003ccr\u003e ]", + "config_version": { + "id": 1829 + }, + "cpm": { + "session": { + "id": "81.2.69.144Accounting306034364" + } + }, + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] + }, + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], + "message": { + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" + ], + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] + } + }, + "port": "tty10", + "privilege": { + "level": 15 + }, + "request": { + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" + }, + "segment": { + "number": 0, + "total": 4 + }, + "selected": { + "access": { + "service": "Device Admin - TACACS" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, + "step": [ + "13006", + "15049", + "15008", + "15048", + "13035" + ], + "type": "Accounting" + } + }, + "client": { + "ip": "81.2.69.144" + }, + 
"data_stream": { + "dataset": "cisco_ise.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "882c1c63-68d0-49f9-8411-0e89960d3b00", + "snapshot": true, + "version": "8.3.0" + }, + "event": { + "action": "tacacs-accounting", + "agent_id_status": "verified", + "category": [ + "configuration" + ], + "dataset": "cisco_ise.log", + "ingested": "2022-04-15T15:33:23Z", + "kind": "event", + "sequence": 18415781, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "notice", + "source": { + "address": "172.25.0.1:51632" + }, + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=2962, AVPair.timezone=GMT, AVPair.start_time=1585185432, AVPair.priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All 
Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "psxvne" + ] + }, + "tags": [ + "forwarded", + "cisco_ise-log" + ], + "user": { + "name": "psxvne" + } +} \ No newline at end of file diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md new file mode 100644 index 00000000000..9e7295a4111 --- /dev/null +++ b/packages/cisco_ise/docs/README.md 
@@ -0,0 +1,498 @@ +# Cisco ISE + +The Cisco ISE integration collects and parses data from [Cisco Identity Services Engine](https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html) (ISE) using TCP/UDP. + +## Compatibility + +This module has been tested against `Cisco ISE server version 3.1.0.518`. + +## Requirements + +- Enable the integration with the TCP/UDP input. +- Sign in to Cisco ISE Portal. +- Configure Remote Syslog Collection Locations. + - **Procedure** + 1. In Cisco ISE Administrator Portal, go to **Administration** > **System** > **Logging** > **Remote Logging Targets**. + 2. Click **Add**. + ![Cisco ISE server setup image](../img/cisco-ise-setup.png) + 3. Enter all the **Required Details**. + 4. Set the maximum length to **8192**. + 5. Click **Submit**. + 6. Go to the **Remote Logging Targets** page and verify the creation of the new target. + +## Note +- It is recommended to have **8192** as Maximum Message Length. Segmentation for certain logs coming from Cisco ISE might cause issues with field mappings. + +## Logs + +Reference link for Cisco ISE Syslog: [Here](https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html) + +### log + +This is the `log` dataset. 
+ +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2020-02-21T19:13:08.328Z", + "agent": { + "ephemeral_id": "868c4a5a-ab3d-44f9-b28c-dd0da1bd08f8", + "id": "882c1c63-68d0-49f9-8411-0e89960d3b00", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.0" + }, + "cisco_ise": { + "log": { + "acct": { + "request": { + "flags": "Stop" + } + }, + "acs": { + "session": { + "id": "ldnnacpsn1/359344348/952729" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": 2962, + "timezone": "GMT" + }, + "category": { + "name": "CISE_TACACS_Accounting" + }, + "cmdset": "[ CmdAV=show mac-address-table \u003ccr\u003e ]", + "config_version": { + "id": 1829 + }, + "cpm": { + "session": { + "id": "81.2.69.144Accounting306034364" + } + }, + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] + }, + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], + "message": { + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" + ], + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] + } + }, + "port": "tty10", + "privilege": { + "level": 15 + }, + "request": { + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" + }, + "segment": { + "number": 0, + "total": 4 + }, + "selected": { + "access": { + "service": "Device Admin - TACACS" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, + "step": [ + "13006", + "15049", + "15008", + "15048", + "13035" + ], + "type": "Accounting" + } + }, + "client": 
{ + "ip": "81.2.69.144" + }, + "data_stream": { + "dataset": "cisco_ise.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "882c1c63-68d0-49f9-8411-0e89960d3b00", + "snapshot": true, + "version": "8.3.0" + }, + "event": { + "action": "tacacs-accounting", + "agent_id_status": "verified", + "category": [ + "configuration" + ], + "dataset": "cisco_ise.log", + "ingested": "2022-04-15T15:33:23Z", + "kind": "event", + "sequence": 18415781, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "notice", + "source": { + "address": "172.25.0.1:51632" + }, + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=2962, AVPair.timezone=GMT, AVPair.start_time=1585185432, AVPair.priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, 
Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "psxvne" + ] + }, + "tags": [ + "forwarded", + "cisco_ise-log" + ], + "user": { + "name": "psxvne" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_ise.log.acct.authentic | | keyword | +| cisco_ise.log.acct.delay_time | | long | +| cisco_ise.log.acct.input.octets | | long | +| cisco_ise.log.acct.input.packets | | long | +| cisco_ise.log.acct.output.octets | | long | +| cisco_ise.log.acct.output.packets | | long | +| cisco_ise.log.acct.request.flags | | keyword | +| cisco_ise.log.acct.session.id | | keyword | +| cisco_ise.log.acct.session.time | | long | +| cisco_ise.log.acct.status.type | | keyword | +| cisco_ise.log.acct.terminate_cause | | keyword | +| cisco_ise.log.acme-av-pair.audit-session-id | | keyword | +| cisco_ise.log.acme-av-pair.service-type | | keyword | +| cisco_ise.log.acs.instance | | keyword | +| cisco_ise.log.acs.session.id | | keyword | +| cisco_ise.log.active_session.count | | long | +| cisco_ise.log.ad.admin | | keyword | +| cisco_ise.log.ad.domain.controller | | keyword | +| cisco_ise.log.ad.domain.name | | keyword | +| cisco_ise.log.ad.error.details | | keyword | +| cisco_ise.log.ad.forest | | keyword | +| cisco_ise.log.ad.hostname | | keyword | +| cisco_ise.log.ad.ip | | ip | +| cisco_ise.log.ad.log | | keyword | +| cisco_ise.log.ad.log_id | | keyword | +| cisco_ise.log.ad.organization_unit | | text | +| cisco_ise.log.ad.site | | keyword | +| cisco_ise.log.ad.srv.query | | keyword | +| cisco_ise.log.ad.srv.record | | keyword | +| cisco_ise.log.adapter_instance.name | | keyword | +| cisco_ise.log.adapter_instance.uuid | | keyword | +| cisco_ise.log.admin.interface | | keyword | +| cisco_ise.log.admin.session 
| | keyword | +| cisco_ise.log.airespace.wlan.id | | long | +| cisco_ise.log.allow.easy.wired.session | | keyword | +| cisco_ise.log.allowed_protocol.matched.rule | | keyword | +| cisco_ise.log.assigned_targets | | keyword | +| cisco_ise.log.auth.policy.matched.rule | | keyword | +| cisco_ise.log.authen_method | | keyword | +| cisco_ise.log.authentication.identity_store | | keyword | +| cisco_ise.log.authentication.method | | keyword | +| cisco_ise.log.authentication.status | | keyword | +| cisco_ise.log.average.radius.request.latency | | long | +| cisco_ise.log.average.tacacs.request.latency | | long | +| cisco_ise.log.avpair.disc.cause | | long | +| cisco_ise.log.avpair.disc.cause_ext | | long | +| cisco_ise.log.avpair.elapsed_time | | long | +| cisco_ise.log.avpair.pre_session_time | | long | +| cisco_ise.log.avpair.priv_lvl | | long | +| cisco_ise.log.avpair.start_time | | date | +| cisco_ise.log.avpair.stop_time | | date | +| cisco_ise.log.avpair.task_id | | long | +| cisco_ise.log.avpair.timezone | | keyword | +| cisco_ise.log.called_station.id | | keyword | +| cisco_ise.log.calling_station.id | | keyword | +| cisco_ise.log.category.name | | keyword | +| cisco_ise.log.cisco_av_pair.coa-push | | boolean | +| cisco_ise.log.cisco_av_pair.cts-device-capability | | keyword | +| cisco_ise.log.cisco_av_pair.cts-environment-data | | keyword | +| cisco_ise.log.cisco_av_pair.cts-environment-version | | keyword | +| cisco_ise.log.cisco_av_pair.cts-pac-opaque | | keyword | +| cisco_ise.log.class | | keyword | +| cisco_ise.log.client.latency | | long | +| cisco_ise.log.cmdset | | keyword | +| cisco_ise.log.component | | keyword | +| cisco_ise.log.config_change.data | | keyword | +| cisco_ise.log.config_version.id | | long | +| cisco_ise.log.connectivity | | keyword | +| cisco_ise.log.cpm.session.id | | keyword | +| cisco_ise.log.currentid.store_name | | keyword | +| cisco_ise.log.delta.radius.request.count | | long | +| cisco_ise.log.delta.tacacs.request.count | | long | 
+| cisco_ise.log.detailed_info | | text | +| cisco_ise.log.details | | keyword | +| cisco_ise.log.device.name | | keyword | +| cisco_ise.log.device.registration_status | | keyword | +| cisco_ise.log.device.type | | keyword | +| cisco_ise.log.dtls_support | | keyword | +| cisco_ise.log.eap.authentication | | keyword | +| cisco_ise.log.eap.chaining_result | | keyword | +| cisco_ise.log.eap.tunnel | | keyword | +| cisco_ise.log.eap_key.name | | keyword | +| cisco_ise.log.enable.flag | | keyword | +| cisco_ise.log.endpoint.coa | | keyword | +| cisco_ise.log.endpoint.mac.address | | keyword | +| cisco_ise.log.endpoint.policy | | keyword | +| cisco_ise.log.endpoint.profiler | | keyword | +| cisco_ise.log.endpoint.purge.id | | keyword | +| cisco_ise.log.endpoint.purge.rule | | keyword | +| cisco_ise.log.endpoint.purge.scheduletype | | keyword | +| cisco_ise.log.ep.identity_group | | keyword | +| cisco_ise.log.ep.mac.address | | keyword | +| cisco_ise.log.error.message | | keyword | +| cisco_ise.log.event.timestamp | | date | +| cisco_ise.log.failure.flag | | boolean | +| cisco_ise.log.failure.reason | | keyword | +| cisco_ise.log.feed_service.feed.name | | keyword | +| cisco_ise.log.feed_service.feed.version | | keyword | +| cisco_ise.log.feed_service.host | | keyword | +| cisco_ise.log.feed_service.port | | keyword | +| cisco_ise.log.feed_service.query.from_time | | date | +| cisco_ise.log.feed_service.query.to_time | | date | +| cisco_ise.log.file.name | | keyword | +| cisco_ise.log.first_name | | keyword | +| cisco_ise.log.framed.ip | | ip | +| cisco_ise.log.framed.mtu | | long | +| cisco_ise.log.groups.process_failure | | boolean | +| cisco_ise.log.guest.user.name | | keyword | +| cisco_ise.log.identity.group | | keyword | +| cisco_ise.log.identity.policy.matched.rule | | keyword | +| cisco_ise.log.identity.selection.matched.rule | | keyword | +| cisco_ise.log.ipsec | | keyword | +| cisco_ise.log.is_third_party_device_flow | | boolean | +| 
cisco_ise.log.ise.policy.set_name | | keyword | +| cisco_ise.log.last_name | | keyword | +| cisco_ise.log.local_logging | | keyword | +| cisco_ise.log.location | | keyword | +| cisco_ise.log.log_details | | text | +| cisco_ise.log.log_error.message | | keyword | +| cisco_ise.log.log_severity_level | | keyword | +| cisco_ise.log.logger.name | | keyword | +| cisco_ise.log.message.code | | keyword | +| cisco_ise.log.message.description | | text | +| cisco_ise.log.message.id | | keyword | +| cisco_ise.log.message.text | | keyword | +| cisco_ise.log.misconfigured.client.fix.reason | | keyword | +| cisco_ise.log.model.name | | keyword | +| cisco_ise.log.nas.identifier | | keyword | +| cisco_ise.log.nas.ip | | ip | +| cisco_ise.log.nas.port.id | | keyword | +| cisco_ise.log.nas.port.number | | long | +| cisco_ise.log.nas.port.type | | keyword | +| cisco_ise.log.network.device.groups | | keyword | +| cisco_ise.log.network.device.name | | keyword | +| cisco_ise.log.network.device.profile | | keyword | +| cisco_ise.log.network.device.profile_id | | keyword | +| cisco_ise.log.network.device.profile_name | | keyword | +| cisco_ise.log.object.internal.id | | keyword | +| cisco_ise.log.object.name | | keyword | +| cisco_ise.log.object.type | | keyword | +| cisco_ise.log.objects.purged | | keyword | +| cisco_ise.log.openssl.error.message | | keyword | +| cisco_ise.log.openssl.error.stack | | keyword | +| cisco_ise.log.operation.id | | keyword | +| cisco_ise.log.operation.status | | keyword | +| cisco_ise.log.operation.type | | keyword | +| cisco_ise.log.operation_counters.counters | | flattened | +| cisco_ise.log.operation_counters.original | | text | +| cisco_ise.log.operation_message.text | | keyword | +| cisco_ise.log.original.user.name | | keyword | +| cisco_ise.log.policy.type | | keyword | +| cisco_ise.log.port | | keyword | +| cisco_ise.log.portal.name | | keyword | +| cisco_ise.log.posture.assessment.status | | keyword | +| cisco_ise.log.privilege.level | | long | +| 
cisco_ise.log.probe | | keyword | +| cisco_ise.log.profiler.server | | keyword | +| cisco_ise.log.protocol | | keyword | +| cisco_ise.log.psn.hostname | | keyword | +| cisco_ise.log.radius.flow.type | | keyword | +| cisco_ise.log.radius.packet.type | | keyword | +| cisco_ise.log.radius_identifier | | long | +| cisco_ise.log.radius_packet.type | | keyword | +| cisco_ise.log.request.latency | | long | +| cisco_ise.log.request.received_time | | date | +| cisco_ise.log.request_response.type | | keyword | +| cisco_ise.log.response | | flattened | +| cisco_ise.log.segment.number | | long | +| cisco_ise.log.segment.total | | long | +| cisco_ise.log.selected.access.service | | keyword | +| cisco_ise.log.selected.authentication.identity_stores | | keyword | +| cisco_ise.log.selected.authorization.profiles | | keyword | +| cisco_ise.log.sequence.number | | long | +| cisco_ise.log.server.name | | keyword | +| cisco_ise.log.server.type | | keyword | +| cisco_ise.log.service.argument | | keyword | +| cisco_ise.log.service.name | | keyword | +| cisco_ise.log.service.type | | keyword | +| cisco_ise.log.session.timeout | | long | +| cisco_ise.log.severity.level | | long | +| cisco_ise.log.software.version | | keyword | +| cisco_ise.log.state | | text | +| cisco_ise.log.static.assignment | | boolean | +| cisco_ise.log.status | | keyword | +| cisco_ise.log.step | | keyword | +| cisco_ise.log.step_data | | keyword | +| cisco_ise.log.step_latency | | keyword | +| cisco_ise.log.sysstats.acs.process.health | | flattened | +| cisco_ise.log.sysstats.cpu.count | | long | +| cisco_ise.log.sysstats.process_memory_mb | | long | +| cisco_ise.log.sysstats.utilization.cpu | | double | +| cisco_ise.log.sysstats.utilization.disk.io | | double | +| cisco_ise.log.sysstats.utilization.disk.space | | keyword | +| cisco_ise.log.sysstats.utilization.load_avg | | double | +| cisco_ise.log.sysstats.utilization.memory | | double | +| cisco_ise.log.sysstats.utilization.network | | keyword | +| 
cisco_ise.log.tls.cipher | | keyword | +| cisco_ise.log.tls.version | | keyword | +| cisco_ise.log.total.authen.latency | | long | +| cisco_ise.log.total.failed_attempts | | long | +| cisco_ise.log.total.failed_time | | long | +| cisco_ise.log.tunnel.medium.type | | keyword | +| cisco_ise.log.tunnel.private.group_id | | keyword | +| cisco_ise.log.tunnel.type | | keyword | +| cisco_ise.log.type | | keyword | +| cisco_ise.log.undefined_52 | | keyword | +| cisco_ise.log.usecase | | keyword | +| cisco_ise.log.user.type | | keyword | +| cisco_ise.log.workflow | | flattened | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. 
| keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. 
| keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/cisco_ise/img/cisco-ise-logo.svg b/packages/cisco_ise/img/cisco-ise-logo.svg new file mode 100644 index 00000000000..43f57cb7fee --- /dev/null +++ b/packages/cisco_ise/img/cisco-ise-logo.svg @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + + + 
diff --git a/packages/cisco_ise/img/cisco-ise-screenshot.png b/packages/cisco_ise/img/cisco-ise-screenshot.png
new file mode 100644
index 00000000000..bda562ccabe
Binary files /dev/null and b/packages/cisco_ise/img/cisco-ise-screenshot.png differ
diff --git a/packages/cisco_ise/img/cisco-ise-setup.png b/packages/cisco_ise/img/cisco-ise-setup.png
new file mode 100644
index 00000000000..c6e2b94b6c6
Binary files /dev/null and b/packages/cisco_ise/img/cisco-ise-setup.png differ
diff --git a/packages/cisco_ise/kibana/dashboard/cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/dashboard/cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83.json
new file mode 100644
index 00000000000..93747f39dc9
--- /dev/null
+++ b/packages/cisco_ise/kibana/dashboard/cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83.json
@@ -0,0 +1,213 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": [ + "CISE_Internal_Operations_Diagnostics", + "CISE_Threat_Centric_NAC" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Internal_Operations_Diagnostics" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Threat_Centric_NAC" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "9bd4d444-de17-43de-beb0-89d4d4ecc187", + "w": 48, + "x": 0, + "y": 45 + }, + "panelIndex": "9bd4d444-de17-43de-beb0-89d4d4ecc187", + "panelRefName": "panel_0", + "title": "System Diagnostics Log Stream for Threat Centric NAC [Logs Cisco ISE]", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "3d8fa06f-bd70-438d-bbcb-778dc278d228", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "3d8fa06f-bd70-438d-bbcb-778dc278d228", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "7dd60577-882f-4428-adf4-9ec7048032dc", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": 
"7dd60577-882f-4428-adf4-9ec7048032dc", + "panelRefName": "panel_2", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "db158b71-11fd-4950-b0e4-e9e4893aaebb", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "db158b71-11fd-4950-b0e4-e9e4893aaebb", + "panelRefName": "panel_3", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "c6007a66-0f97-4948-a6f9-313a47c00f42", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "c6007a66-0f97-4948-a6f9-313a47c00f42", + "panelRefName": "panel_4", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "1a99a183-dc6e-4412-8d81-46f53eb295f5", + "w": 48, + "x": 0, + "y": 30 + }, + "panelIndex": "1a99a183-dc6e-4412-8d81-46f53eb295f5", + "panelRefName": "panel_5", + "title": "System Diagnostics Log Stream for Internal Operations Diagnostics [Logs Cisco ISE]", + "type": "search", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Cisco ISE] System Diagnostics", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "search" + }, + { + "id": "cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": 
"cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9", + "name": "panel_5", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/dashboard/cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/dashboard/cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..5bb7ac4b744 --- /dev/null +++ b/packages/cisco_ise/kibana/dashboard/cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,155 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": { + "query": "CISE_Posture_and_Client_Provisioning_Audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Posture_and_Client_Provisioning_Audit" + } + } + } + ], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "22a9db51-a883-4947-b41b-2c06ce7e492e", + "w": 16, + "x": 0, + "y": 0 + }, + "panelIndex": "22a9db51-a883-4947-b41b-2c06ce7e492e", + "panelRefName": "panel_0", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 14, + "i": "03ebbffc-5648-4560-9510-5f27f7c59da9", + "w": 16, + "x": 16, + "y": 0 + }, + "panelIndex": "03ebbffc-5648-4560-9510-5f27f7c59da9", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 14, + "i": "ca7116cf-93be-4a75-99e2-3ee133c367aa", + "w": 16, + "x": 32, + "y": 0 + }, + "panelIndex": "ca7116cf-93be-4a75-99e2-3ee133c367aa", + "panelRefName": "panel_2", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": 
"b847c86c-1ef1-4ef4-afed-baac77ee2ce0", + "w": 48, + "x": 0, + "y": 14 + }, + "panelIndex": "b847c86c-1ef1-4ef4-afed-baac77ee2ce0", + "panelRefName": "panel_3", + "title": "Posture and Client Provisioning Audit Log Stream [Logs Cisco ISE]", + "type": "search", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Cisco ISE] Posture and Client Provisioning Audit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/dashboard/cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/dashboard/cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..92f43cd4f17 --- /dev/null +++ b/packages/cisco_ise/kibana/dashboard/cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,148 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": { + "query": "CISE_System_Statistics" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_System_Statistics" + } + } + } + ], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "d7a85d7c-eb7a-4f92-8f90-205c60ed892b", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "d7a85d7c-eb7a-4f92-8f90-205c60ed892b", + "panelRefName": "panel_0", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0674168e-3642-43ed-8251-3a03f5880371", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "0674168e-3642-43ed-8251-3a03f5880371", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "57265bb8-6c32-4d2f-a3e3-376d5ab35a8d", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "57265bb8-6c32-4d2f-a3e3-376d5ab35a8d", + "panelRefName": "panel_2", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b3238d64-db19-4274-ae79-e2870bf314e4", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": 
"b3238d64-db19-4274-ae79-e2870bf314e4", + "panelRefName": "panel_3", + "type": "visualization", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Cisco ISE] System Statistics", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/dashboard/cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/dashboard/cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..e4cdfc28870 --- /dev/null +++ b/packages/cisco_ise/kibana/dashboard/cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,350 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": [ + "CISE_Failed_Attempts", + "CISE_Passed_Authentications" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Failed_Attempts" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Passed_Authentications" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "6ec5efbd-54ba-4c2c-8213-3cfa11fa25dd", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "6ec5efbd-54ba-4c2c-8213-3cfa11fa25dd", + "panelRefName": "panel_0", + "title": "Top 10 Device IP Address [Logs Cisco ISE]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "4232cb43-a1cb-45e2-8f8b-e523232e41bc", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "4232cb43-a1cb-45e2-8f8b-e523232e41bc", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a41df091-467a-48a5-a4c4-bfdda2c964ae", + "w": 16, + "x": 0, + "y": 15 + }, + "panelIndex": "a41df091-467a-48a5-a4c4-bfdda2c964ae", + "panelRefName": "panel_2", + 
"title": "Top 10 Network Device Names [Logs Cisco ISE]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "2ed21712-e74e-4d26-a3e8-6888e2d3ee46", + "w": 16, + "x": 16, + "y": 15 + }, + "panelIndex": "2ed21712-e74e-4d26-a3e8-6888e2d3ee46", + "panelRefName": "panel_3", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "85db9e7a-7390-4797-bef4-98b487427c43", + "w": 16, + "x": 32, + "y": 15 + }, + "panelIndex": "85db9e7a-7390-4797-bef4-98b487427c43", + "panelRefName": "panel_4", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7b136990-2ba1-4f99-9e0b-55b00b76bbd4", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "7b136990-2ba1-4f99-9e0b-55b00b76bbd4", + "panelRefName": "panel_5", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "1f6e0bdd-f67b-431e-8634-1299c4e5a605", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "1f6e0bdd-f67b-431e-8634-1299c4e5a605", + "panelRefName": "panel_6", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "64f258c3-4824-4d67-b083-e8e02ba926cc", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "64f258c3-4824-4d67-b083-e8e02ba926cc", + "panelRefName": "panel_7", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "1ff51a84-32bb-4147-bc8a-cc5e13abfd6d", + "w": 24, + "x": 24, + "y": 45 + }, 
+ "panelIndex": "1ff51a84-32bb-4147-bc8a-cc5e13abfd6d", + "panelRefName": "panel_8", + "title": " Distribution of Events by User Type [Logs Cisco ISE]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "cc4bf643-08b2-4500-841d-ad8216532309", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "cc4bf643-08b2-4500-841d-ad8216532309", + "panelRefName": "panel_9", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "5b616616-c8a5-44ed-ac39-cf94acf2d625", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "5b616616-c8a5-44ed-ac39-cf94acf2d625", + "panelRefName": "panel_10", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "c823be14-f41c-434a-98ed-434b7da90ac9", + "w": 48, + "x": 0, + "y": 75 + }, + "panelIndex": "c823be14-f41c-434a-98ed-434b7da90ac9", + "panelRefName": "panel_11", + "title": "AAA Audit Log Stream [Logs Cisco ISE]", + "type": "search", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Cisco ISE] AAA Audit ", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" 
+ }, + { + "id": "cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83", + "name": "panel_11", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/dashboard/cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/dashboard/cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..5f01184b0bb --- /dev/null +++ b/packages/cisco_ise/kibana/dashboard/cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83.json 
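Review bot: The dashboard title in this hunk, `"title": "[Cisco ISE] AAA Audit "`, carries a trailing space, and the panel_8 title `" Distribution of Events by User Type [Logs Cisco ISE]"` a leading one, while the other five dashboards added in this change have trimmed titles. Saved-object titles appear to be stored literally, so the stray whitespace is likely to surface in the dashboard list and in title searches and makes this dashboard inconsistent with its siblings for no reason. Trim both: `"title": "[Cisco ISE] AAA Audit"` and `"title": "Distribution of Events by User Type [Logs Cisco ISE]"`. Since `description` is empty on every dashboard here, a one-line description of what the AAA Audit view covers (CISE_Failed_Attempts and CISE_Passed_Authentications, per the filter) would also help the reader who lands on it from the Kibana dashboard list.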
@@ -0,0 +1,474 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": [ + "CISE_Authentication_Flow_Diagnostics", + "CISE_Guest", + "CISE_MyDevices", + "CISE_Identity_Stores_Diagnostics", + "CISE_Policy_Diagnostics", + "CISE_RADIUS_Diagnostics", + "CISE_AD_Connector" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Authentication_Flow_Diagnostics" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Guest" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_MyDevices" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Identity_Stores_Diagnostics" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Policy_Diagnostics" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_RADIUS_Diagnostics" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_AD_Connector" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "9bad5a17-973e-428d-a97e-35e870506076", + "w": 24, + "x": 24, + "y": 105 + }, + "panelIndex": "9bad5a17-973e-428d-a97e-35e870506076", + "panelRefName": "panel_0", + "title": "AAA Diagnostics Log Stream [Logs Cisco ISE]", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + 
"hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a711fab4-5b3c-4772-be34-ba329076bbc3", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "a711fab4-5b3c-4772-be34-ba329076bbc3", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "bbff4d11-a1cc-41ea-9834-d0a3781dbd86", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "bbff4d11-a1cc-41ea-9834-d0a3781dbd86", + "panelRefName": "panel_2", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "a1145565-ccd8-4dd5-8ba2-fa9b46906a2b", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "a1145565-ccd8-4dd5-8ba2-fa9b46906a2b", + "panelRefName": "panel_3", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "d10d59ee-c92b-4e28-81c4-1017be59bdfb", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "d10d59ee-c92b-4e28-81c4-1017be59bdfb", + "panelRefName": "panel_4", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0e3b4705-dd8a-42d7-9992-eefe9239160b", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "0e3b4705-dd8a-42d7-9992-eefe9239160b", + "panelRefName": "panel_5", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "251e4695-f4fb-4f6d-98e0-4a822942b58d", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "251e4695-f4fb-4f6d-98e0-4a822942b58d", + "panelRefName": "panel_6", + "type": "visualization", + "version": 
"7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "94954f66-f728-4b2e-b7d3-024a4d21559a", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "94954f66-f728-4b2e-b7d3-024a4d21559a", + "panelRefName": "panel_7", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "1156a6e4-bf5a-4628-97c1-1d48296960e2", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "1156a6e4-bf5a-4628-97c1-1d48296960e2", + "panelRefName": "panel_8", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "3db21693-851e-4584-8e01-92706e033703", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "3db21693-851e-4584-8e01-92706e033703", + "panelRefName": "panel_9", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "17cdfe86-a58c-4490-b253-7276fac9a458", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "17cdfe86-a58c-4490-b253-7276fac9a458", + "panelRefName": "panel_10", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "457e1c7e-32ae-4969-af38-81a02e0b0341", + "w": 24, + "x": 0, + "y": 75 + }, + "panelIndex": "457e1c7e-32ae-4969-af38-81a02e0b0341", + "panelRefName": "panel_11", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "efaff3d9-6694-4adc-9b22-edd21d590852", + "w": 24, + "x": 24, + "y": 75 + }, + "panelIndex": "efaff3d9-6694-4adc-9b22-edd21d590852", + 
"panelRefName": "panel_12", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "68e83de8-a2b3-4531-9e7a-80812495ef75", + "w": 24, + "x": 0, + "y": 90 + }, + "panelIndex": "68e83de8-a2b3-4531-9e7a-80812495ef75", + "panelRefName": "panel_13", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "9246074a-85cc-4cc3-a2df-6ebfe2db993e", + "w": 24, + "x": 24, + "y": 90 + }, + "panelIndex": "9246074a-85cc-4cc3-a2df-6ebfe2db993e", + "panelRefName": "panel_14", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "49bb018b-cab3-41c8-91b7-cdc8e30453dc", + "w": 24, + "x": 0, + "y": 105 + }, + "panelIndex": "49bb018b-cab3-41c8-91b7-cdc8e30453dc", + "panelRefName": "panel_15", + "type": "visualization", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Cisco ISE] AAA Diagnostics", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "search" + }, + { + "id": "cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": 
"cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_15", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/dashboard/cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/dashboard/cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..0a2c516e467 --- /dev/null +++ b/packages/cisco_ise/kibana/dashboard/cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,303 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": [ + "CISE_RADIUS_Accounting", + "CISE_TACACS_Accounting" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_RADIUS_Accounting" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_TACACS_Accounting" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c9b722c7-e508-4447-8112-230e3858b5b8", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "c9b722c7-e508-4447-8112-230e3858b5b8", + "panelRefName": "panel_0", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "216c30b3-1a72-498f-939b-11462bb0adb7", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "216c30b3-1a72-498f-939b-11462bb0adb7", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "8edd6fd7-b66b-4ee6-b542-b1e7ccd26fa4", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "8edd6fd7-b66b-4ee6-b542-b1e7ccd26fa4", + "panelRefName": "panel_2", + "type": "visualization", + 
"version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b6b0bc79-1ddb-461b-97c4-f814c1267e58", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "b6b0bc79-1ddb-461b-97c4-f814c1267e58", + "panelRefName": "panel_3", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "77492870-ccbf-400a-ae2e-97fe9f39cd0d", + "w": 16, + "x": 0, + "y": 30 + }, + "panelIndex": "77492870-ccbf-400a-ae2e-97fe9f39cd0d", + "panelRefName": "panel_4", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "9abde76e-d49b-409c-924b-dd9c81c1dcea", + "w": 16, + "x": 16, + "y": 30 + }, + "panelIndex": "9abde76e-d49b-409c-924b-dd9c81c1dcea", + "panelRefName": "panel_5", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ec663b72-467e-4ec0-ae7f-f023109ea50f", + "w": 16, + "x": 32, + "y": 30 + }, + "panelIndex": "ec663b72-467e-4ec0-ae7f-f023109ea50f", + "panelRefName": "panel_6", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "044c8085-11e7-40e3-a09b-bd994ce198aa", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "044c8085-11e7-40e3-a09b-bd994ce198aa", + "panelRefName": "panel_7", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "6e5ca98d-df46-45a1-8014-cf16a3028dc2", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "6e5ca98d-df46-45a1-8014-cf16a3028dc2", + "panelRefName": "panel_8", 
+ "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "371949ed-d67c-438f-a91a-3875e86edaf8", + "w": 48, + "x": 0, + "y": 60 + }, + "panelIndex": "371949ed-d67c-438f-a91a-3875e86edaf8", + "panelRefName": "panel_9", + "title": "Accounting Log Stream [Logs Cisco ISE]", + "type": "search", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Cisco ISE] Accounting", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83", + "name": "panel_9", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/dashboard/cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/dashboard/cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..82a68304912 --- /dev/null +++ b/packages/cisco_ise/kibana/dashboard/cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,196 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": { + "query": "CISE_Administrative_and_Operational_Audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Administrative_and_Operational_Audit" + } + } + } + ], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "70611ce1-8cc4-4e59-bca1-2f60acd5603f", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "70611ce1-8cc4-4e59-bca1-2f60acd5603f", + "panelRefName": "panel_0", + "title": "Administrative and Operational Audit Log Stream [Logs Cisco ISE]", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "973be120-1985-476b-939a-b0b82e570d33", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "973be120-1985-476b-939a-b0b82e570d33", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "755e7622-d79b-4ffc-a60f-df3b3dddeb86", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "755e7622-d79b-4ffc-a60f-df3b3dddeb86", + "panelRefName": "panel_2", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": 
"e63be268-5af1-469b-aba7-89d3d43e2d00", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "e63be268-5af1-469b-aba7-89d3d43e2d00", + "panelRefName": "panel_3", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "09a67f64-cb54-4976-a2a4-3fe6d891a44b", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "09a67f64-cb54-4976-a2a4-3fe6d891a44b", + "panelRefName": "panel_4", + "title": " Distribution of Events by Failure Flag [Logs Cisco ISE]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "d18cccfc-3613-4ca0-9a7a-9ff58bf40e7f", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "d18cccfc-3613-4ca0-9a7a-9ff58bf40e7f", + "panelRefName": "panel_5", + "type": "visualization", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Cisco ISE] Administrative and Operational Audit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "search" + }, + { + "id": "cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9", + "name": 
"panel_5", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/dashboard/cisco_ise-ed406dd0-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/dashboard/cisco_ise-ed406dd0-a0ff-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..d964b2a8d08 --- /dev/null +++ b/packages/cisco_ise/kibana/dashboard/cisco_ise-ed406dd0-a0ff-11ec-a0a2-1598702abf83.json 
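Review bot: The `title` override on panel_4 of this dashboard (the d320a780 hunk that starts at the line above) has a leading space, `" Distribution of Events by Failure Flag [Logs Cisco ISE]"`, and it is the only visualization panel in the change that sets a `title` at all; the rest rely on the visualization's own title. Either trim it to `"title": "Distribution of Events by Failure Flag [Logs Cisco ISE]"` or drop the override so this panel behaves like its siblings. The stray space shows up verbatim as the panel header, so it is worth fixing before the package ships.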
@@ -0,0 +1,98 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "5034ffff-f024-4fac-94c2-8aa800dfe04d", + "w": 48, + "x": 0, + "y": 13 + }, + "panelIndex": "5034ffff-f024-4fac-94c2-8aa800dfe04d", + "panelRefName": "panel_0", + "title": "Log Stream [Logs Cisco ISE]", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "5864db90-ff57-40e6-b605-b6d86b7fea43", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "5864db90-ff57-40e6-b605-b6d86b7fea43", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "06cec002-64bd-4f18-a966-1b6fc2bfd4cf", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "06cec002-64bd-4f18-a966-1b6fc2bfd4cf", + "panelRefName": "panel_2", + "type": "visualization", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Cisco ISE] Cisco ISE Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-ed406dd0-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "search" + }, + { + "id": "cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/search/cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9.json b/packages/cisco_ise/kibana/search/cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9.json new file mode 100644 index 00000000000..c38c4b07585 --- /dev/null +++ b/packages/cisco_ise/kibana/search/cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.logger.name", + "cisco_ise.log.message.description" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": [ + "CISE_Internal_Operations_Diagnostics", + "CISE_Threat_Centric_NAC" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Internal_Operations_Diagnostics" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Threat_Centric_NAC" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "System Diagnostics Search 1" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
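Review bot: The title `"System Diagnostics Search 1"` is a numbered placeholder, and its sibling in the eecf4510 search hunk further down is `"System Diagnostics search 2"` with different casing, while the other saved searches in this change use descriptive titles such as `"AAA Diagnostics search"` and `"Accounting search"`. Both searches are filtered on specific `cisco_ise.log.category.name` values (this one on CISE_Internal_Operations_Diagnostics and CISE_Threat_Centric_NAC, the other on CISE_Threat_Centric_NAC only), so a title that names the category (for example `"Internal Operations and Threat Centric NAC search"`, a constructed suggestion) would make them findable in Discover and keep the casing consistent. The empty `"description": ""` could carry the category list too if the title is kept short.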
diff --git a/packages/cisco_ise/kibana/search/cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/search/cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..a15103fcc05 --- /dev/null +++ b/packages/cisco_ise/kibana/search/cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.category.name", + "cisco_ise.log.message.description" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": [ + "CISE_AD_Connector", + "CISE_Authentication_Flow_Diagnostics", + "CISE_Guest", + "CISE_Identity_Stores_Diagnostics", + "CISE_MyDevices", + "CISE_RADIUS_Diagnostics", + "CISE_Policy_Diagnostics" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_AD_Connector" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Authentication_Flow_Diagnostics" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Guest" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Identity_Stores_Diagnostics" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_MyDevices" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_RADIUS_Diagnostics" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Policy_Diagnostics" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "AAA Diagnostics search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/search/cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/search/cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..b34ae89ceb4 --- /dev/null +++ b/packages/cisco_ise/kibana/search/cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83.json @@ -0,0 +1,69 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.operation.id", + "cisco_ise.log.operation.status", + "cisco_ise.log.operation.type" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": { + "query": "CISE_Posture_and_Client_Provisioning_Audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Posture_and_Client_Provisioning_Audit" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Posture and Client Provisioning Audit search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/search/cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/search/cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..ca5a8645180 --- /dev/null +++ b/packages/cisco_ise/kibana/search/cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83.json @@ -0,0 +1,44 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.message.description", + "log.syslog.priority", + "event.original", + "cisco_ise.log.category.name", + "log.level" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Cisco ISE Search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/search/cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/search/cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..34011c297ee --- /dev/null +++ b/packages/cisco_ise/kibana/search/cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,63 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.message.description", + "cisco_ise.log.operation_message.text" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": { + "query": "CISE_Administrative_and_Operational_Audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Administrative_and_Operational_Audit" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "sort": [], + "title": "Administrative and Operational Audit" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/search/cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/search/cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..44004def1e4 --- /dev/null +++ b/packages/cisco_ise/kibana/search/cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83.json 
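Review bot: This saved search sets `"sort": []`, whereas every other saved search in the change sorts on `[["@timestamp", "desc"]]`; since the d320a780 dashboard embeds this object as its panel_0 log stream, the Administrative and Operational Audit stream is the one panel whose ordering is not pinned to newest-first. For an audit log view the order matters to whoever is reviewing recent administrative changes, so set `"sort": [["@timestamp", "desc"]]` to match the other searches.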
@@ -0,0 +1,83 @@ +{ + "attributes": { + "columns": [ + "client.ip", + "cisco_ise.log.operation_message.text", + "cisco_ise.log.message.description", + "cisco_ise.log.category.name" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": [ + "CISE_Failed_Attempts", + "CISE_Passed_Authentications" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Failed_Attempts" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Passed_Authentications" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "AAA Audit search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/search/cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/search/cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..54ebfc78fc0 --- /dev/null +++ b/packages/cisco_ise/kibana/search/cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,69 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.adapter_instance.name", + "cisco_ise.log.status", + "cisco_ise.log.connectivity" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": { + "query": "CISE_Threat_Centric_NAC" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_Threat_Centric_NAC" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "System Diagnostics search 2" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/search/cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/search/cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..dc5d1449c90 --- /dev/null +++ b/packages/cisco_ise/kibana/search/cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,81 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.message.description", + "cisco_ise.log.category.name" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_ise.log.category.name", + "negate": false, + "params": [ + "CISE_RADIUS_Accounting", + "CISE_TACACS_Accounting" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_RADIUS_Accounting" + } + }, + { + "match_phrase": { + "cisco_ise.log.category.name": "CISE_TACACS_Accounting" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Accounting search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..3725291c8a5 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,149 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Failed Attempts by Radius Packet Type [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Radius Packet Type", + "field": "cisco_ise.log.radius_packet.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": 
"ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "Distribution of Failed Attempts by Radius Packet Type [Logs Cisco ISE]", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..1510a47a1e6 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Network Device Profile for TACACS Accounting [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Network Device Profile ", + "field": "cisco_ise.log.network.device.profile", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Network Device Profile for TACACS Accounting [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..1e1f32c7be9 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83.json 
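Review bot: The terms aggregation's `customLabel` is `"Network Device Profile "` with a trailing space, and that string becomes the column header of the table; the equivalent table in the next hunk uses `"Service Name"` with no padding. Change it to `"customLabel": "Network Device Profile"` so the two TACACS Accounting tables look the same.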
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Authentication Method [Logs Cisco ISE]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Authentication Method", + "field": "cisco_ise.log.authentication.method", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Authentication Method [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..a180b3f6ca5 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Service for TACACS Accounting [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Service Name", + "field": "cisco_ise.log.service.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Service for TACACS Accounting [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..39b654ccbd4 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Controls [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "cisco_ise.log.category.name", + "id": "1646939756945", + "indexPatternRefName": "control_0_index_pattern", + "label": "Log Category", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "log.level", + "id": "1646939807026", + "indexPatternRefName": "control_1_index_pattern", + "label": "Log Severity", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 10, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": false + }, + "title": "Controls [Logs Cisco ISE]", + "type": "input_control_vis" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..28376e6828a --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,149 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by NAS Port Type [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "NAS Port Type", + "field": "cisco_ise.log.nas.port.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + 
"filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "Distribution of Events by NAS Port Type [Logs Cisco ISE]", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..c19955d0a7d --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,34 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboards", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**[AAA Audit](\u003c#/dashboard/cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83\u003e)**\n\n**[AAA Diagnostics](\u003c#/dashboard/cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83\u003e)**\n\n**[Accounting](\u003c#/dashboard/cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83\u003e)**\n\n**[Administrative and Operational Audit](\u003c#/dashboard/cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83\u003e)**\n\n**[Posture and Client Provisioning Audit](\u003c#/dashboard/cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83\u003e)**\n\n**[System Diagnostics](\u003c#/dashboard/cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83\u003e)**\n\n**[System Statistics](\u003c#/dashboard/cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83\u003e)**\n\n", + "openLinksInNewTab": true + }, + "title": "Dashboards", + "type": "markdown" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..2405fb61a29 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Admin Name [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Admin Name", + "field": "client.user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Admin Name [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..9448a27b9f1 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Operation Status [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Operation Status", + "field": "cisco_ise.log.operation.status", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Operation Status [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..8c34cbe9d1d --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Model Name [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Model Name", + "field": "cisco_ise.log.model.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Model Name [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..faaf2cd7b10 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Operation Type [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Operation Type", + "field": "cisco_ise.log.operation.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Operation Type [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..d8385f1b6d9 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Network Device Profile Name [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Network Device Profile Name", + "field": "cisco_ise.log.network.device.profile_name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Network Device Profile Name [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..dfecdba0916 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Portals Used [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Portal Name", + "field": "cisco_ise.log.portal.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Portals Used [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..91b26557de8 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Adapter Instance Name for Threat Centric NAC [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Adapter Instance Name", + "field": "cisco_ise.log.adapter_instance.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Adapter Instance Name for Threat Centric NAC [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..1845b25e14a --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,82 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "CPU Utilization Over Time [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "filter": { + "language": "kuery", + "query": "" + }, + "id": "da582c56-5800-465a-a7e7-b2f0ab6df619", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "e6d7aa64-0073-4cf0-a69a-8eb06867f465", + "label": "CPU Utilization ", + "line_width": 1, + "metrics": [ + { + "field": "cisco_ise.log.sysstats.utilization.cpu", + "id": "cf165805-c812-4988-9c1a-ea442e767edc", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "CPU Utilization Over Time [Logs Cisco ISE]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
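Review bot: The TSVB visualization in this hunk binds its data source with the literal string `"index_pattern": "logs-*"` and `"use_kibana_indexes": false`, and its `"references"` array is empty, whereas the other visualizations in this package declare the index pattern through `"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"` plus a `references` entry. Without a reference entry the saved-object import cannot track or remap the index-pattern dependency, so this object behaves differently from its siblings if the package's index pattern is ever renamed or re-scoped. The same pattern appears in the Memory Utilization and Disk IO Utilization TSVB objects that follow (the next two hunks). If the TSVB-by-string form is intentional for this Kibana version, consider noting that in the package's README or changelog so the inconsistency is recognised as deliberate rather than an oversight.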
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..525b268b6aa --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Memory Utilization Over Time [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "eb6e177b-8e7e-4d71-ac31-db9346ccb88b", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "b1c76318-e21a-4547-979f-45ab45e40dd6", + "label": "Memory Utilization", + "line_width": 1, + "metrics": [ + { + "field": "cisco_ise.log.sysstats.utilization.memory", + "id": "3ee7cec2-d8fd-4601-8b57-40922cddfc56", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Memory Utilization Over Time [Logs Cisco ISE]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..672b753011c --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Disk IO Utilization Over Time [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "ea254bb6-fa55-42c5-b3d6-39127b9d0901", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "18a38b8f-685b-4dce-b54a-d18a9b013d1d", + "label": "Disk IO Utilization", + "line_width": 1, + "metrics": [ + { + "field": "cisco_ise.log.sysstats.utilization.disk.io", + "id": "8d17df3d-e242-4871-b5f0-60a358e23361", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Disk IO Utilization Over Time [Logs Cisco ISE]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..3c61a3483df --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Threat Centric NAC by Connectivity [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Connectivity", + "field": "cisco_ise.log.connectivity", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Threat Centric NAC by Connectivity [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..94daf2ccf6a --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,79 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Utilization Load Average Over Time [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "3ec57505-d66e-4bb7-b331-42eb113c6268", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "fb9524f8-52cd-4bb1-9a96-90a0a600d3f6", + "label": "Utilization load average ", + "line_width": 1, + "metrics": [ + { + "field": "cisco_ise.log.sysstats.utilization.load_avg", + "id": "3ce8aa40-c99c-4760-9449-9a4e14cfe06d", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "terms_field": null, + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Utilization Load Average Over Time [Logs Cisco ISE]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
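Review bot: Same scoping gap as the Disk IO panel: the `event.dataset : "cisco_ise.log"` query is only in `searchSourceJSON`, while the TSVB panel queries `"index_pattern": "logs-*"` directly with `"use_kibana_indexes": false`, no `params.filter`, `"time_field": ""` and `"references": []`. To my knowledge TSVB ignores the saved search source, so the `avg` of `cisco_ise.log.sysstats.utilization.load_avg` would be computed over all `logs-*` indices rather than the ISE dataset; please verify on 7.17. Suggest `"filter": { "language": "kuery", "query": "event.dataset : \"cisco_ise.log\"" }` in `params`, and the stray `"terms_field": null` in the series can be dropped while you are there.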
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..c1517a10177 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 User Name [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User Name", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 User Name [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..d4b499147bf --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Logger Name [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Logger Name", + "field": "cisco_ise.log.logger.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Logger Name [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..7d3a959f903 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Threat Centric NAC by Status [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Status", + "field": "cisco_ise.log.status", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Threat Centric NAC by Status [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..dd645a73d77 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 AD IP Address for AD Connector [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AD IP Address", + "field": "cisco_ise.log.ad.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 AD IP Address for AD Connector [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..2ab128e935b --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Device IP [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Device IP Address", + "field": "client.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Device IP [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..1a88e77b5bc --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 IP Address For AAA Diagnostics [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source IP Address", + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 IP Address For AAA Diagnostics [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..9a1fbbabfe1 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,149 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Authentication Method for AAA Diagnostics [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Authentication Method", + "field": "cisco_ise.log.authentication.method", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { 
+ "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "Distribution of Events by Authentication Method for AAA Diagnostics [Logs Cisco ISE]", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..bd6d2b40c41 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,149 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Admin Interface [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Admin Interface", + "field": "cisco_ise.log.admin.interface", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { 
+ "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "Distribution of Events by Admin Interface [Logs Cisco ISE]", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..93993647c4f --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Client IP for Administrative and Operational Audit [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Client IP", + "field": "client.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Client IP for Administrative and Operational Audit [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..40d87999d27 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,149 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Current ID Store Name [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Current ID Store Name", + "field": "cisco_ise.log.currentid.store_name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": 
"ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "Distribution of Events by Current ID Store Name [Logs Cisco ISE]", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..b33b95d3b2c --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by User Type [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User Type", + "field": "cisco_ise.log.user.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by User Type [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..bdfc776b633 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Selected Access Service [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Selected Access Service", + "field": "cisco_ise.log.selected.access.service", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Selected Access Service [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..e99a4350366 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Object Type [Logs Cisco ISE]", + "uiStateJSON": { + "table": null, + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Object Type", + "field": "cisco_ise.log.object.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Object Type [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..cc0dc8740a8 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Authentication Identity Store [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Authentication Identity Store", + "field": "cisco_ise.log.authentication.identity_store", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Authentication Identity Store [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..e490bc47282 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Radius Diagnostics by EAP Authentication [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "EAP Authentication", + "field": "cisco_ise.log.eap.authentication", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Radius Diagnostics by EAP Authentication [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..b0a45277f32 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Radius Diagnostics by EAP Tunnel [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "EAP Tunnel", + "field": "cisco_ise.log.eap.tunnel", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Radius Diagnostics by EAP Tunnel [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..cd2b7ee74b4 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Portal Name [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Portal Name", + "field": "cisco_ise.log.portal.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Portal Name [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..bebf9363400 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Failure Flag [Logs Cisco ISE]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Failure Flag", + "field": "cisco_ise.log.failure.flag", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Failure Flag [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9.json b/packages/cisco_ise/kibana/visualization/cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9.json new file mode 100644 index 00000000000..336ca593bab --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Admin Name [Logs Cisco ISE]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Admin Name", + "field": "client.user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Admin Name [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..31c5b04a296 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Guest User Name [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Guest User Name", + "field": "cisco_ise.log.guest.user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Guest User Name [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..14acc536067 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Device Name for My Devices [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Device Name", + "field": "cisco_ise.log.device.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Device Name for My Devices [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..b36d0f7726f --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Policy Diagnostics by Policy Type [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Policy Type", + "field": "cisco_ise.log.policy.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Policy Diagnostics by Policy Type [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..c6f8a5a2dd8 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 NAS IP Address for Radius Accounting [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "NAS IP Address", + "field": "cisco_ise.log.nas.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 NAS IP Address for Radius Accounting [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..717352e568b --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of AD Connector Events by AD Hostname [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AD Hostname", + "field": "cisco_ise.log.ad.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of AD Connector Events by AD Hostname [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..7568d223738 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Radius Accounting by NAS Port Type [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "NAS Port Type", + "field": "cisco_ise.log.nas.port.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Radius Accounting by NAS Port Type [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..13dad2d27c3 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Radius Accounting by Accounting Terminate Cause [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Accounting Terminate Cause", + "field": "cisco_ise.log.acct.terminate_cause", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Radius Accounting by Accounting Terminate Cause [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..231252df1cf --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Device IP Address [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Device IP Address", + "field": "client.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Device IP Address [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..cb3adacde0f --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Device IP Address for Accounting [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Device IP Address", + "field": "client.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Device IP Address for Accounting [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..78301070676 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Protocol [Logs Cisco ISE]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Protocol", + "field": "network.protocol", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Protocol [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..2cc417aa02c --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Network Device Name for Accounting [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Network Device Name", + "field": "cisco_ise.log.network.device.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Network Device Name for Accounting [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..0863e10dee1 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 Network Device Names [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Network Device Name", + "field": "cisco_ise.log.network.device.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 Network Device Names [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..610872dfbe3 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 User Name for Accounting [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User Name", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 User Name for Accounting [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83.json new file mode 100644 index 00000000000..f94ea82be40 --- /dev/null +++ b/packages/cisco_ise/kibana/visualization/cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Top 10 User Name [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User Name", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Top 10 User Name [Logs Cisco ISE]", + "type": "table" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_ise/kibana/visualization/cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/kibana/visualization/cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83.json
new file mode 100644
index 00000000000..dd80bd9bec2
--- /dev/null
+++ b/packages/cisco_ise/kibana/visualization/cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83.json
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"cisco_ise.log\" " + } + } + }, + "title": "Distribution of Events by Selected Access Service for Accounting [Logs Cisco ISE]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Selected Access Service", + "field": "cisco_ise.log.selected.access.service", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "Distribution of Events by Selected Access Service for Accounting [Logs Cisco ISE]", + "type": "pie" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml new file mode 100644 index 00000000000..17b83743aae --- /dev/null 
+++ b/packages/cisco_ise/manifest.yml 
@@ -0,0 +1,98 @@
+format_version: 1.0.0
+name: cisco_ise
+title: Cisco ISE
+version: 0.1.0
+license: basic
+description: Collect logs from Cisco ISE with Elastic Agent.
+type: integration
+categories:
+ - security
+release: beta
+conditions:
+ kibana.version: ^7.17.0 || ^8.0.0
+screenshots:
+ - src: /img/cisco-ise-screenshot.png
+ title: Cisco ISE dashboard screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/cisco-ise-logo.svg
+ title: Cisco ISE logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: Cisco ISE
+ title: Cisco_ISE logs
+ description: Collect cisco_ise logs
+ inputs:
+ - type: tcp
+ title: Collect Cisco ISE logs via TCP input
+ description: Collecting Cisco ISE logs via TCP input
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9025
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - type: udp + title: Collect Cisco ISE logs via UDP input + description: Collecting Cisco ISE logs via UDP input + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9026 +owner: + github: elastic/security-external-integrations 
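Review bot: The policy template's `name: Cisco ISE` uses a space and mixed case where the package itself is `cisco_ise` and the other template in this change is `kspm`; the template name is an identifier rather than a label, so `name: cisco_ise` with `title: Cisco ISE logs` and `description: Collect Cisco ISE logs` would keep the three fields consistent. The `ssl` description says `i.e.` for what is a list of examples (`e.g.`), and its commented default shows only `certificate_authorities` with a sample certificate, whereas a TLS listener also needs its own `certificate` and `key`; a one-line hint in the description would save users a round trip. The UDP input carries no transport security, which is expected for syslog over UDP, but saying so in its description lets operators know to keep that listener on a trusted network segment. The first half of this hunk (package metadata and the TCP vars) is on the preceding line.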
diff --git a/packages/cloud_security_posture/_dev/deploy/k8s/.empty b/packages/cloud_security_posture/_dev/deploy/k8s/.empty
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/packages/cloud_security_posture/changelog.yml b/packages/cloud_security_posture/changelog.yml
new file mode 100644
index 00000000000..ef61ac2fcac
--- /dev/null
+++ b/packages/cloud_security_posture/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3113
diff --git a/packages/cloud_security_posture/data_stream/findings/agent/stream/stream.yml.hbs b/packages/cloud_security_posture/data_stream/findings/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..6b3ea6de9ff
--- /dev/null
+++ b/packages/cloud_security_posture/data_stream/findings/agent/stream/stream.yml.hbs
@@ -0,0 +1,2 @@
+processors:
+ - add_cluster_id: ~
diff --git a/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml b/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/cloud_security_posture/data_stream/findings/fields/findings.yml b/packages/cloud_security_posture/data_stream/findings/fields/findings.yml
new file mode 100644
index 00000000000..f21b3aa8de6
--- /dev/null
+++ b/packages/cloud_security_posture/data_stream/findings/fields/findings.yml
@@ -0,0 +1,81 @@
+- name: cycle_id
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
+- name: type
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
+- name: resource_id
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
+- name: cluster_id
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
+- name: agent
+ type: group
+ fields:
+ - name: id
+ type: text
+ description: Agent ID
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
+- name: resource
+ type: group
+ fields:
+ - name: type
+ type: text
+ description: Source type of the resource
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
+ - name: filename
+ type: text
+ description: Resource filename
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
+- name: rule
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: Rule name
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
+ - name: benchmark
+ type: group
+ fields:
+ - name: name
+ type: text
+ description: Benchmark name
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
+- name: result
+ type: group
+ fields:
+ - name: evaluation
+ type: text
+ description: Rule result
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 1024
diff --git a/packages/cloud_security_posture/data_stream/findings/manifest.yml b/packages/cloud_security_posture/data_stream/findings/manifest.yml
new file mode 100644
index 00000000000..7884911b1a1
--- /dev/null
+++ b/packages/cloud_security_posture/data_stream/findings/manifest.yml
@@ -0,0 +1,6 @@
+title: "Findings"
+type: logs
+streams:
+ - input: cloudbeat
+ title: K8s CIS Compliance
+ description: Check CIS Benchmark compliance
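Review bot: `rule.name` is declared `type: keyword` and then given a `keyword` multi-field of its own, which only indexes the same value twice; either drop that `multi_fields` block or make the parent `text` like every sibling field in this file. `agent.id` is mapped here as `text` with a keyword sub-field, but ECS defines `agent.id` as a plain `keyword`, so if this data stream also picks up the ECS definition the two mappings may conflict — presumably only one is intended. The four top-level fields `cycle_id`, `type`, `resource_id` and `cluster_id` carry no `description` while all nested fields do; one line each (for example `description: Identifier of the evaluation cycle this finding belongs to`) would make the generated field reference complete.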
diff --git a/packages/cloud_security_posture/docs/README.md b/packages/cloud_security_posture/docs/README.md
new file mode 100644
index 00000000000..9134a8a0f98
--- /dev/null
+++ b/packages/cloud_security_posture/docs/README.md
@@ -0,0 +1,28 @@
+# CIS Kubernetes Benchmark
+
+This integration compares [Kubernetes](https://kubernetes.io/) configuration against CIS benchmark checks. It computes a score that ranges between 0 - 100. This integration requires access to node files, node processes, and the Kuberenetes api-server therefore it assumes the agent will be installed as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) with the proper [Roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) and [RoleBindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) attached.
+
+See agent [installation instructions](https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html).
+
+Additionally, In order for the integration to be installed, The Cloud Security Posture Kibana plugin must be enabled.
+
+This could be done by adding the following configuration line to `kibana.yml`:
+```
+xpack.cloudSecurityPosture.enabled: true
+```
+
+## Leader election
+
+To collect cluster level data (compared to node level information) the integration makes use of the [leader election](https://www.elastic.co/guide/en/fleet/master/kubernetes_leaderelection-provider.html) mechanism.
+This mechanism assures that the cluster level data is collected by only one of the agents running as aprt of the DeamonSet and not by all of them.
+
+Cluster level data example: List of the running pods.
+Node level data examle: kubelet configuration.
+
+## Compatibility
+
+The Kubernetes package is tested with Kubernetes 1.21.x
+
+## Dashboard
+
+CIS Kubernetes Benchmark integration is shipped including default dashboards and screens to manage the benchmark rules and inspect the compliance score and findings.
diff --git a/packages/cloud_security_posture/img/benchmarks.png b/packages/cloud_security_posture/img/benchmarks.png new file mode 100644 index 00000000000..a86a0ec483e Binary files /dev/null and b/packages/cloud_security_posture/img/benchmarks.png differ diff --git a/packages/cloud_security_posture/img/cis-kubernetes-benchmark-logo.svg b/packages/cloud_security_posture/img/cis-kubernetes-benchmark-logo.svg new file mode 100644 index 00000000000..7f3e86f5482 --- /dev/null +++ b/packages/cloud_security_posture/img/cis-kubernetes-benchmark-logo.svg @@ -0,0 +1 @@ + diff --git a/packages/cloud_security_posture/img/dashboard.png b/packages/cloud_security_posture/img/dashboard.png new file mode 100644 index 00000000000..0502f3fe3f2 Binary files /dev/null and b/packages/cloud_security_posture/img/dashboard.png differ diff --git a/packages/cloud_security_posture/img/findings-flyout.png b/packages/cloud_security_posture/img/findings-flyout.png new file mode 100644 index 00000000000..e1daa72501d Binary files /dev/null and b/packages/cloud_security_posture/img/findings-flyout.png differ diff --git a/packages/cloud_security_posture/img/findings.png b/packages/cloud_security_posture/img/findings.png new file mode 100644 index 00000000000..6aeaf1e4299 Binary files /dev/null and b/packages/cloud_security_posture/img/findings.png differ diff --git a/packages/cloud_security_posture/img/rules.png b/packages/cloud_security_posture/img/rules.png new file mode 100644 index 00000000000..ea86ba845e2 Binary files /dev/null and b/packages/cloud_security_posture/img/rules.png differ diff --git a/packages/cloud_security_posture/kibana/index_pattern/cloud_security_posture-9129a080-7f48-11ec-8249-431333f83c5f.json b/packages/cloud_security_posture/kibana/index_pattern/cloud_security_posture-9129a080-7f48-11ec-8249-431333f83c5f.json new file mode 100644 index 00000000000..cd2d45a61df --- /dev/null 
+++ b/packages/cloud_security_posture/kibana/index_pattern/cloud_security_posture-9129a080-7f48-11ec-8249-431333f83c5f.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "description": "", + "title": "logs-cloud_security_posture.findings-*" + }, + "coreMigrationVersion": "8.1.0", + "id": "cloud_security_posture-9129a080-7f48-11ec-8249-431333f83c5f", + "migrationVersion": { + "index-pattern": "8.0.0" + }, + "type": "index-pattern", + "updated_at": "2022-01-27T08:10:19.277Z", + "version": "WzMwNDY5LDFd" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml new file mode 100644 index 00000000000..58d7b863dc5 --- /dev/null +++ b/packages/cloud_security_posture/manifest.yml 
@@ -0,0 +1,57 @@
+format_version: 1.0.0
+name: cloud_security_posture
+title: "CIS Kubernetes Benchmark"
+version: 0.0.1
+license: basic
+description: "Check Kubernetes cluster compliance with the Kubernetes CIS benchmark."
+type: integration
+categories:
+ - containers
+ - kubernetes
+release: experimental
+conditions:
+ kibana.version: "^8.3.0"
+screenshots:
+ - src: /img/dashboard.png
+ title: Dashboard page
+ size: 1293x718
+ type: image/png
+ - src: /img/findings.png
+ title: Findings page
+ size: 3134x1740
+ type: image/png
+ - src: /img/findings-flyout.png
+ title: Detailed view of a single finding
+ size: 3176x1748
+ type: image/png
+ - src: /img/benchmarks.png
+ title: Benchmarks page
+ size: 3168x1752
+ type: image/png
+ - src: /img/rules.png
+ title: Rules page
+ size: 3160x1708
+ type: image/png
+icons:
+ - src: /img/cis-kubernetes-benchmark-logo.svg
+ title: CIS Kubernetes Benchmark logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: kspm
+ title: CIS Kubernetes Benchmark
+ description: Check Kubernetes cluster compliance with the Kubernetes CIS benchmark.
+ multiple: false
+ inputs:
+ - type: cloudbeat
+ title: Enable CIS Kubernetes Benchmark
+ description: Collecting findings
+vars:
+ - name: dataYaml
+ type: yaml
+ title: Rules Activation Yaml
+ multi: false
+ required: false
+ show_user: false
+owner:
+ github: elastic/cloud-security-posture
diff --git a/packages/fireeye/changelog.yml b/packages/fireeye/changelog.yml
index f828603684c..ad0171aa23f 100644
--- a/packages/fireeye/changelog.yml
+++ b/packages/fireeye/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.2.4"
+ changes:
+ - description: Move invalid field values
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3099
 - version: "1.2.3"
 changes:
 - description: Fix typo in config template for ignoring host enrichment
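Review bot: The package-level var `dataYaml` has no `description`, and nothing visible in this change consumes it: the `findings` stream template added earlier only emits `processors: - add_cluster_id: ~`, so unless the Kibana plugin reads the value directly the setting is dead configuration. Its camelCase name also differs from the snake_case vars used by the other manifest in this change (`listen_address`, `listen_port`); a name such as `rules_activation_yaml` with a one-line description of what the YAML is expected to contain would match the convention. The `cloudbeat` input description `Collecting findings` says little about what is collected; something like `Evaluate the cluster against the CIS Kubernetes Benchmark rules and ship the resulting findings` would be more useful in the policy editor.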
diff --git a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-common-config.yml b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-common-config.yml index 5622947e4b8..4da22641654 100644 --- a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-common-config.yml +++ b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-common-config.yml @@ -1,5 +1,3 @@ -dynamic_fields: - event.ingested: ".*" fields: tags: - preserve_original_event diff --git a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json index 82d2fda1aeb..aaaf3deabe5 100644 --- a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json +++ b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json @@ -13,9 +13,13 @@ "version": "8.0.0" }, "event": { - "ingested": "2022-03-26T18:20:15.891947350Z", + "category": [ + "network" + ], "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", - "type": "flow" + "type": [ + "info" + ] }, "fireeye": { "nx": { 
@@ -82,9 +86,13 @@ "version": "8.0.0" }, "event": { - "ingested": "2022-03-26T18:20:15.891951511Z", + "category": [ + "network" + ], "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993228+0000\\\",\\\"flow_id\\\":175370876476591,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":39808,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:33:15.122031+0000\\\",\\\"end\\\":\\\"2020-09-22T08:33:15.193693+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":475,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", - "type": "flow" + "type": [ + "info" + ] }, "fireeye": { "nx": { 
@@ -139,9 +147,13 @@ "version": "8.0.0" }, "event": { - "ingested": "2022-03-26T18:20:15.891953408Z", + "category": [ + "network" + ], "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993227+0000\\\",\\\"flow_id\\\":1285126005631046,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":44535,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:22.763974+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:22.764073+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":522,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", - "type": "flow" + "type": [ + "info" + ] }, "fireeye": { "nx": { 
@@ -208,9 +220,13 @@ "version": "8.0.0" }, "event": { - "ingested": "2022-03-26T18:20:15.891955258Z", + "category": [ + "network" + ], "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993286+0000\\\",\\\"flow_id\\\":222460015300681,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"src_port\\\":51082,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":5938,\\\"proto\\\":\\\"TCP\\\",\\\"proto_number\\\":6,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":799,\\\"pkts_toclient\\\":544,\\\"bytes_toserver\\\":69825,\\\"bytes_toclient\\\":59808,\\\"start\\\":\\\"2020-09-22T04:48:48.282697+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:36.067255+0000\\\",\\\"age\\\":13548,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false},\\\"tcp\\\":{\\\"tcp_flags\\\":\\\"1a\\\",\\\"tcp_flags_ts\\\":\\\"1a\\\",\\\"tcp_flags_tc\\\":\\\"1a\\\",\\\"syn\\\":true,\\\"psh\\\":true,\\\"ack\\\":true,\\\"state\\\":\\\"established\\\"}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":611,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", - "type": "flow" + "type": [ + "info" + ] }, "fireeye": { "nx": { 
@@ -286,9 +302,13 @@ "version": "8.0.0" }, "event": { - "ingested": "2022-03-26T18:20:15.891957082Z", + "category": [ + "network" + ], "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993501+0000\\\",\\\"flow_id\\\":1463569002949603,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":52147,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:32:06.355299+0000\\\",\\\"end\\\":\\\"2020-09-22T08:32:06.439495+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":476,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", - "type": "flow" + "type": [ + "info" + ] }, "fireeye": { "nx": { 
@@ -353,9 +373,13 @@ "version": "8.0.0" }, "event": { - "ingested": "2022-03-26T18:20:15.891958935Z", + "category": [ + "network" + ], "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:01.175635+0000\\\",\\\"flow_id\\\":1136872856843530,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"tls\\\",\\\"src_ip\\\":\\\"192.168.1.99\\\",\\\"src_port\\\":53918,\\\"dest_ip\\\":\\\"67.43.156.13\\\",\\\"dest_port\\\":443,\\\"proto\\\":\\\"TCP\\\",\\\"tls\\\":{\\\"subject\\\":\\\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\\\",\\\"issuerdn\\\":\\\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3\\\",\\\"ja3\\\":{\\\"hash\\\":\\\"21536525fbf9e289f79e0f98af64bb59\\\",\\\"string\\\":\\\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\\\"},\\\"ja3s\\\":{\\\"hash\\\":\\\"9873b112313d7c4e5e8ef6207e6c6f0d\\\",\\\"string\\\":\\\"771,49195,0-65281-11-13172\\\"},\\\"fingerprint\\\":\\\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\\\",\\\"sni\\\":\\\"cloud.fireeye.com\\\",\\\"version\\\":\\\"TLS 1.2\\\",\\\"notbefore\\\":\\\"2020-07-01T00:00:00.000000+0000\\\",\\\"notafter\\\":\\\"2021-07-01T12:00:00.000000+0000\\\",\\\"client_ciphersuites\\\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\\\"client_tls_exts\\\":[0,11,10,13,15,13172],\\\"server_ciphersuite\\\":49195,\\\"server_tls_exts\\\":[0,65281,11,13172],\\\"pubkeylength\\\":65}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":1146,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", - "type": "tls" + "type": [ + "info" + ] }, "fireeye": { "nx": { 
@@ -460,9 +484,14 @@
 "version": "8.0.0"
 },
 "event": {
- "ingested": "2022-03-26T18:20:15.891960832Z",
+ "category": [
+ "file",
+ "network"
+ ],
 "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:19.906154+0000\\\",\\\"flow_id\\\":1444203537876422,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"fileinfo\\\",\\\"src_ip\\\":\\\"192.168.1.222\\\",\\\"src_port\\\":47220,\\\"dest_ip\\\":\\\"192.168.100.31\\\",\\\"dest_port\\\":5601,\\\"proto\\\":\\\"TCP\\\",\\\"http\\\":{\\\"hostname\\\":\\\"192.168.100.31\\\",\\\"url\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"http_user_agent\\\":\\\"Mozilla\\\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\\\/537.36 (KHTML, like Gecko) Chrome\\\\/85.0.4183.102 Safari\\\\/537.36\\\",\\\"http_refer\\\":\\\"http:\\\\/\\\\/192.168.100.31:5601\\\\/app\\\\/kibana\\\",\\\"http_method\\\":\\\"POST\\\",\\\"protocol\\\":\\\"HTTP\\\\/1.1\\\",\\\"length\\\":0},\\\"app_proto\\\":\\\"http\\\",\\\"fileinfo\\\":{\\\"filename\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"magic\\\":\\\"ASCII text, with very long lines, with no line terminators\\\",\\\"state\\\":\\\"CLOSED\\\",\\\"md5\\\":\\\"548d03d3e11c009da833e6e59c4adfee\\\",\\\"stored\\\":false,\\\"size\\\":6394,\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":769,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}",
- "type": "fileinfo"
+ "type": [
+ "info"
+ ]
 },
 "fireeye": {
 "nx": {
@@ -563,9 +592,13 @@
 "version": "8.0.0"
 },
 "event": {
- "ingested": "2022-03-26T18:20:15.891962649Z",
+ "category": [
+ "network"
+ ],
 "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:41.077232+0000\\\",\\\"flow_id\\\":206535698492848,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"dns\\\",\\\"src_ip\\\":\\\"192.168.1.176\\\",\\\"src_port\\\":60269,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":53,\\\"proto\\\":\\\"UDP\\\",\\\"dns\\\":{\\\"type\\\":\\\"query\\\",\\\"id\\\":28224,\\\"rrname\\\":\\\"time-ios.apple.com\\\",\\\"rrtype\\\":\\\"A\\\",\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":289,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}",
- "type": "dns"
+ "type": [
+ "info"
+ ]
 },
 "fireeye": {
 "nx": {
diff --git a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
index 265a574a53d..011d76d056d 100644
--- a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
@@ -1,9 +1,6 @@
 ---
 description: Pipeline for processing FireEye NX logs
 processors:
- - set:
- field: event.ingested
- value: "{{_ingest.timestamp}}"
 - set:
 field: ecs.version
 value: "8.0.0"
@@ -77,6 +74,23 @@ processors:
 - user_agent:
 field: user_agent.original
 ignore_missing: true
+
+ - append:
+ field: event.category
+ value: network
+ if: "['dns', 'flow', 'tls'].contains(ctx?.event?.type)"
+ - append:
+ field: event.category
+ value: [web, network]
+ if: ctx?.event?.type == 'http'
+ - append:
+ field: event.category
+ value: [file, network]
+ if: ctx?.event?.type == 'fileinfo'
+ - set:
+ field: event.type
+ value: [info]
+
 #
 # Normalize protocol names
 #
diff --git a/packages/fireeye/manifest.yml b/packages/fireeye/manifest.yml
index 494e6622d88..0ab24a7a190 100644
--- a/packages/fireeye/manifest.yml
+++ b/packages/fireeye/manifest.yml
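Review bot: The closing `set` of `event.type` to `[info]` in the `@@ -77,6 +74,23 @@` hunk of default.yml runs unconditionally, so an event whose raw type matches none of the three `append` conditions (anything other than dns, flow, tls, http or fileinfo) is also relabelled `info` while receiving no `event.category`, and the raw type string previously carried in `event.type` is dropped from the structured document (it survives only inside `event.original`). Consider guarding the normalisation with `if: ctx?.event?.category != null`, or copying the raw value into a vendor-specific field (name to be chosen) before overwriting it, so unmatched types remain visible to detections. The three `if` clauses also depend on `event.type` still being the raw string at that point in the pipeline; a comment above the first `append`, such as `# event.type still holds the raw event_type string here; it is normalized to [info] below`, would protect that ordering from future reshuffles. The removal of the `event.ingested` setter in the first hunk presumably relies on the final pipeline populating that field; that is an assumption worth confirming before release since `event.ingested` underpins ingest-latency detections.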
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: fireeye
 title: "Fireeye"
-version: 1.2.3
+version: 1.2.4
 license: basic
 description: "This Elastic integration collects Fireeye NX logs."
 type: integration
diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml
index 77c6fec1a31..b354fb6856c 100644
--- a/packages/google_workspace/changelog.yml
+++ b/packages/google_workspace/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.4"
+ changes:
+ - description: Fix pagination to prevent skipped events when more than one page is present.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3140
 - version: "1.3.3"
 changes:
 - description: Add documentation for multi-fields
diff --git a/packages/google_workspace/data_stream/admin/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/admin/agent/stream/httpjson.yml.hbs
index 973357f53b1..0f8ae6142e0 100644
--- a/packages/google_workspace/data_stream/admin/agent/stream/httpjson.yml.hbs
+++ b/packages/google_workspace/data_stream/admin/agent/stream/httpjson.yml.hbs
@@ -12,7 +12,7 @@ request.timeout: {{http_client_timeout}}
 request.transforms:
 - set:
 target: url.params.startTime
- value: "[[.cursor.last_execution_datetime]]"
+ value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
 default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
 response.split:
 target: body.items
diff --git a/packages/google_workspace/data_stream/drive/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/drive/agent/stream/httpjson.yml.hbs
index f4cd56a3411..39433017889 100644
--- a/packages/google_workspace/data_stream/drive/agent/stream/httpjson.yml.hbs
+++ b/packages/google_workspace/data_stream/drive/agent/stream/httpjson.yml.hbs
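Review bot: The new `startTime` template in the admin stream's httpjson.yml.hbs is non-obvious and is copied verbatim into the drive, groups, login, saml and user_accounts streams in the following hunks, with nothing in any of them explaining why pages after the first must reuse the previous request's `startTime` instead of the cursor. A comment above the `- set:` line, e.g. `# Page 0 opens a new window from the cursor; later pages must reuse the previous request's startTime so the window does not move mid-pagination and skip events`, would make the intent and the duplication reviewable, and the same comment belongs in all six files. The `eq .last_response.page 0` test assumes `.last_response.page` restarts at 0 for each new request chain; that looks right from the change but is inferred rather than shown here, so a pipeline test covering a two-page response would pin it.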
@@ -12,7 +12,7 @@ request.timeout: {{http_client_timeout}}
 request.transforms:
 - set:
 target: url.params.startTime
- value: "[[.cursor.last_execution_datetime]]"
+ value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
 default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
 response.split:
 target: body.items
diff --git a/packages/google_workspace/data_stream/groups/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/groups/agent/stream/httpjson.yml.hbs
index e7db1c71787..d1486b825af 100644
--- a/packages/google_workspace/data_stream/groups/agent/stream/httpjson.yml.hbs
+++ b/packages/google_workspace/data_stream/groups/agent/stream/httpjson.yml.hbs
@@ -12,7 +12,7 @@ request.timeout: {{http_client_timeout}}
 request.transforms:
 - set:
 target: url.params.startTime
- value: "[[.cursor.last_execution_datetime]]"
+ value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
 default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
 response.split:
 target: body.items
diff --git a/packages/google_workspace/data_stream/login/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/login/agent/stream/httpjson.yml.hbs
index edcd159d1f7..3d83580dca0 100644
--- a/packages/google_workspace/data_stream/login/agent/stream/httpjson.yml.hbs
+++ b/packages/google_workspace/data_stream/login/agent/stream/httpjson.yml.hbs
@@ -12,7 +12,7 @@ request.timeout: {{http_client_timeout}}
 request.transforms:
 - set:
 target: url.params.startTime
- value: "[[.cursor.last_execution_datetime]]"
+ value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
 default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
 response.split:
 target: body.items
diff --git a/packages/google_workspace/data_stream/saml/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/saml/agent/stream/httpjson.yml.hbs
index dd1365492ee..c5e1386ebe3 100644
--- a/packages/google_workspace/data_stream/saml/agent/stream/httpjson.yml.hbs
+++ b/packages/google_workspace/data_stream/saml/agent/stream/httpjson.yml.hbs
@@ -12,7 +12,7 @@ request.timeout: {{http_client_timeout}}
 request.transforms:
 - set:
 target: url.params.startTime
- value: "[[.cursor.last_execution_datetime]]"
+ value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
 default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
 response.split:
 target: body.items
diff --git a/packages/google_workspace/data_stream/user_accounts/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/user_accounts/agent/stream/httpjson.yml.hbs
index 872b3c6f4d9..9c4e11a5fea 100644
--- a/packages/google_workspace/data_stream/user_accounts/agent/stream/httpjson.yml.hbs
+++ b/packages/google_workspace/data_stream/user_accounts/agent/stream/httpjson.yml.hbs
@@ -12,7 +12,7 @@ request.timeout: {{http_client_timeout}}
 request.transforms:
 - set:
 target: url.params.startTime
- value: "[[.cursor.last_execution_datetime]]"
+ value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
 default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
 response.split:
 target: body.items
diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml
index 4b70efeca05..35e8d3b026b 100644
--- a/packages/google_workspace/manifest.yml
+++ b/packages/google_workspace/manifest.yml
@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace Audit Reports
-version: 1.3.3
+version: 1.3.4
 release: ga
 description: Collect audit reports from Google Workspaces with Elastic Agent.
 type: integration
diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
index e5c960664dc..8ff51621643 100644
--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Replace invalid field value
 type: enhancement
- link: https://github.com/elastic/integrations/pull/xxxx
+ link: https://github.com/elastic/integrations/pull/3095
 - version: "1.4.2"
 changes:
 - description: Add documentation for multi-fields
diff --git a/packages/osquery_manager/changelog.yml b/packages/osquery_manager/changelog.yml
index 434ab0ae71e..952eea523a9 100644
--- a/packages/osquery_manager/changelog.yml
+++ b/packages/osquery_manager/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Update readme to remove exported fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3093
 - version: "1.2.0"
 changes:
 - description: Add packs and dashboards
diff --git a/packages/osquery_manager/docs/README.md b/packages/osquery_manager/docs/README.md
index b8e82235645..00ff146e20b 100644
--- a/packages/osquery_manager/docs/README.md
+++ b/packages/osquery_manager/docs/README.md
@@ -16,2527 +16,4 @@ For information about using Osquery, see the [Osquery Kibana documentation](http This includes information about required privileges; how to run, schedule, and save queries; how to map osquery fields to ECS; and other useful information about managing Osquery with this integration. ## Exported Fields -This section describes the fields that can be returned in osquery results. Note the following about osquery fields: -- Some fields list multiple descriptions because the one that applies depends on which table was queried. For example, a result stored in the `osquery.autoupdate` field may represent a response from the `firefox_addons` table or the `windows_security_center` table. -- In the cases where a field name is associated with more than one osquery table, we have made a best guess at what the data `type` should be. In the cases where it is unknown, the data type is set as a keyword object. - -For more information about osquery tables, see the [osquery schema documentation](https://osquery.io/schema/). - - -| Field | Description | Type | -|---|---|---| -| **@timestamp** | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| **UUID** | **system_extensions.UUID** - Extension unique id | keyword, text.text | -| **abi** | **elf_info.abi** - Section type | keyword, text.text | -| **abi_version** | **elf_info.abi_version** - Section virtual address in memory | keyword, number.long | -| **access** | **ntfs_acl_permissions.access** - Specific permissions that indicate the rights described by the ACE. | keyword, text.text | -| **accessed_directories** | **prefetch.accessed_directories** - Directories accessed by application within ten seconds of launch. 
| keyword, text.text | -| **accessed_directories_count** | **prefetch.accessed_directories_count** - Number of directories accessed. | keyword, number.long | -| **accessed_files** | **prefetch.accessed_files** - Files accessed by application within ten seconds of launch. | keyword, text.text | -| **accessed_files_count** | **prefetch.accessed_files_count** - Number of files accessed. | keyword, number.long | -| **accessed_time** | **shellbags.accessed_time** - Directory Accessed time. | keyword, number.long | -| **account_id** | **ec2_instance_metadata.account_id** - AWS account ID which owns this EC2 instance | keyword, text.text | -| **action** | **disk_events.action** - Appear or disappear | keyword, text.text | -| | **example.action** - Action performed in generation | | -| | **file_events.action** - Change action (UPDATE, REMOVE, etc) | | -| | **hardware_events.action** - Remove, insert, change properties, etc | | -| | **ntfs_journal_events.action** - Change action (Write, Delete, etc) | | -| | **scheduled_tasks.action** - Actions executed by the scheduled task | | -| | **socket_events.action** - The socket action (bind, listen, close) | | -| | **windows_firewall_rules.action** - Action for the rule or default setting | | -| | **yara_events.action** - Change action (UPDATE, REMOVE, etc) | | -| **activated** | **tpm_info.activated** - TPM is activated | keyword, number.long | -| **active** | **firefox_addons.active** - 1 If the addon is active else 0 | keyword, number.long | -| | **memory_info.active** - The total amount of buffer or page cache memory, in bytes, that is in active use | | -| | **osquery_events.active** - 1 if the publisher or subscriber is active else 0 | | -| | **osquery_packs.active** - Whether this pack is active (the version, platform and discovery queries match) yes=1, no=0. | | -| | **osquery_registry.active** - 1 If this plugin is active else 0 | | -| | **virtual_memory_info.active** - Total number of active pages. 
| | -| **active_disks** | **md_devices.active_disks** - Number of active disks in array | keyword, number.long | -| **active_state** | **systemd_units.active_state** - The high-level unit activation state, i.e. generalization of SUB | keyword, text.text | -| **actual** | **fan_speed_sensors.actual** - Actual speed | keyword, number.long | -| **additional_product_id** | **smart_drive_info.additional_product_id** - An additional drive identifier if any | keyword, text.text | -| **addr** | **elf_symbols.addr** - Symbol address (value) | keyword, number.long | -| **address** | **arp_cache.address** - IPv4 address target | keyword, text.text | -| | **dns_resolvers.address** - Resolver IP/IPv6 address | | -| | **etc_hosts.address** - IP address mapping | | -| | **fbsd_kmods.address** - Kernel module address | | -| | **interface_addresses.address** - Specific address for interface | | -| | **kernel_modules.address** - Kernel module address | | -| | **listening_ports.address** - Specific address for bind | | -| | **platform_info.address** - Relative address of firmware mapping | | -| | **user_events.address** - The Internet protocol address or family ID | | -| **address_width** | **cpu_info.address_width** - The width of the CPU address bus. | keyword, text.text | -| **algorithm** | **authorized_keys.algorithm** - algorithm of key | keyword, text.text | -| **alias** | **etc_protocols.alias** - Protocol alias | keyword, text.text | -| | **time_machine_destinations.alias** - Human readable name of drive | | -| **aliases** | **etc_services.aliases** - Optional space separated list of other names for a service | keyword, text.text | -| | **lxd_images.aliases** - Comma-separated list of image aliases | | -| **align** | **elf_sections.align** - Segment alignment | keyword, number.long | -| | **elf_segments.align** - Segment alignment | | -| **allow_maximum** | **shared_resources.allow_maximum** - Number of concurrent users for this resource has been limited. 
If True, the value in the MaximumAllowed property is ignored. | keyword, number.long | -| **allow_root** | **authorizations.allow_root** - Label top-level key | keyword, text.text | -| **allow_signed_enabled** | **alf.allow_signed_enabled** - 1 If allow signed mode is enabled else 0 | keyword, number.long | -| **ami_id** | **ec2_instance_metadata.ami_id** - AMI ID used to launch this EC2 instance | keyword, text.text | -| **amperage** | **battery.amperage** - The battery's current amperage in mA | keyword, number.long | -| **anonymous** | **virtual_memory_info.anonymous** - Total number of anonymous pages. | keyword, number.long | -| **antispyware** | **windows_security_center.antispyware** - Deprecated (always 'Good'). | keyword, text.text | -| **antivirus** | **windows_security_center.antivirus** - The health of the monitored Antivirus solution (see windows_security_products) | keyword, text.text | -| **api_version** | **docker_version.api_version** - API version | keyword, text.text | -| **app_name** | **windows_firewall_rules.app_name** - Friendly name of the application to which the rule applies | keyword, text.text | -| **apparmor** | **apparmor_events.apparmor** - Apparmor Status like ALLOWED, DENIED etc. 
| keyword, text.text | -| **applescript_enabled** | **apps.applescript_enabled** - Info properties NSAppleScriptEnabled label | keyword, text.text | -| **application** | **office_mru.application** - Associated Office application | keyword, text.text | -| **arch** | **deb_packages.arch** - Package architecture | keyword, text.text | -| | **docker_version.arch** - Hardware architecture | | -| | **os_version.arch** - OS Architecture | | -| | **pkg_packages.arch** - Architecture(s) supported | | -| | **rpm_packages.arch** - Architecture(s) supported | | -| | **seccomp_events.arch** - Information about the CPU architecture | | -| | **signature.arch** - If applicable, the arch of the signed code | | -| **architecture** | **docker_info.architecture** - Hardware architecture | keyword, text.text | -| | **ec2_instance_metadata.architecture** - Hardware architecture of this EC2 instance | | -| | **lxd_images.architecture** - Target architecture for the image | | -| | **lxd_instances.architecture** - Instance architecture | | -| **architectures** | **apt_sources.architectures** - Repository architectures | keyword, text.text | -| **args** | **startup_items.args** - Arguments provided to startup executable | keyword, text.text | -| **arguments** | **kernel_info.arguments** - Kernel arguments | keyword, text.text | -| **array_handle** | **memory_devices.array_handle** - The memory array that the device is attached to | keyword, text.text | -| **assessments_enabled** | **gatekeeper.assessments_enabled** - 1 If a Gatekeeper is enabled else 0 | keyword, number.long | -| **asset_tag** | **memory_devices.asset_tag** - Manufacturer specific asset tag of memory device | keyword, text.text | -| **ata_version** | **smart_drive_info.ata_version** - ATA version of drive | keyword, text.text | -| **atime** | **device_file.atime** - Last access time | keyword, number.long | -| | **file.atime** - Last access time | | -| | **file_events.atime** - Last access time | | -| | 
**process_events.atime** - File last access in UNIX time | | -| | **shared_memory.atime** - Attached time | | -| **attach** | **apparmor_profiles.attach** - Which executable(s) a profile will attach to. | keyword, text.text | -| **attached** | **shared_memory.attached** - Number of attached processes | keyword, number.long | -| **attributes** | **file.attributes** - File attrib string. See: https://ss64.com/nt/attrib.html | keyword, text.text | -| **audible_alarm** | **chassis_info.audible_alarm** - If TRUE, the frame is equipped with an audible alarm. | keyword, text.text | -| **auid** | **process_events.auid** - Audit User ID at process start | keyword | -| | **process_file_events.auid** - Audit user ID of the process using the file | | -| | **seccomp_events.auid** - Audit user ID (loginuid) of the user who started the analyzed process | | -| | **socket_events.auid** - Audit User ID | | -| | **user_events.auid** - Audit User ID | | -| **authenticate_user** | **authorizations.authenticate_user** - Label top-level key | keyword, text.text | -| **authentication_package** | **logon_sessions.authentication_package** - The authentication package used to authenticate the owner of the logon session. 
| keyword, text.text | -| **author** | **chocolatey_packages.author** - Optional package author | keyword, text.text | -| | **chrome_extensions.author** - Optional extension author | | -| | **npm_packages.author** - Package author name | | -| | **python_packages.author** - Optional package author | | -| | **safari_extensions.author** - Optional extension author | | -| **authority** | **signature.authority** - Certificate Common Name | keyword, text.text | -| **authority_key_id** | **certificates.authority_key_id** - AKID an optionally included SHA1 | keyword, text.text | -| **authority_key_identifier** | **curl_certificate.authority_key_identifier** - Authority Key Identifier | keyword, text.text | -| **authorizations** | **keychain_acls.authorizations** - A space delimited set of authorization attributes | keyword, text.text | -| **auto_login** | **wifi_networks.auto_login** - 1 if auto login is enabled, 0 otherwise | keyword, number.long | -| **auto_update** | **lxd_images.auto_update** - Whether the image auto-updates (1) or not (0) | keyword, number.long | -| **autoupdate** | **firefox_addons.autoupdate** - 1 If the addon applies background updates else 0 | keyword | -| | **windows_security_center.autoupdate** - The health of the Windows Autoupdate feature | | -| **availability** | **cpu_info.availability** - The availability and status of the CPU. | keyword, text.text | -| **availability_zone** | **ec2_instance_metadata.availability_zone** - Availability zone in which this instance launched | keyword, text.text | -| **average** | **load_average.average** - Load average over the specified period. 
| keyword, text.text | -| **average_memory** | **osquery_schedule.average_memory** - Average of the bytes of resident memory left allocated after collecting results | keyword, number.long | -| **avg_disk_bytes_per_read** | **physical_disk_performance.avg_disk_bytes_per_read** - Average number of bytes transferred from the disk during read operations | keyword, number.long | -| **avg_disk_bytes_per_write** | **physical_disk_performance.avg_disk_bytes_per_write** - Average number of bytes transferred to the disk during write operations | keyword, number.long | -| **avg_disk_read_queue_length** | **physical_disk_performance.avg_disk_read_queue_length** - Average number of read requests that were queued for the selected disk during the sample interval | keyword, number.long | -| **avg_disk_sec_per_read** | **physical_disk_performance.avg_disk_sec_per_read** - Average time, in seconds, of a read operation of data from the disk | keyword, number.long | -| **avg_disk_sec_per_write** | **physical_disk_performance.avg_disk_sec_per_write** - Average time, in seconds, of a write operation of data to the disk | keyword, number.long | -| **avg_disk_write_queue_length** | **physical_disk_performance.avg_disk_write_queue_length** - Average number of write requests that were queued for the selected disk during the sample interval | keyword, number.long | -| **backup_date** | **time_machine_backups.backup_date** - Backup Date | keyword, number.long | -| **bank_locator** | **memory_devices.bank_locator** - String number of the string that identifies the physically-labeled bank where the memory device is located | keyword, text.text | -| **base64** | **extended_attributes.base64** - 1 if the value is base64 encoded else 0 | keyword, number.long | -| **base_image** | **lxd_instances.base_image** - ID of image used to launch this instance | keyword, text.text | -| **base_uri** | **apt_sources.base_uri** - Repository base URI | keyword, text.text | -| **baseurl** | 
**yum_sources.baseurl** - Repository base URL | keyword, text.text | -| **basic_constraint** | **curl_certificate.basic_constraint** - Basic Constraints | keyword, text.text | -| **binary_queue** | **carbon_black_info.binary_queue** - Size in bytes of binaries waiting to be sent to Carbon Black server | keyword, number.long | -| **binding** | **elf_symbols.binding** - Binding type | keyword, text.text | -| **bitmap_chunk_size** | **md_devices.bitmap_chunk_size** - Bitmap chunk size | keyword, text.text | -| **bitmap_external_file** | **md_devices.bitmap_external_file** - External referenced bitmap file | keyword, text.text | -| **bitmap_on_mem** | **md_devices.bitmap_on_mem** - Pages allocated in in-memory bitmap, if enabled | keyword, text.text | -| **block** | **ssh_configs.block** - The host or match block | keyword, text.text | -| **block_size** | **block_devices.block_size** - Block size in bytes | keyword, number.long | -| | **device_file.block_size** - Block size of filesystem | | -| | **file.block_size** - Block size of filesystem | | -| **blocks** | **device_partitions.blocks** - Number of blocks | keyword, number.long | -| | **mounts.blocks** - Mounted device used blocks | | -| **blocks_available** | **mounts.blocks_available** - Mounted device available blocks | keyword, number.long | -| **blocks_free** | **mounts.blocks_free** - Mounted device free blocks | keyword, number.long | -| **blocks_size** | **device_partitions.blocks_size** - Byte size of each block | keyword, number.long | -| | **mounts.blocks_size** - Block size in bytes | | -| **bluetooth_sharing** | **sharing_preferences.bluetooth_sharing** - 1 If bluetooth sharing is enabled for any user else 0 | keyword, number.long | -| **board_model** | **system_info.board_model** - Board model | keyword, text.text | -| **board_serial** | **system_info.board_serial** - Board serial number | keyword, text.text | -| **board_vendor** | **system_info.board_vendor** - Board vendor | keyword, text.text | -| 
**board_version** | **system_info.board_version** - Board version | keyword, text.text | -| **boot_partition** | **logical_drives.boot_partition** - True if Windows booted from this drive. | keyword, number.long | -| **boot_uuid** | **ibridge_info.boot_uuid** - Boot UUID of the iBridge controller | keyword, text.text | -| **bp_microcode_disabled** | **kva_speculative_info.bp_microcode_disabled** - Branch Predictions are disabled due to lack of microcode update. | keyword, number.long | -| **bp_mitigations** | **kva_speculative_info.bp_mitigations** - Branch Prediction mitigations are enabled. | keyword, number.long | -| **bp_system_pol_disabled** | **kva_speculative_info.bp_system_pol_disabled** - Branch Predictions are disabled via system policy. | keyword, number.long | -| **breach_description** | **chassis_info.breach_description** - If provided, gives a more detailed description of a detected security breach. | keyword, text.text | -| **bridge_nf_ip6tables** | **docker_info.bridge_nf_ip6tables** - 1 if bridge netfilter ip6tables is enabled. 0 otherwise | keyword, number.long | -| **bridge_nf_iptables** | **docker_info.bridge_nf_iptables** - 1 if bridge netfilter iptables is enabled. 0 otherwise | keyword, number.long | -| **broadcast** | **interface_addresses.broadcast** - Broadcast address for the interface | keyword, text.text | -| **browser_type** | **chrome_extension_content_scripts.browser_type** - The browser type (Valid values: chrome, chromium, opera, yandex, brave) | keyword, text.text | -| | **chrome_extensions.browser_type** - The browser type (Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta) | | -| **bsd_flags** | **file.bsd_flags** - The BSD file flags (chflags). 
Possible values: NODUMP, UF_IMMUTABLE, UF_APPEND, OPAQUE, HIDDEN, ARCHIVED, SF_IMMUTABLE, SF_APPEND | keyword, text.text | -| **bssid** | **wifi_status.bssid** - The current basic service set identifier | keyword, text.text | -| | **wifi_survey.bssid** - The current basic service set identifier | | -| **btime** | **file.btime** - (B)irth or (cr)eate time | keyword, number.long | -| | **process_events.btime** - File creation in UNIX time | | -| **buffers** | **memory_info.buffers** - The amount of physical RAM, in bytes, used for file buffers | keyword, number.long | -| **build** | **os_version.build** - Optional build-specific or variant string | keyword, text.text | -| **build_distro** | **osquery_info.build_distro** - osquery toolkit platform distribution name (os version) | keyword, text.text | -| **build_id** | **sandboxes.build_id** - Sandbox-specific identifier | keyword, text.text | -| **build_number** | **windows_crashes.build_number** - Windows build number of the crashing machine | keyword, number.long | -| **build_platform** | **osquery_info.build_platform** - osquery toolkit build platform | keyword, text.text | -| **build_time** | **docker_version.build_time** - Build time | keyword, text.text | -| | **portage_packages.build_time** - Unix time when package was built | | -| **bundle_executable** | **apps.bundle_executable** - Info properties CFBundleExecutable label | keyword, text.text | -| **bundle_identifier** | **apps.bundle_identifier** - Info properties CFBundleIdentifier label | keyword, text.text | -| | **running_apps.bundle_identifier** - The bundle identifier of the application | | -| **bundle_name** | **apps.bundle_name** - Info properties CFBundleName label | keyword, text.text | -| **bundle_package_type** | **apps.bundle_package_type** - Info properties CFBundlePackageType label | keyword, text.text | -| **bundle_path** | **sandboxes.bundle_path** - Application bundle used by the sandbox | keyword, text.text | -| | 
**system_extensions.bundle_path** - System extension bundle path | | -| **bundle_short_version** | **apps.bundle_short_version** - Info properties CFBundleShortVersionString label | keyword, text.text | -| **bundle_version** | **apps.bundle_version** - Info properties CFBundleVersion label | keyword, text.text | -| **busy_state** | **iokit_devicetree.busy_state** - 1 if the device is in a busy state else 0 | keyword, number.long | -| | **iokit_registry.busy_state** - 1 if the node is in a busy state else 0 | | -| **bytes** | **curl.bytes** - Number of bytes in the response | keyword, number.long | -| | **iptables.bytes** - Number of matching bytes for this rule. | | -| **bytes_available** | **time_machine_destinations.bytes_available** - Bytes available on volume | keyword, number.long | -| **bytes_received** | **lxd_networks.bytes_received** - Number of bytes received on this network | keyword, number.long | -| **bytes_sent** | **lxd_networks.bytes_sent** - Number of bytes sent on this network | keyword, number.long | -| **bytes_used** | **time_machine_destinations.bytes_used** - Bytes used on volume | keyword, number.long | -| **ca** | **certificates.ca** - 1 if CA: true (certificate is an authority) else 0 | keyword, number.long | -| **cache_path** | **quicklook_cache.cache_path** - Path to cache data | keyword, text.text | -| **cached** | **lxd_images.cached** - Whether image is cached (1) or not (0) | keyword, number.long | -| | **memory_info.cached** - The amount of physical RAM, in bytes, used as cache memory | | -| **capability** | **apparmor_events.capability** - Capability number | keyword, number.long | -| **capname** | **apparmor_events.capname** - Capability requested by the process | keyword, text.text | -| **caption** | **patches.caption** - Short description of the patch. 
| keyword, text.text | -| | **windows_optional_features.caption** - Caption of feature in settings UI | | -| **captive_portal** | **wifi_networks.captive_portal** - 1 if this network has a captive portal, 0 otherwise | keyword, number.long | -| **carve** | **carves.carve** - Set this value to '1' to start a file carve | keyword, number.long | -| **carve_guid** | **carves.carve_guid** - Identifying value of the carve session | keyword, text.text | -| **category** | **apps.category** - The UTI that categorizes the app for the App Store | keyword, text.text | -| | **file_events.category** - The category of the file defined in the config | | -| | **ntfs_journal_events.category** - The category that the event originated from | | -| | **power_sensors.category** - The sensor category: currents, voltage, wattage | | -| | **system_extensions.category** - System extension category | | -| | **yara_events.category** - The category of the file | | -| **cdhash** | **es_process_events.cdhash** - Codesigning hash of the process | keyword, text.text | -| | **signature.cdhash** - Hash of the application Code Directory | | -| **celsius** | **temperature_sensors.celsius** - Temperature in Celsius | keyword, number.double | -| **certificate** | **lxd_certificates.certificate** - Certificate content | keyword, text.text | -| **cgroup_driver** | **docker_info.cgroup_driver** - Control groups driver | keyword, text.text | -| **cgroup_namespace** | **docker_containers.cgroup_namespace** - cgroup namespace | keyword, text.text | -| | **process_namespaces.cgroup_namespace** - cgroup namespace inode | | -| **chain** | **iptables.chain** - Size of module content. 
| keyword, text.text | -| **change_type** | **docker_container_fs_changes.change_type** - Type of change: C:Modified, A:Added, D:Deleted | keyword, text.text | -| **channel** | **wifi_status.channel** - Channel number | keyword | -| | **wifi_survey.channel** - Channel number | | -| | **windows_eventlog.channel** - Source or channel of the event | | -| **channel_band** | **wifi_status.channel_band** - Channel band | keyword, number.long | -| | **wifi_survey.channel_band** - Channel band | | -| **channel_width** | **wifi_status.channel_width** - Channel width | keyword, number.long | -| | **wifi_survey.channel_width** - Channel width | | -| **charged** | **battery.charged** - 1 if the battery is currently completely charged. 0 otherwise | keyword, number.long | -| **charging** | **battery.charging** - 1 if the battery is currently being charged by a power source. 0 otherwise | keyword, number.long | -| **chassis_bridge_capability_available** | **lldp_neighbors.chassis_bridge_capability_available** - Chassis bridge capability availability | keyword, number.long | -| **chassis_bridge_capability_enabled** | **lldp_neighbors.chassis_bridge_capability_enabled** - Is chassis bridge capability enabled. 
| keyword, number.long | -| **chassis_docsis_capability_available** | **lldp_neighbors.chassis_docsis_capability_available** - Chassis DOCSIS capability availability | keyword, number.long | -| **chassis_docsis_capability_enabled** | **lldp_neighbors.chassis_docsis_capability_enabled** - Chassis DOCSIS capability enabled | keyword, number.long | -| **chassis_id** | **lldp_neighbors.chassis_id** - Neighbor chassis ID value | keyword, text.text | -| **chassis_id_type** | **lldp_neighbors.chassis_id_type** - Neighbor chassis ID type | keyword, text.text | -| **chassis_mgmt_ips** | **lldp_neighbors.chassis_mgmt_ips** - Comma delimited list of chassis management IPS | keyword, text.text | -| **chassis_other_capability_available** | **lldp_neighbors.chassis_other_capability_available** - Chassis other capability availability | keyword, number.long | -| **chassis_other_capability_enabled** | **lldp_neighbors.chassis_other_capability_enabled** - Chassis other capability enabled | keyword, number.long | -| **chassis_repeater_capability_available** | **lldp_neighbors.chassis_repeater_capability_available** - Chassis repeater capability availability | keyword, number.long | -| **chassis_repeater_capability_enabled** | **lldp_neighbors.chassis_repeater_capability_enabled** - Chassis repeater capability enabled | keyword, number.long | -| **chassis_router_capability_available** | **lldp_neighbors.chassis_router_capability_available** - Chassis router capability availability | keyword, number.long | -| **chassis_router_capability_enabled** | **lldp_neighbors.chassis_router_capability_enabled** - Chassis router capability enabled | keyword, number.long | -| **chassis_station_capability_available** | **lldp_neighbors.chassis_station_capability_available** - Chassis station capability availability | keyword, number.long | -| **chassis_station_capability_enabled** | **lldp_neighbors.chassis_station_capability_enabled** - Chassis station capability enabled | keyword, number.long | -| 
**chassis_sys_description** | **lldp_neighbors.chassis_sys_description** - Max number of CPU physical cores | keyword, number.long | -| **chassis_sysname** | **lldp_neighbors.chassis_sysname** - CPU brand string, contains vendor and model | keyword, text.text | -| **chassis_tel_capability_available** | **lldp_neighbors.chassis_tel_capability_available** - Chassis telephone capability availability | keyword, number.long | -| **chassis_tel_capability_enabled** | **lldp_neighbors.chassis_tel_capability_enabled** - Chassis telephone capability enabled | keyword, number.long | -| **chassis_types** | **chassis_info.chassis_types** - A comma-separated list of chassis types, such as Desktop or Laptop. | keyword, text.text | -| **chassis_wlan_capability_available** | **lldp_neighbors.chassis_wlan_capability_available** - Chassis wlan capability availability | keyword, number.long | -| **chassis_wlan_capability_enabled** | **lldp_neighbors.chassis_wlan_capability_enabled** - Chassis wlan capability enabled | keyword, number.long | -| **check_array_finish** | **md_devices.check_array_finish** - Estimated duration of the check array activity | keyword, text.text | -| **check_array_progress** | **md_devices.check_array_progress** - Progress of the check array activity | keyword, text.text | -| **check_array_speed** | **md_devices.check_array_speed** - Speed of the check array activity | keyword, text.text | -| **checksum** | **disk_events.checksum** - UDIF Master checksum if available (CRC32) | keyword, text.text | -| **child_pid** | **es_process_events.child_pid** - Process ID of a child process in case of a fork event | keyword, number.long | -| **chunk_size** | **md_devices.chunk_size** - chunk size in bytes | keyword, number.long | -| **cid** | **bpf_process_events.cid** - Cgroup ID | keyword, number.long | -| | **bpf_socket_events.cid** - Cgroup ID | | -| **class** | **authorizations.class** - Label top-level key | keyword, text.text | -| | **drivers.class** - 
Device/driver class name | | -| | **elf_dynamic.class** - Class (32 or 64) | | -| | **elf_info.class** - Class type, 32 or 64bit | | -| | **iokit_devicetree.class** - Best matching device class (most-specific category) | | -| | **iokit_registry.class** - Best matching device class (most-specific category) | | -| | **usb_devices.class** - USB Device class | | -| | **wmi_cli_event_consumers.class** - The name of the class. | | -| | **wmi_event_filters.class** - The name of the class. | | -| | **wmi_filter_consumer_binding.class** - The name of the class. | | -| | **wmi_script_event_consumers.class** - The name of the class. | | -| **client_site_name** | **ntdomains.client_site_name** - The name of the site where the domain controller is configured. | keyword, text.text | -| **cmdline** | **bpf_process_events.cmdline** - Command line arguments | keyword, text.text | -| | **docker_container_processes.cmdline** - Complete argv | | -| | **es_process_events.cmdline** - Command line arguments (argv) | | -| | **process_events.cmdline** - Command line arguments (argv) | | -| | **processes.cmdline** - Complete argv | | -| **cmdline_count** | **es_process_events.cmdline_count** - Number of command line arguments | keyword, number.long | -| **cmdline_size** | **process_events.cmdline_size** - Actual size (bytes) of command line arguments | keyword, number.long | -| **code** | **seccomp_events.code** - The seccomp action | keyword, text.text | -| **code_integrity_policy_enforcement_status** | **hvci_status.code_integrity_policy_enforcement_status** - The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered. 
| keyword, text.text | -| **codename** | **os_version.codename** - OS version codename | keyword, text.text | -| **collect_cross_processes** | **carbon_black_info.collect_cross_processes** - If the sensor is configured to cross process events | keyword, number.long | -| **collect_data_file_writes** | **carbon_black_info.collect_data_file_writes** - If the sensor is configured to collect non binary file writes | keyword, number.long | -| **collect_emet_events** | **carbon_black_info.collect_emet_events** - If the sensor is configured to EMET events | keyword, number.long | -| **collect_file_mods** | **carbon_black_info.collect_file_mods** - If the sensor is configured to collect file modification events | keyword, number.long | -| **collect_module_info** | **carbon_black_info.collect_module_info** - If the sensor is configured to collect metadata of binaries | keyword, number.long | -| **collect_module_loads** | **carbon_black_info.collect_module_loads** - If the sensor is configured to capture module loads | keyword, number.long | -| **collect_net_conns** | **carbon_black_info.collect_net_conns** - If the sensor is configured to collect network connections | keyword, number.long | -| **collect_process_user_context** | **carbon_black_info.collect_process_user_context** - If the sensor is configured to collect the user running a process | keyword, number.long | -| **collect_processes** | **carbon_black_info.collect_processes** - If the sensor is configured to process events | keyword, number.long | -| **collect_reg_mods** | **carbon_black_info.collect_reg_mods** - If the sensor is configured to collect registry modification events | keyword, number.long | -| **collect_sensor_operations** | **carbon_black_info.collect_sensor_operations** - Unknown | keyword, number.long | -| **collect_store_files** | **carbon_black_info.collect_store_files** - If the sensor is configured to send back binaries to the Carbon Black server | keyword, number.long | -| **collisions** | 
**interface_details.collisions** - Packet Collisions detected | keyword, number.long | -| **color_depth** | **video_info.color_depth** - The amount of bits per pixel to represent color. | keyword, number.long | -| **comm** | **apparmor_events.comm** - Command-line name of the command that was used to invoke the analyzed process | keyword, text.text | -| | **seccomp_events.comm** - Command-line name of the command that was used to invoke the analyzed process | | -| **command** | **crontab.command** - Raw command string | keyword, text.text | -| | **docker_containers.command** - Command with arguments | | -| | **shell_history.command** - Unparsed date/line/command history line | | -| **command_args** | **shortcut_files.command_args** - Command args passed to lnk file. | keyword, text.text | -| **command_line** | **windows_crashes.command_line** - Command-line string passed to the crashed process | keyword, text.text | -| **command_line_template** | **wmi_cli_event_consumers.command_line_template** - Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line. | keyword, text.text | -| **comment** | **authorizations.comment** - Label top-level key | keyword, text.text | -| | **docker_image_history.comment** - Instruction comment | | -| | **etc_protocols.comment** - Comment with protocol description | | -| | **etc_services.comment** - Optional comment for a service. | | -| | **groups.comment** - Remarks or comments associated with the group | | -| | **keychain_items.comment** - Optional keychain comment | | -| **common_name** | **certificates.common_name** - Certificate CommonName | keyword, text.text | -| | **curl_certificate.common_name** - Common name of company issued to | | -| **common_path** | **shortcut_files.common_path** - Common system path to target file. 
| keyword, text.text | -| **compat** | **seccomp_events.compat** - Is system call in compatibility mode | keyword, number.long | -| **compiler** | **apps.compiler** - Info properties DTCompiler label | keyword, text.text | -| **completed_time** | **cups_jobs.completed_time** - When the job completed printing | keyword, number.long | -| **components** | **apt_sources.components** - Repository components | keyword, text.text | -| **compressed** | **virtual_memory_info.compressed** - The total number of pages that have been compressed by the VM compressor. | keyword, number.long | -| **compressor** | **virtual_memory_info.compressor** - The number of pages used to store compressed VM pages. | keyword, number.long | -| **computer_name** | **system_info.computer_name** - Friendly computer name (optional) | keyword, text.text | -| | **windows_eventlog.computer_name** - Hostname of system where event was generated | | -| | **windows_events.computer_name** - Hostname of system where event was generated | | -| **condition** | **battery.condition** - One of the following: "Normal" indicates the condition of the battery is within normal tolerances, "Service Needed" indicates that the battery should be checked out by a licensed Mac repair service, "Permanent Failure" indicates the battery needs replacement | keyword, text.text | -| **config_entrypoint** | **docker_containers.config_entrypoint** - Container entrypoint(s) | keyword, text.text | -| **config_flag** | **sip_config.config_flag** - The System Integrity Protection config flag | keyword, text.text | -| **config_hash** | **osquery_info.config_hash** - Hash of the working configuration state | keyword, text.text | -| **config_name** | **carbon_black_info.config_name** - Sensor group | keyword, text.text | -| **config_valid** | **osquery_info.config_valid** - 1 if the config was loaded and considered valid, else 0 | keyword, number.long | -| **config_value** | **system_controls.config_value** - The MIB value set in 
/etc/sysctl.conf | keyword, text.text | -| **configured_clock_speed** | **memory_devices.configured_clock_speed** - Configured speed of memory device in megatransfers per second (MT/s) | keyword, number.long | -| **configured_voltage** | **memory_devices.configured_voltage** - Configured operating voltage of device in millivolts | keyword, number.long | -| **connection_id** | **interface_details.connection_id** - Name of the network connection as it appears in the Network Connections Control Panel program. | keyword, text.text | -| **connection_status** | **interface_details.connection_status** - State of the network adapter connection to the network. | keyword, text.text | -| **consistency_scan_date** | **time_machine_destinations.consistency_scan_date** - Consistency scan date | keyword, number.long | -| **consumer** | **wmi_filter_consumer_binding.consumer** - Reference to an instance of __EventConsumer that represents the object path to a logical consumer, the recipient of an event. | keyword, text.text | -| **containers** | **docker_info.containers** - Total number of containers | keyword, number.long | -| **containers_paused** | **docker_info.containers_paused** - Number of containers in paused state | keyword, number.long | -| **containers_running** | **docker_info.containers_running** - Number of containers currently running | keyword, number.long | -| **containers_stopped** | **docker_info.containers_stopped** - Number of containers in stopped state | keyword, number.long | -| **content** | **disk_events.content** - Disk event content | keyword, text.text | -| **content_caching** | **sharing_preferences.content_caching** - 1 If content caching is enabled else 0 | keyword, number.long | -| **content_type** | **package_install_history.content_type** - Package content_type (optional) | keyword, text.text | -| **conversion_status** | **bitlocker_info.conversion_status** - The bitlocker conversion status of the drive. 
| keyword, number.long | -| **coprocessor_version** | **ibridge_info.coprocessor_version** - The manufacturer and chip version | keyword, text.text | -| **copy** | **virtual_memory_info.copy** - Total number of copy-on-write pages. | keyword, number.long | -| **copyright** | **apps.copyright** - Info properties NSHumanReadableCopyright label | keyword, text.text | -| **core** | **cpu_time.core** - Name of the cpu (core) | keyword, number.long | -| **cosine_similarity** | **powershell_events.cosine_similarity** - How similar the Powershell script is to a provided 'normal' character frequency | keyword, number.double | -| **count** | **userassist.count** - Number of times the application has been executed. | keyword, number.long | -| | **yara.count** - Number of YARA matches | | -| | **yara_events.count** - Number of YARA matches | | -| **country_code** | **wifi_status.country_code** - The country code (ISO/IEC 3166-1:1997) for the network | keyword, text.text | -| | **wifi_survey.country_code** - The country code (ISO/IEC 3166-1:1997) for the network | | -| **cpu** | **docker_container_processes.cpu** - CPU utilization as percentage | keyword, number.double | -| **cpu_brand** | **system_info.cpu_brand** - CPU brand string, contains vendor and model | keyword, text.text | -| **cpu_cfs_period** | **docker_info.cpu_cfs_period** - 1 if CPU Completely Fair Scheduler (CFS) period support is enabled. 0 otherwise | keyword, number.long | -| **cpu_cfs_quota** | **docker_info.cpu_cfs_quota** - 1 if CPU Completely Fair Scheduler (CFS) quota support is enabled. 
0 otherwise | keyword, number.long | -| **cpu_kernelmode_usage** | **docker_container_stats.cpu_kernelmode_usage** - CPU kernel mode usage | keyword, number.long | -| **cpu_logical_cores** | **system_info.cpu_logical_cores** - Number of logical CPU cores available to the system | keyword, number.long | -| **cpu_microcode** | **system_info.cpu_microcode** - Microcode version | keyword, text.text | -| **cpu_physical_cores** | **system_info.cpu_physical_cores** - Number of physical CPU cores in to the system | keyword, number.long | -| **cpu_pred_cmd_supported** | **kva_speculative_info.cpu_pred_cmd_supported** - PRED_CMD MSR supported by CPU Microcode. | keyword, number.long | -| **cpu_set** | **docker_info.cpu_set** - 1 if CPU set selection support is enabled. 0 otherwise | keyword, number.long | -| **cpu_shares** | **docker_info.cpu_shares** - 1 if CPU share weighting support is enabled. 0 otherwise | keyword, number.long | -| **cpu_spec_ctrl_supported** | **kva_speculative_info.cpu_spec_ctrl_supported** - SPEC_CTRL MSR supported by CPU Microcode. | keyword, number.long | -| **cpu_status** | **cpu_info.cpu_status** - The current operating status of the CPU. | keyword, number.long | -| **cpu_subtype** | **processes.cpu_subtype** - Indicates the specific processor on which an entry may be used. | keyword | -| | **system_info.cpu_subtype** - CPU subtype | | -| **cpu_total_usage** | **docker_container_stats.cpu_total_usage** - Total CPU usage | keyword, number.long | -| **cpu_type** | **processes.cpu_type** - Indicates the specific processor designed for installation. 
| keyword | -| | **system_info.cpu_type** - CPU type | | -| **cpu_usermode_usage** | **docker_container_stats.cpu_usermode_usage** - CPU user mode usage | keyword, number.long | -| **cpus** | **docker_info.cpus** - Number of CPUs | keyword, number.long | -| **crash_path** | **crashes.crash_path** - Location of log file | keyword, text.text | -| | **windows_crashes.crash_path** - Path of the log file | | -| **crashed_thread** | **crashes.crashed_thread** - Thread ID which crashed | keyword, number.long | -| **created** | **authorizations.created** - Label top-level key | keyword, text.text | -| | **docker_containers.created** - Time of creation as UNIX time | | -| | **docker_image_history.created** - Time of creation as UNIX time | | -| | **docker_images.created** - Time of creation as UNIX time | | -| | **docker_networks.created** - Time of creation as UNIX time | | -| | **keychain_items.created** - Data item was created | | -| **created_at** | **lxd_images.created_at** - ISO time of image creation | keyword, text.text | -| | **lxd_instances.created_at** - ISO time of creation | | -| **created_by** | **docker_image_history.created_by** - Created by instruction | keyword, text.text | -| **created_time** | **shellbags.created_time** - Directory Created time. | keyword, number.long | -| **creation_time** | **account_policy_data.creation_time** - When the account was first created | keyword | -| | **cups_jobs.creation_time** - When the print request was initiated | | -| **creator** | **firefox_addons.creator** - Addon-supported creator string | keyword, text.text | -| **creator_pid** | **shared_memory.creator_pid** - Process ID that created the segment | keyword, number.long | -| **creator_uid** | **shared_memory.creator_uid** - User ID of creator process | keyword, number.long | -| **csname** | **patches.csname** - The name of the host the patch is installed on. 
| keyword, text.text | -| **ctime** | **device_file.ctime** - Creation time | keyword | -| | **file.ctime** - Last status change time | | -| | **file_events.ctime** - Last status change time | | -| | **gatekeeper_approved_apps.ctime** - Last change time | | -| | **process_events.ctime** - File last metadata change in UNIX time | | -| | **shared_memory.ctime** - Changed time | | -| **current_capacity** | **battery.current_capacity** - The battery's current charged capacity in mAh | keyword, number.long | -| **current_clock_speed** | **cpu_info.current_clock_speed** - The current frequency of the CPU. | keyword, number.long | -| **current_directory** | **windows_crashes.current_directory** - Current working directory of the crashed process | keyword, text.text | -| **current_disk_queue_length** | **physical_disk_performance.current_disk_queue_length** - Number of requests outstanding on the disk at the time the performance data is collected | keyword, number.long | -| **current_locale** | **chrome_extensions.current_locale** - Current locale supported by extension | keyword, text.text | -| **current_value** | **system_controls.current_value** - Value of setting | keyword, text.text | -| **cwd** | **bpf_process_events.cwd** - Current working directory | keyword, text.text | -| | **es_process_events.cwd** - The process current working directory | | -| | **process_events.cwd** - The process current working directory | | -| | **process_file_events.cwd** - The current working directory of the process | | -| | **processes.cwd** - Process current working directory | | -| **cycle_count** | **battery.cycle_count** - The number of charge/discharge cycles | keyword, number.long | -| **data** | **magic.data** - Magic number data from libmagic | keyword, text.text | -| | **registry.data** - Data content of registry value | | -| | **windows_eventlog.data** - Data associated with the event | | -| | **windows_events.data** - Data associated with the event | | -| **data_width** | 
**memory_devices.data_width** - Data width, in bits, of this memory device | keyword, number.long | -| **database** | **lxd_cluster_members.database** - Whether the server is a database node (1) or not (0) | keyword, number.long | -| **date** | **drivers.date** - Driver date | keyword | -| | **platform_info.date** - Self-reported platform code update date | | -| **datetime** | **crashes.datetime** - Date/Time at which the crash occurred | keyword, text.text | -| | **powershell_events.datetime** - System time at which the Powershell script event occurred | | -| | **syslog_events.datetime** - Time known to syslog | | -| | **time.datetime** - Current date and time (ISO format) in UTC | | -| | **windows_crashes.datetime** - Timestamp (log format) of the crash | | -| | **windows_eventlog.datetime** - System time at which the event occurred | | -| | **windows_events.datetime** - System time at which the event occurred | | -| **day** | **time.day** - Current day in UTC | keyword, number.long | -| **day_of_month** | **crontab.day_of_month** - The day of the month for the job | keyword, text.text | -| **day_of_week** | **crontab.day_of_week** - The day of the week for the job | keyword, text.text | -| **days** | **uptime.days** - Days of uptime | keyword, number.long | -| **dc_site_name** | **ntdomains.dc_site_name** - The name of the site where the domain controller is located. | keyword, text.text | -| **decompressed** | **virtual_memory_info.decompressed** - The total number of pages that have been decompressed by the VM compressor. 
| keyword, number.long | -| **default_locale** | **chrome_extensions.default_locale** - Default locale supported by extension | keyword, text.text | -| **default_value** | **osquery_flags.default_value** - Flag default value | keyword, text.text | -| **denied_mask** | **apparmor_events.denied_mask** - Denied permissions for the process | keyword, text.text | -| **denylisted** | **osquery_schedule.denylisted** - 1 if the query is denylisted else 0 | keyword, number.long | -| **dependencies** | **kernel_panics.dependencies** - Module dependencies existing in crashed module's backtrace | keyword, text.text | -| **depth** | **iokit_devicetree.depth** - Device nested depth | keyword, number.long | -| | **iokit_registry.depth** - Node nested depth | | -| **description** | **appcompat_shims.description** - Description of the SDB. | keyword, text.text | -| | **atom_packages.description** - Package supplied description | | -| | **browser_plugins.description** - Plugin description text | | -| | **chassis_info.description** - An extended description of the chassis if available. | | -| | **chrome_extensions.description** - Extension-optional description | | -| | **disk_info.description** - The OS's description of the disk. | | -| | **drivers.description** - Driver description | | -| | **firefox_addons.description** - Addon-supplied description string | | -| | **interface_details.description** - Short description of the object a one-line string. | | -| | **keychain_acls.description** - The description included with the ACL entry | | -| | **keychain_items.description** - Optional item description | | -| | **logical_drives.description** - The canonical description of the drive, e.g. 'Logical Fixed Disk', 'CD-ROM Disk'. 
| | -| | **lxd_images.description** - Image description | | -| | **lxd_instances.description** - Instance description | | -| | **npm_packages.description** - Package supplied description | | -| | **osquery_flags.description** - Flag description | | -| | **patches.description** - Fuller description of the patch. | | -| | **safari_extensions.description** - Optional extension description text | | -| | **services.description** - Service Description | | -| | **shared_resources.description** - A textual description of the object | | -| | **shortcut_files.description** - Lnk file description. | | -| | **smbios_tables.description** - Table entry description | | -| | **systemd_units.description** - Unit description | | -| | **users.description** - Optional user description | | -| | **ycloud_instance_metadata.description** - Description of the VM | | -| **designed_capacity** | **battery.designed_capacity** - The battery's designed capacity in mAh | keyword, number.long | -| **dest_path** | **process_file_events.dest_path** - The canonical path associated with the event | keyword, text.text | -| **destination** | **cups_jobs.destination** - The printer the job was sent to | keyword, text.text | -| | **docker_container_mounts.destination** - Destination path inside container | | -| | **routes.destination** - Destination IP address | | -| **destination_id** | **time_machine_backups.destination_id** - Time Machine destination ID | keyword, text.text | -| | **time_machine_destinations.destination_id** - Time Machine destination ID | | -| **dev_id_enabled** | **gatekeeper.dev_id_enabled** - 1 If a Gatekeeper allows execution from identified developers else 0 | keyword, number.long | -| **developer_id** | **safari_extensions.developer_id** - Optional developer identifier | keyword, text.text | -| | **xprotect_meta.developer_id** - Developer identity (SHA1) of extension | | -| **development_region** | **apps.development_region** - Info properties CFBundleDevelopmentRegion label | 
keyword, text.text | -| | **browser_plugins.development_region** - Plugin language-localization | | -| **device** | **device_file.device** - Absolute file path to device node | keyword, text.text | -| | **device_firmware.device** - The device name | | -| | **device_hash.device** - Absolute file path to device node | | -| | **device_partitions.device** - Absolute file path to device node | | -| | **disk_events.device** - Disk event BSD name | | -| | **file.device** - Device ID (optional) | | -| | **kernel_info.device** - Kernel device identifier | | -| | **lxd_instance_devices.device** - Name of the device | | -| | **mounts.device** - Mounted device | | -| | **process_memory_map.device** - MA:MI Major/minor device ID | | -| **device_alias** | **mounts.device_alias** - Mounted device alias | keyword, text.text | -| **device_error_address** | **memory_error_info.device_error_address** - 32 bit physical address of the error relative to the start of the failing memory address, in bytes | keyword, text.text | -| **device_id** | **bitlocker_info.device_id** - ID of the encrypted drive. | keyword, text.text | -| | **cpu_info.device_id** - The DeviceID of the CPU. | | -| | **drivers.device_id** - Device ID | | -| | **logical_drives.device_id** - The drive id, usually the drive name, e.g., 'C:'. 
| | -| **device_locator** | **memory_devices.device_locator** - String number of the string that identifies the physically-labeled socket or board position where the memory device is located | keyword, text.text | -| **device_model** | **smart_drive_info.device_model** - Device Model | keyword, text.text | -| **device_name** | **drivers.device_name** - Device name | keyword, text.text | -| | **md_devices.device_name** - md device name | | -| | **smart_drive_info.device_name** - Name of block device | | -| **device_path** | **iokit_devicetree.device_path** - Device tree path | keyword, text.text | -| **device_type** | **lxd_instance_devices.device_type** - Device type | keyword, text.text | -| | **shortcut_files.device_type** - Device containing the target file. | | -| **dhcp_enabled** | **interface_details.dhcp_enabled** - If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection. | keyword, number.long | -| **dhcp_lease_expires** | **interface_details.dhcp_lease_expires** - Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server. | keyword, text.text | -| **dhcp_lease_obtained** | **interface_details.dhcp_lease_obtained** - Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server. | keyword, text.text | -| **dhcp_server** | **interface_details.dhcp_server** - IP address of the dynamic host configuration protocol (DHCP) server. 
| keyword, text.text | -| **direction** | **windows_firewall_rules.direction** - Direction of traffic for which the rule applies | keyword, text.text | -| **directory** | **extended_attributes.directory** - Directory of file(s) | keyword, text.text | -| | **file.directory** - Directory of file(s) | | -| | **hash.directory** - Must provide a path or directory | | -| | **npm_packages.directory** - Node module's directory where this package is located | | -| | **python_packages.directory** - Directory where Python modules are located | | -| | **users.directory** - User's home directory | | -| **disabled** | **browser_plugins.disabled** - Is the plugin disabled. 1 = Disabled | keyword | -| | **firefox_addons.disabled** - 1 If the addon is application-disabled else 0 | | -| | **launchd.disabled** - Skip loading this daemon or agent on boot | | -| | **wifi_networks.disabled** - 1 if this network is disabled, 0 otherwise | | -| **disc_sharing** | **sharing_preferences.disc_sharing** - 1 If CD or DVD sharing is enabled else 0 | keyword, number.long | -| **disconnected** | **connectivity.disconnected** - True if the all interfaces are not connected to any network | keyword, number.long | -| **discovery_cache_hits** | **osquery_packs.discovery_cache_hits** - The number of times that the discovery query used cached values since the last time the config was reloaded | keyword, number.long | -| **discovery_executions** | **osquery_packs.discovery_executions** - The number of times that the discovery queries have been executed since the last time the config was reloaded | keyword, number.long | -| **disk_bytes_read** | **processes.disk_bytes_read** - Bytes read from disk | keyword, number.long | -| **disk_bytes_written** | **processes.disk_bytes_written** - Bytes written to disk | keyword, number.long | -| **disk_id** | **smart_drive_info.disk_id** - Physical slot number of device, only exists when hardware storage controller exists | keyword, number.long | -| **disk_index** | 
**disk_info.disk_index** - Physical drive number of the disk. | keyword, number.long | -| **disk_read** | **docker_container_stats.disk_read** - Total disk read bytes | keyword, number.long | -| **disk_size** | **disk_info.disk_size** - Size of the disk. | keyword, number.long | -| **disk_write** | **docker_container_stats.disk_write** - Total disk write bytes | keyword, number.long | -| **display_name** | **apps.display_name** - Info properties CFBundleDisplayName label | keyword, text.text | -| | **services.display_name** - Service Display name | | -| **dns_domain** | **interface_details.dns_domain** - Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'. | keyword, text.text | -| **dns_domain_name** | **logon_sessions.dns_domain_name** - The DNS name for the owner of the logon session. | keyword, text.text | -| **dns_domain_suffix_search_order** | **interface_details.dns_domain_suffix_search_order** - Array of DNS domain suffixes to be appended to the end of host names during name resolution. | keyword, text.text | -| **dns_forest_name** | **ntdomains.dns_forest_name** - The name of the root of the DNS tree. | keyword, text.text | -| **dns_host_name** | **interface_details.dns_host_name** - Host name used to identify the local computer for authentication by some utilities. | keyword, text.text | -| **dns_server_search_order** | **interface_details.dns_server_search_order** - Array of server IP addresses to be used in querying for DNS servers. | keyword, text.text | -| **domain** | **ad_config.domain** - Active Directory trust domain | keyword, text.text | -| | **managed_policies.domain** - System or manager-chosen domain key | | -| | **preferences.domain** - Application ID usually in com.name.product format | | -| **domain_controller_address** | **ntdomains.domain_controller_address** - The IP Address of the discovered domain controller.. 
| keyword, text.text | -| **domain_controller_name** | **ntdomains.domain_controller_name** - The name of the discovered domain controller. | keyword, text.text | -| **domain_name** | **ntdomains.domain_name** - The name of the domain. | keyword, text.text | -| **drive_letter** | **bitlocker_info.drive_letter** - Drive letter of the encrypted drive. | keyword, text.text | -| | **ntfs_journal_events.drive_letter** - The drive letter identifying the source journal | | -| **drive_name** | **md_drives.drive_name** - Drive device name | keyword, text.text | -| **driver** | **docker_container_mounts.driver** - Driver providing the mount | keyword, text.text | -| | **docker_networks.driver** - Network driver | | -| | **docker_volumes.driver** - Volume driver | | -| | **hardware_events.driver** - Driver claiming the device | | -| | **lxd_storage_pools.driver** - Storage driver | | -| | **pci_devices.driver** - PCI Device used driver | | -| | **video_info.driver** - The driver of the device. | | -| **driver_date** | **video_info.driver_date** - The date listed on the installed driver. | keyword, number.long | -| **driver_key** | **drivers.driver_key** - Driver key | keyword, text.text | -| **driver_type** | **smart_drive_info.driver_type** - The explicit device type used to retrieve the SMART information | keyword, text.text | -| **driver_version** | **video_info.driver_version** - The version of the installed driver. | keyword, text.text | -| **dst_ip** | **iptables.dst_ip** - Destination IP address. | keyword, text.text | -| **dst_mask** | **iptables.dst_mask** - Destination IP address mask. | keyword, text.text | -| **dst_port** | **iptables.dst_port** - Protocol destination port(s). 
| keyword, text.text | -| **dtime** | **shared_memory.dtime** - Detached time | keyword, number.long | -| **dump_certificate** | **curl_certificate.dump_certificate** - Set this value to '1' to dump certificate | keyword, number.long | -| **duration** | **bpf_process_events.duration** - How much time was spent inside the syscall (nsecs) | keyword, number.long | -| | **bpf_socket_events.duration** - How much time was spent inside the syscall (nsecs) | | -| **eapi** | **portage_packages.eapi** - The eapi for the ebuild | keyword, number.long | -| **egid** | **docker_container_processes.egid** - Effective group ID | keyword | -| | **es_process_events.egid** - Effective Group ID of the process | | -| | **process_events.egid** - Effective group ID at process start | | -| | **process_file_events.egid** - Effective group ID of the process using the file | | -| | **processes.egid** - Unsigned effective group ID | | -| **eid** | **apparmor_events.eid** - Event ID | keyword, text.text | -| | **bpf_process_events.eid** - Event ID | | -| | **bpf_socket_events.eid** - Event ID | | -| | **disk_events.eid** - Event ID | | -| | **es_process_events.eid** - Event ID | | -| | **file_events.eid** - Event ID | | -| | **hardware_events.eid** - Event ID | | -| | **ntfs_journal_events.eid** - Event ID | | -| | **process_events.eid** - Event ID | | -| | **process_file_events.eid** - Event ID | | -| | **selinux_events.eid** - Event ID | | -| | **socket_events.eid** - Event ID | | -| | **syslog_events.eid** - Event ID | | -| | **user_events.eid** - Event ID | | -| | **windows_events.eid** - Event ID | | -| | **yara_events.eid** - Event ID | | -| **ejectable** | **disk_events.ejectable** - 1 if ejectable, 0 if not | keyword, number.long | -| **elapsed_time** | **processes.elapsed_time** - Elapsed time in seconds this process has been running. 
| keyword, number.long | -| **element** | **apps.element** - Does the app identify as a background agent | keyword, text.text | -| **elevated_token** | **processes.elevated_token** - Process uses elevated token yes=1, no=0 | keyword, number.long | -| **enable_ipv6** | **docker_networks.enable_ipv6** - 1 if IPv6 is enabled on this network. 0 otherwise | keyword, number.long | -| **enabled** | **app_schemes.enabled** - 1 if this handler is the OS default, else 0 | keyword | -| | **event_taps.enabled** - Is the Event Tap enabled | | -| | **interface_details.enabled** - Indicates whether the adapter is enabled or not. | | -| | **location_services.enabled** - 1 if Location Services are enabled, else 0 | | -| | **lxd_cluster.enabled** - Whether clustering enabled (1) or not (0) on this node | | -| | **sandboxes.enabled** - Application sandboxings enabled on container | | -| | **scheduled_tasks.enabled** - Whether or not the scheduled task is enabled | | -| | **screenlock.enabled** - 1 If a password is required after sleep or the screensaver begins; else 0 | | -| | **sip_config.enabled** - 1 if this configuration is enabled, otherwise 0 | | -| | **tpm_info.enabled** - TPM is enabled | | -| | **windows_firewall_rules.enabled** - 1 if the rule is enabled | | -| | **yum_sources.enabled** - Whether the repository is used | | -| **enabled_nvram** | **sip_config.enabled_nvram** - 1 if this configuration is enabled, otherwise 0 | keyword, number.long | -| **encrypted** | **disk_encryption.encrypted** - 1 If encrypted: true (disk is encrypted), else 0 | keyword, number.long | -| | **user_ssh_keys.encrypted** - 1 if key is encrypted, 0 otherwise | | -| **encryption** | **time_machine_destinations.encryption** - Last known encrypted state | keyword, text.text | -| **encryption_method** | **bitlocker_info.encryption_method** - The encryption type of the device. 
| keyword, text.text | -| **encryption_status** | **disk_encryption.encryption_status** - Disk encryption status with one of following values: encrypted | not encrypted | undefined | keyword, text.text | -| **end** | **memory_map.end** - End address of memory region | keyword, text.text | -| | **process_memory_map.end** - Virtual end address (hex) | | -| **ending_address** | **memory_array_mapped_addresses.ending_address** - Physical ending address of last kilobyte of a range of memory mapped to physical memory array | keyword, text.text | -| | **memory_device_mapped_addresses.ending_address** - Physical ending address of last kilobyte of a range of memory mapped to physical memory array | | -| **endpoint_id** | **docker_container_networks.endpoint_id** - Endpoint ID | keyword, text.text | -| **entry** | **authorization_mechanisms.entry** - The whole string entry | keyword, text.text | -| | **elf_info.entry** - Entry point address | | -| | **shimcache.entry** - Execution order. | | -| **env** | **es_process_events.env** - Environment variables delimited by spaces | keyword, text.text | -| | **process_events.env** - Environment variables delimited by spaces | | -| **env_count** | **es_process_events.env_count** - Number of environment variables | keyword, number.long | -| | **process_events.env_count** - Number of environment variables | | -| **env_size** | **process_events.env_size** - Actual size (bytes) of environment list | keyword, number.long | -| **env_variables** | **docker_containers.env_variables** - Container environmental variables | keyword, text.text | -| **environment** | **apps.environment** - Application-set environment variables | keyword, text.text | -| **ephemeral** | **lxd_instances.ephemeral** - Whether the instance is ephemeral(1) or not(0) | keyword, number.long | -| **epoch** | **rpm_packages.epoch** - Package epoch value | keyword, number.long | -| **error** | **apparmor_events.error** - Error information | keyword, text.text | -| 
**error_granularity** | **memory_error_info.error_granularity** - Granularity to which the error can be resolved | keyword, text.text | -| **error_operation** | **memory_error_info.error_operation** - Memory access operation that caused the error | keyword, text.text | -| **error_resolution** | **memory_error_info.error_resolution** - Range, in bytes, within which this error can be determined, when an error address is given | keyword, text.text | -| **error_type** | **memory_error_info.error_type** - type of error associated with current error status for array or device | keyword, text.text | -| **euid** | **docker_container_processes.euid** - Effective user ID | keyword | -| | **es_process_events.euid** - Effective User ID of the process | | -| | **process_events.euid** - Effective user ID at process start | | -| | **process_file_events.euid** - Effective user ID of the process using the file | | -| | **processes.euid** - Unsigned effective user ID | | -| **event** | **crontab.event** - The job @event name (rare) | keyword, text.text | -| **event_queue** | **carbon_black_info.event_queue** - Size in bytes of Carbon Black event files on disk | keyword, number.long | -| **event_tap_id** | **event_taps.event_tap_id** - Unique ID for the Tap | keyword, number.long | -| **event_tapped** | **event_taps.event_tapped** - The mask that identifies the set of events to be observed. 
| keyword, text.text | -| **event_type** | **es_process_events.event_type** - Type of EndpointSecurity event | keyword, text.text | -| **eventid** | **windows_eventlog.eventid** - Event ID of the event | keyword, number.long | -| | **windows_events.eventid** - Event ID of the event | | -| **events** | **osquery_events.events** - Number of events emitted or received since osquery started | keyword, number.long | -| **exception_address** | **windows_crashes.exception_address** - Address (in hex) where the exception occurred | keyword, text.text | -| **exception_code** | **windows_crashes.exception_code** - The Windows exception code | keyword, text.text | -| **exception_codes** | **crashes.exception_codes** - Exception codes from the crash | keyword, text.text | -| **exception_message** | **windows_crashes.exception_message** - The NTSTATUS error message associated with the exception code | keyword, text.text | -| **exception_notes** | **crashes.exception_notes** - Exception notes from the crash | keyword, text.text | -| **exception_type** | **crashes.exception_type** - Exception type of the crash | keyword, text.text | -| **exe** | **seccomp_events.exe** - The path to the executable that was used to invoke the analyzed process | keyword, text.text | -| **executable** | **appcompat_shims.executable** - Name of the executable that is being shimmed. This is pulled from the registry. | keyword, text.text | -| | **process_file_events.executable** - The executable path | | -| **executable_path** | **wmi_cli_event_consumers.executable_path** - Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed. | keyword, text.text | -| **execution_flag** | **shimcache.execution_flag** - Boolean Execution flag, 1 for execution, 0 for no execution, -1 for missing (this flag does not exist on Windows 10 and higher). 
| keyword, number.long | -| **executions** | **osquery_schedule.executions** - Number of times the query was executed | keyword, number.long | -| **exit_code** | **bpf_process_events.exit_code** - Exit code of the system call | keyword, text.text | -| | **bpf_socket_events.exit_code** - Exit code of the system call | | -| | **es_process_events.exit_code** - Exit code of a process in case of an exit event | | -| **expand** | **default_environment.expand** - 1 if the variable needs expanding, 0 otherwise | keyword, number.long | -| **expire** | **shadow.expire** - Number of days since UNIX epoch date until account is disabled | keyword, number.long | -| **expires_at** | **lxd_images.expires_at** - ISO time of image expiration | keyword, text.text | -| **extended_key_usage** | **curl_certificate.extended_key_usage** - Extended usage of key in certificate | keyword, text.text | -| **extensions** | **osquery_info.extensions** - osquery extensions status | keyword, text.text | -| **external** | **app_schemes.external** - 1 if this handler does NOT exist on OS X by default, else 0 | keyword, number.long | -| **extra** | **asl.extra** - Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h. | keyword, text.text | -| | **platform_info.extra** - Platform-specific additional information | | -| **facility** | **asl.facility** - Sender's facility. Default is 'user'. | keyword, text.text | -| | **syslog_events.facility** - Syslog facility | | -| **fahrenheit** | **temperature_sensors.fahrenheit** - Temperature in Fahrenheit | keyword, number.double | -| **failed_disks** | **md_devices.failed_disks** - Number of failed disks in array | keyword, number.long | -| **failed_login_count** | **account_policy_data.failed_login_count** - The number of failed login attempts using an incorrect password. Count resets after a correct password is entered. 
| keyword, number.long | -| **failed_login_timestamp** | **account_policy_data.failed_login_timestamp** - The time of the last failed login attempt. Resets after a correct password is entered | keyword, number.double | -| **family** | **bpf_socket_events.family** - The Internet protocol family ID | keyword, number.long | -| | **listening_ports.family** - Network protocol (IPv4, IPv6) | | -| | **process_open_sockets.family** - Network protocol (IPv4, IPv6) | | -| | **socket_events.family** - The Internet protocol family ID | | -| **fan** | **fan_speed_sensors.fan** - Fan number | keyword, text.text | -| **faults** | **virtual_memory_info.faults** - Total number of calls to vm_faults. | keyword, number.long | -| **fd** | **bpf_socket_events.fd** - The file description for the process socket | keyword, text.text | -| | **listening_ports.fd** - Socket file descriptor number | | -| | **process_open_files.fd** - Process-specific file descriptor number | | -| | **process_open_pipes.fd** - File descriptor | | -| | **process_open_sockets.fd** - Socket file descriptor number | | -| | **socket_events.fd** - The file description for the process socket | | -| **feature** | **cpuid.feature** - Present feature flags | keyword, text.text | -| **feature_control** | **msr.feature_control** - Bitfield controlling enabled features. | keyword, number.long | -| **field_name** | **system_controls.field_name** - Specific attribute of opaque type | keyword, text.text | -| **file_attributes** | **ntfs_journal_events.file_attributes** - File attributes | keyword, text.text | -| **file_backed** | **virtual_memory_info.file_backed** - Total number of file backed pages. | keyword, number.long | -| **file_id** | **file.file_id** - file ID | keyword, text.text | -| **file_sharing** | **sharing_preferences.file_sharing** - 1 If file sharing is enabled else 0 | keyword, number.long | -| **file_system** | **logical_drives.file_system** - The file system of the drive. 
| keyword, text.text | -| **file_version** | **file.file_version** - File version | keyword, text.text | -| **filename** | **device_file.filename** - Name portion of file path | keyword, text.text | -| | **file.filename** - Name portion of file path | | -| | **lxd_images.filename** - Filename of the image file | | -| | **prefetch.filename** - Executable filename. | | -| | **xprotect_entries.filename** - Use this file name to match | | -| **filepath** | **package_bom.filepath** - Package file or directory | keyword, text.text | -| **filesystem** | **disk_events.filesystem** - Filesystem if available | keyword, text.text | -| **filetype** | **xprotect_entries.filetype** - Use this file type to match | keyword, text.text | -| **filevault_status** | **disk_encryption.filevault_status** - FileVault status with one of following values: on | off | unknown | keyword, text.text | -| **filter** | **wmi_filter_consumer_binding.filter** - Reference to an instance of __EventFilter that represents the object path to an event filter which is a query that specifies the type of event to be received. | keyword, text.text | -| **filter_name** | **iptables.filter_name** - Packet matching filter table name. | keyword, text.text | -| **fingerprint** | **lxd_certificates.fingerprint** - SHA256 hash of the certificate | keyword, text.text | -| **finished_at** | **docker_containers.finished_at** - Container finish time as string | keyword, text.text | -| **firewall** | **windows_security_center.firewall** - The health of the monitored Firewall (see windows_security_products) | keyword, text.text | -| **firewall_unload** | **alf.firewall_unload** - 1 If firewall unloading enabled else 0 | keyword, number.long | -| **firmware_version** | **ibridge_info.firmware_version** - The build version of the firmware | keyword, text.text | -| | **smart_drive_info.firmware_version** - Drive firmware version | | -| **fix_comments** | **patches.fix_comments** - Additional comments about the patch. 
| keyword, text.text | -| **flag** | **shadow.flag** - Reserved | keyword, number.long | -| **flags** | **device_partitions.flags** - | keyword | -| | **dns_cache.flags** - DNS record flags | | -| | **elf_info.flags** - ELF header flags | | -| | **elf_sections.flags** - Section attributes | | -| | **elf_segments.flags** - Segment attributes | | -| | **interface_details.flags** - Flags (netdevice) for the device | | -| | **mounts.flags** - Mounted device flags | | -| | **pipes.flags** - The flags indicating whether this pipe connection is a server or client end, and if the pipe for sending messages or bytes | | -| | **routes.flags** - Flags to describe route | | -| **flatsize** | **pkg_packages.flatsize** - Package size in bytes | keyword, number.long | -| **folder_id** | **ycloud_instance_metadata.folder_id** - Folder identifier for the VM | keyword, text.text | -| **following** | **systemd_units.following** - The name of another unit that this unit follows in state | keyword, text.text | -| **forced** | **preferences.forced** - 1 if the value is forced/managed, else 0 | keyword, number.long | -| **form_factor** | **memory_devices.form_factor** - Implementation form factor for this memory device | keyword, text.text | -| | **smart_drive_info.form_factor** - Form factor if reported | | -| **format** | **cups_jobs.format** - The format of the print job | keyword, text.text | -| **forwarding_enabled** | **interface_ipv6.forwarding_enabled** - Enable IP forwarding | keyword, number.long | -| **fragment_path** | **systemd_units.fragment_path** - The unit file path this unit was read from, if there is any | keyword, text.text | -| **frame_backtrace** | **kernel_panics.frame_backtrace** - Backtrace of the crashed module | keyword, text.text | -| **free** | **virtual_memory_info.free** - Total number of free pages. | keyword, number.long | -| **free_space** | **logical_drives.free_space** - The amount of free space, in bytes, of the drive (-1 on failure). 
| keyword, number.long | -| **friendly_name** | **interface_addresses.friendly_name** - The friendly display name of the interface. | keyword, text.text | -| | **interface_details.friendly_name** - The friendly display name of the interface. | | -| **from_webstore** | **chrome_extensions.from_webstore** - True if this extension was installed from the web store | keyword, text.text | -| **fs_id** | **quicklook_cache.fs_id** - Quicklook file fs_id key | keyword, text.text | -| **fsgid** | **process_events.fsgid** - Filesystem group ID at process start | keyword | -| | **process_file_events.fsgid** - Filesystem group ID of the process using the file | | -| **fsuid** | **apparmor_events.fsuid** - Filesystem user ID | keyword | -| | **process_events.fsuid** - Filesystem user ID at process start | | -| | **process_file_events.fsuid** - Filesystem user ID of the process using the file | | -| **gateway** | **docker_container_networks.gateway** - Gateway | keyword, text.text | -| | **docker_networks.gateway** - Network gateway | | -| | **routes.gateway** - Route gateway | | -| **gid** | **asl.gid** - GID that sent the log message (set by the server). 
| keyword | -| | **bpf_process_events.gid** - Group ID | | -| | **bpf_socket_events.gid** - Group ID | | -| | **device_file.gid** - Owning group ID | | -| | **docker_container_processes.gid** - Group ID | | -| | **es_process_events.gid** - Group ID of the process | | -| | **file.gid** - Owning group ID | | -| | **file_events.gid** - Owning group ID | | -| | **groups.gid** - Unsigned int64 group ID | | -| | **package_bom.gid** - Expected group of file or directory | | -| | **process_events.gid** - Group ID at process start | | -| | **process_file_events.gid** - The gid of the process performing the action | | -| | **processes.gid** - Unsigned group ID | | -| | **seccomp_events.gid** - Group ID of the user who started the analyzed process | | -| | **user_groups.gid** - Group ID | | -| | **users.gid** - Group ID (unsigned) | | -| **gid_signed** | **groups.gid_signed** - A signed int64 version of gid | keyword, number.long | -| | **users.gid_signed** - Default group ID as int64 signed (Apple) | | -| **git_commit** | **docker_version.git_commit** - Docker build git commit | keyword, text.text | -| **global_seq_num** | **es_process_events.global_seq_num** - Global sequence number | keyword, number.long | -| **global_state** | **alf.global_state** - 1 If the firewall is enabled with exceptions, 2 if the firewall is configured to block all incoming connections, else 0 | keyword, number.long | -| **go_version** | **docker_version.go_version** - Go version | keyword, text.text | -| **gpgcheck** | **yum_sources.gpgcheck** - Whether packages are GPG checked | keyword, text.text | -| **gpgkey** | **yum_sources.gpgkey** - URL to GPG key | keyword, text.text | -| **grace_period** | **screenlock.grace_period** - The amount of time in seconds the screen must be asleep or the screensaver on before a password is required on-wake. 
0 = immediately; -1 = no password is required on-wake | keyword, number.long | -| **group_sid** | **groups.group_sid** - Unique group ID | keyword, text.text | -| **grouping** | **windows_firewall_rules.grouping** - Group to which an individual rule belongs | keyword, text.text | -| **groupname** | **groups.groupname** - Canonical local group name | keyword, text.text | -| | **launchd.groupname** - Run this daemon or agent as this group | | -| | **rpm_package_files.groupname** - File default groupname from info DB | | -| | **suid_bin.groupname** - Binary owner group | | -| **guest** | **cpu_time.guest** - Time spent running a virtual CPU for a guest OS under the control of the Linux kernel | keyword, number.long | -| **guest_nice** | **cpu_time.guest_nice** - Time spent running a niced guest | keyword, number.long | -| **handle** | **memory_array_mapped_addresses.handle** - Handle, or instance number, associated with the structure | keyword, text.text | -| | **memory_arrays.handle** - Handle, or instance number, associated with the array | | -| | **memory_device_mapped_addresses.handle** - Handle, or instance number, associated with the structure | | -| | **memory_devices.handle** - Handle, or instance number, associated with the structure in SMBIOS | | -| | **memory_error_info.handle** - Handle, or instance number, associated with the structure | | -| | **oem_strings.handle** - Handle, or instance number, associated with the Type 11 structure | | -| | **smbios_tables.handle** - Table entry handle | | -| **handle_count** | **processes.handle_count** - Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process. 
| keyword, number.long | -| **handler** | **app_schemes.handler** - Application label for the handler | keyword, text.text | -| **hard_limit** | **ulimit_info.hard_limit** - Maximum limit value | keyword, text.text | -| **hard_links** | **device_file.hard_links** - Number of hard links | keyword, number.long | -| | **file.hard_links** - Number of hard links | | -| **hardware_model** | **disk_info.hardware_model** - Hard drive model. | keyword, text.text | -| | **system_info.hardware_model** - Hardware model | | -| **hardware_serial** | **system_info.hardware_serial** - Device serial number | keyword, text.text | -| **hardware_vendor** | **system_info.hardware_vendor** - Hardware vendor | keyword, text.text | -| **hardware_version** | **system_info.hardware_version** - Hardware version | keyword, text.text | -| **has_expired** | **curl_certificate.has_expired** - 1 if the certificate has expired, 0 otherwise | keyword, number.long | -| **hash** | **prefetch.hash** - Prefetch CRC hash. | keyword, text.text | -| **hash_alg** | **shadow.hash_alg** - Password hashing algorithm | keyword, text.text | -| **hash_resources** | **signature.hash_resources** - Set to 1 to also hash resources, or 0 otherwise. 
Default is 1 | keyword, number.long | -| **hashed** | **file_events.hashed** - 1 if the file was hashed, 0 if not, -1 if hashing failed | keyword, number.long | -| **header** | **sudoers.header** - Symbol for given rule | keyword, text.text | -| **header_size** | **smbios_tables.header_size** - Header size in bytes | keyword, number.long | -| **health** | **battery.health** - One of the following: "Good" describes a well-performing battery, "Fair" describes a functional battery with limited capacity, or "Poor" describes a battery that's not capable of providing power | keyword, text.text | -| **hidden** | **scheduled_tasks.hidden** - Whether or not the task is visible in the UI | keyword, number.long | -| | **smc_keys.hidden** - 1 if this key is normally hidden, otherwise 0 | | -| **history_file** | **shell_history.history_file** - Path to the .*_history for this user | keyword, text.text | -| **hit_count** | **quicklook_cache.hit_count** - Number of cache hits on thumbnail | keyword, text.text | -| **home_directory** | **logon_sessions.home_directory** - The home directory for the logon session. | keyword, text.text | -| **home_directory_drive** | **logon_sessions.home_directory_drive** - The drive location of the home directory of the logon session. | keyword, text.text | -| **homepage** | **atom_packages.homepage** - Package supplied homepage | keyword, text.text | -| **hop_limit** | **interface_ipv6.hop_limit** - Current Hop Limit | keyword, number.long | -| **hopcount** | **routes.hopcount** - Max hops expected | keyword, number.long | -| **host** | **asl.host** - Sender's address (set by the server). 
| keyword, text.text | -| | **last.host** - Entry hostname | | -| | **logged_in_users.host** - Remote hostname | | -| | **preferences.host** - 'current' or 'any' host, where 'current' takes precedence | | -| | **syslog_events.host** - Hostname configured for syslog | | -| **host_ip** | **docker_container_ports.host_ip** - Host IP address on which public port is listening | keyword, text.text | -| **host_port** | **docker_container_ports.host_port** - Host port | keyword, number.long | -| **hostname** | **curl_certificate.hostname** - Hostname (domain[:port]) to CURL | keyword, text.text | -| | **shortcut_files.hostname** - Optional hostname of the target file. | | -| | **system_info.hostname** - Network hostname including domain | | -| | **ycloud_instance_metadata.hostname** - Hostname of the VM | | -| **hostnames** | **etc_hosts.hostnames** - Raw hosts mapping | keyword, text.text | -| **hotfix_id** | **patches.hotfix_id** - The KB ID of the patch. | keyword, text.text | -| **hour** | **crontab.hour** - The hour of the day for the job | keyword, text.text | -| | **time.hour** - Current hour in UTC | | -| **hours** | **uptime.hours** - Hours of uptime | keyword, number.long | -| **http_proxy** | **docker_info.http_proxy** - HTTP proxy | keyword, text.text | -| **https_proxy** | **docker_info.https_proxy** - HTTPS proxy | keyword, text.text | -| **hwaddr** | **lxd_networks.hwaddr** - Hardware address for this network | keyword, text.text | -| **iam_arn** | **ec2_instance_metadata.iam_arn** - If there is an IAM role associated with the instance, contains instance profile ARN | keyword, text.text | -| **ibrs_support_enabled** | **kva_speculative_info.ibrs_support_enabled** - Windows uses IBRS. 
| keyword, number.long | -| **ibytes** | **interface_details.ibytes** - Input bytes | keyword, number.long | -| **icmp_types_codes** | **windows_firewall_rules.icmp_types_codes** - ICMP types and codes for the rule | keyword, text.text | -| **icon_mode** | **quicklook_cache.icon_mode** - Thumbnail icon mode | keyword, number.long | -| **icon_path** | **shortcut_files.icon_path** - Lnk file icon location. | keyword, text.text | -| **id** | **disk_info.id** - The unique identifier of the drive on the system. | keyword, text.text | -| | **dns_resolvers.id** - Address type index or order | | -| | **docker_container_envs.id** - Container ID | | -| | **docker_container_fs_changes.id** - Container ID | | -| | **docker_container_labels.id** - Container ID | | -| | **docker_container_mounts.id** - Container ID | | -| | **docker_container_networks.id** - Container ID | | -| | **docker_container_ports.id** - Container ID | | -| | **docker_container_processes.id** - Container ID | | -| | **docker_container_stats.id** - Container ID | | -| | **docker_containers.id** - Container ID | | -| | **docker_image_history.id** - Image ID | | -| | **docker_image_labels.id** - Image ID | | -| | **docker_image_layers.id** - Image ID | | -| | **docker_images.id** - Image ID | | -| | **docker_info.id** - Docker system ID | | -| | **docker_network_labels.id** - Network ID | | -| | **docker_networks.id** - Network ID | | -| | **example.id** - An index of some sort | | -| | **iokit_devicetree.id** - IOKit internal registry ID | | -| | **iokit_registry.id** - IOKit internal registry ID | | -| | **lxd_images.id** - Image ID | | -| | **systemd_units.id** - Unique unit identifier | | -| **identifier** | **browser_plugins.identifier** - Plugin identifier | keyword, text.text | -| | **chrome_extension_content_scripts.identifier** - Extension identifier | | -| | **chrome_extensions.identifier** - Extension identifier, computed from its manifest. Empty in case of error. 
| | -| | **crashes.identifier** - Identifier of the crashed process | | -| | **firefox_addons.identifier** - Addon identifier | | -| | **safari_extensions.identifier** - Extension identifier | | -| | **signature.identifier** - The signing identifier sealed into the signature | | -| | **system_extensions.identifier** - Identifier name | | -| | **xprotect_meta.identifier** - Browser plugin or extension identifier | | -| **identifying_number** | **programs.identifying_number** - Product identification such as a serial number on software, or a die number on a hardware chip. | keyword, text.text | -| **identity** | **xprotect_entries.identity** - XProtect identity (SHA1) of content | keyword, text.text | -| **idle** | **cpu_time.idle** - Time spent in the idle task | keyword, number.long | -| **idrops** | **interface_details.idrops** - Input drops | keyword, number.long | -| **idx** | **kernel_extensions.idx** - Extension load tag or index | keyword, number.long | -| **ierrors** | **interface_details.ierrors** - Input errors | keyword, number.long | -| **image** | **docker_containers.image** - Docker image (name) used to launch this container | keyword, text.text | -| | **drivers.image** - Path to driver image file | | -| **image_id** | **docker_containers.image_id** - Docker image ID | keyword, text.text | -| **images** | **docker_info.images** - Number of images | keyword, number.long | -| **in_smartctl_db** | **smart_drive_info.in_smartctl_db** - Boolean value for if drive is recognized | keyword, number.long | -| **inactive** | **memory_info.inactive** - The total amount of buffer or page cache memory, in bytes, that are free and available | keyword, number.long | -| | **shadow.inactive** - Number of days after password expires until account is blocked | | -| | **virtual_memory_info.inactive** - Total number of inactive pages. 
| | -| **inetd_compatibility** | **launchd.inetd_compatibility** - Run this daemon or agent as it was launched from inetd | keyword, text.text | -| **inf** | **drivers.inf** - Associated inf file | keyword, text.text | -| **info** | **apparmor_events.info** - Additional information | keyword, text.text | -| **info_access** | **curl_certificate.info_access** - Authority Information Access | keyword, text.text | -| **info_string** | **apps.info_string** - Info properties CFBundleGetInfoString label | keyword, text.text | -| **inherited_from** | **ntfs_acl_permissions.inherited_from** - The inheritance policy of the ACE. | keyword, text.text | -| **iniface** | **iptables.iniface** - Input interface for the rule. | keyword, text.text | -| **iniface_mask** | **iptables.iniface_mask** - Input interface mask for the rule. | keyword, text.text | -| **inode** | **device_file.inode** - Filesystem inode number | keyword, number.long | -| | **device_hash.inode** - Filesystem inode number | | -| | **file.inode** - Filesystem inode number | | -| | **file_events.inode** - Filesystem inode number | | -| | **process_memory_map.inode** - Mapped path inode, 0 means uninitialized (BSS) | | -| | **process_open_pipes.inode** - Pipe inode number | | -| | **quicklook_cache.inode** - Parsed file ID (inode) from fs_id | | -| **inodes** | **device_partitions.inodes** - Number of meta nodes | keyword, number.long | -| | **mounts.inodes** - Mounted device used inodes | | -| **inodes_free** | **mounts.inodes_free** - Mounted device free inodes | keyword, number.long | -| **inodes_total** | **lxd_storage_pools.inodes_total** - Total number of inodes available in this storage pool | keyword, number.long | -| **inodes_used** | **lxd_storage_pools.inodes_used** - Number of inodes used | keyword, number.long | -| **input_eax** | **cpuid.input_eax** - Value of EAX used | keyword, text.text | -| **install_date** | **os_version.install_date** - The install date of the OS. 
| keyword | -| | **patches.install_date** - Indicates when the patch was installed. Lack of a value does not indicate that the patch was not installed. | | -| | **programs.install_date** - Date that this product was installed on the system. | | -| | **shared_resources.install_date** - Indicates when the object was installed. Lack of a value does not indicate that the object is not installed. | | -| **install_location** | **programs.install_location** - The installation location directory of the product. | keyword, text.text | -| **install_source** | **programs.install_source** - The installation source of the product. | keyword, text.text | -| **install_time** | **appcompat_shims.install_time** - Install time of the SDB | keyword | -| | **chrome_extensions.install_time** - Extension install time, in its original Webkit format | | -| | **package_receipts.install_time** - Timestamp of install time | | -| | **rpm_packages.install_time** - When the package was installed | | -| **install_timestamp** | **chrome_extensions.install_timestamp** - Extension install time, converted to unix time | keyword, number.long | -| **installed_by** | **patches.installed_by** - The system context in which the patch as installed. | keyword, text.text | -| **installed_on** | **patches.installed_on** - The date when the patch was installed. | keyword, text.text | -| **installer_name** | **package_receipts.installer_name** - Name of installer process | keyword, text.text | -| **instance_id** | **ec2_instance_metadata.instance_id** - EC2 instance ID | keyword, text.text | -| | **ec2_instance_tags.instance_id** - EC2 instance ID | | -| | **osquery_info.instance_id** - Unique, long-lived ID per instance of osquery | | -| | **ycloud_instance_metadata.instance_id** - Unique identifier for the VM | | -| **instance_identifier** | **hvci_status.instance_identifier** - The instance ID of Device Guard. 
| keyword, text.text | -| **instance_type** | **ec2_instance_metadata.instance_type** - EC2 instance type | keyword, text.text | -| **instances** | **pipes.instances** - Number of instances of the named pipe | keyword, number.long | -| **interface** | **arp_cache.interface** - Interface of the network for the MAC | keyword, text.text | -| | **interface_addresses.interface** - Interface name | | -| | **interface_details.interface** - Interface name | | -| | **interface_ipv6.interface** - Interface name | | -| | **lldp_neighbors.interface** - Interface name | | -| | **routes.interface** - Route local interface | | -| | **wifi_status.interface** - Name of the interface | | -| | **wifi_survey.interface** - Name of the interface | | -| **interleave_data_depth** | **memory_device_mapped_addresses.interleave_data_depth** - The max number of consecutive rows from memory device that are accessed in a single interleave transfer; 0 indicates device is non-interleave | keyword, number.long | -| **interleave_position** | **memory_device_mapped_addresses.interleave_position** - The position of the device in a interleave, i.e. 0 indicates non-interleave, 1 indicates 1st interleave, 2 indicates 2nd interleave, etc. 
| keyword, number.long | -| **internal** | **osquery_registry.internal** - 1 If the plugin is internal else 0 | keyword, number.long | -| **internet_settings** | **windows_security_center.internet_settings** - The health of the Internet Settings | keyword, text.text | -| **internet_sharing** | **sharing_preferences.internet_sharing** - 1 If internet sharing is enabled else 0 | keyword, number.long | -| **interval** | **docker_container_stats.interval** - Difference between read and preread in nano-seconds | keyword, number.long | -| | **osquery_schedule.interval** - The interval in seconds to run this query, not an exact interval | | -| **iowait** | **cpu_time.iowait** - Time spent waiting for I/O to complete | keyword, number.long | -| **ip** | **seccomp_events.ip** - Instruction pointer value | keyword, text.text | -| **ip_address** | **docker_container_networks.ip_address** - IP address | keyword, text.text | -| **ip_prefix_len** | **docker_container_networks.ip_prefix_len** - IP subnet prefix length | keyword, number.long | -| **ipackets** | **interface_details.ipackets** - Input packets | keyword, number.long | -| **ipc_namespace** | **docker_containers.ipc_namespace** - IPC namespace | keyword, text.text | -| | **process_namespaces.ipc_namespace** - ipc namespace inode | | -| **ipv4_address** | **lxd_networks.ipv4_address** - IPv4 address | keyword, text.text | -| **ipv4_forwarding** | **docker_info.ipv4_forwarding** - 1 if IPv4 forwarding is enabled. 
0 otherwise | keyword, number.long | -| **ipv4_internet** | **connectivity.ipv4_internet** - True if any interface is connected to the Internet via IPv4 | keyword, number.long | -| **ipv4_local_network** | **connectivity.ipv4_local_network** - True if any interface is connected to a routed network via IPv4 | keyword, number.long | -| **ipv4_no_traffic** | **connectivity.ipv4_no_traffic** - True if any interface is connected via IPv4, but has seen no traffic | keyword, number.long | -| **ipv4_subnet** | **connectivity.ipv4_subnet** - True if any interface is connected to the local subnet via IPv4 | keyword, number.long | -| **ipv6_address** | **docker_container_networks.ipv6_address** - IPv6 address | keyword, text.text | -| | **lxd_networks.ipv6_address** - IPv6 address | | -| **ipv6_gateway** | **docker_container_networks.ipv6_gateway** - IPv6 gateway | keyword, text.text | -| **ipv6_internet** | **connectivity.ipv6_internet** - True if any interface is connected to the Internet via IPv6 | keyword, number.long | -| **ipv6_local_network** | **connectivity.ipv6_local_network** - True if any interface is connected to a routed network via IPv6 | keyword, number.long | -| **ipv6_no_traffic** | **connectivity.ipv6_no_traffic** - True if any interface is connected via IPv6, but has seen no traffic | keyword, number.long | -| **ipv6_prefix_len** | **docker_container_networks.ipv6_prefix_len** - IPv6 subnet prefix length | keyword, number.long | -| **ipv6_subnet** | **connectivity.ipv6_subnet** - True if any interface is connected to the local subnet via IPv6 | keyword, number.long | -| **irq** | **cpu_time.irq** - Time spent servicing interrupts | keyword, number.long | -| **is_active** | **running_apps.is_active** - 1 if the application is in focus, 0 otherwise | keyword, number.long | -| **is_hidden** | **groups.is_hidden** - IsHidden attribute set in OpenDirectory | keyword, number.long | -| | **users.is_hidden** - IsHidden attribute set in OpenDirectory | | -| 
**iso_8601** | **time.iso_8601** - Current time (ISO format) in UTC | keyword, text.text | -| **issuer** | **certificates.issuer** - Certificate issuer distinguished name | keyword, text.text | -| **issuer_alternative_names** | **curl_certificate.issuer_alternative_names** - Issuer Alternative Name | keyword, text.text | -| **issuer_common_name** | **curl_certificate.issuer_common_name** - Issuer common name | keyword, text.text | -| **issuer_name** | **authenticode.issuer_name** - The certificate issuer name | keyword, text.text | -| **issuer_organization** | **curl_certificate.issuer_organization** - Issuer organization | keyword, text.text | -| **issuer_organization_unit** | **curl_certificate.issuer_organization_unit** - Issuer organization unit | keyword, text.text | -| **job_id** | **systemd_units.job_id** - Next queued job id | keyword, number.long | -| **job_path** | **systemd_units.job_path** - The object path for the job | keyword, text.text | -| **job_type** | **systemd_units.job_type** - Job type | keyword, text.text | -| **json_cmdline** | **bpf_process_events.json_cmdline** - Command line arguments, in JSON format | keyword, text.text | -| **keep_alive** | **launchd.keep_alive** - Should the process be restarted if killed | keyword, text.text | -| **kernel_memory** | **docker_info.kernel_memory** - 1 if kernel memory limit support is enabled. 
0 otherwise | keyword, number.long | -| **kernel_version** | **docker_info.kernel_version** - Kernel version | keyword, text.text | -| | **docker_version.kernel_version** - Kernel version | | -| | **kernel_panics.kernel_version** - Version of the system kernel | | -| **key** | **authorized_keys.key** - parsed authorized keys line | keyword, text.text | -| | **azure_instance_tags.key** - The tag key | | -| | **chrome_extensions.key** - The extension key, from the manifest file | | -| | **docker_container_envs.key** - Environment variable name | | -| | **docker_container_labels.key** - Label key | | -| | **docker_image_labels.key** - Label key | | -| | **docker_network_labels.key** - Label key | | -| | **docker_volume_labels.key** - Label key | | -| | **ec2_instance_tags.key** - Tag key | | -| | **extended_attributes.key** - Name of the value generated from the extended attribute | | -| | **known_hosts.key** - parsed authorized keys line | | -| | **launchd_overrides.key** - Name of the override key | | -| | **lxd_instance_config.key** - Configuration parameter name | | -| | **lxd_instance_devices.key** - Device info param name | | -| | **mdls.key** - Name of the metadata key | | -| | **plist.key** - Preference top-level key | | -| | **power_sensors.key** - The SMC key on OS X | | -| | **preferences.key** - Preference top-level key | | -| | **process_envs.key** - Environment variable name | | -| | **registry.key** - Name of the key to search for | | -| | **selinux_settings.key** - Key or class name. 
| | -| | **smc_keys.key** - 4-character key | | -| | **temperature_sensors.key** - The SMC key on OS X | | -| **key_algorithm** | **certificates.key_algorithm** - Key algorithm used | keyword, text.text | -| **key_file** | **authorized_keys.key_file** - Path to the authorized_keys file | keyword, text.text | -| | **known_hosts.key_file** - Path to known_hosts file | | -| **key_strength** | **certificates.key_strength** - Key size used for RSA/DSA, or curve name | keyword, text.text | -| **key_type** | **user_ssh_keys.key_type** - The type of the private key. One of [rsa, dsa, dh, ec, hmac, cmac], or the empty string. | keyword, text.text | -| **key_usage** | **certificates.key_usage** - Certificate key usage and extended key usage | keyword, text.text | -| | **curl_certificate.key_usage** - Usage of key in certificate | | -| **keychain_path** | **keychain_acls.keychain_path** - The path of the keychain | keyword, text.text | -| **keyword** | **portage_keywords.keyword** - The keyword applied to the package | keyword, text.text | -| **keywords** | **windows_eventlog.keywords** - A bitmask of the keywords defined in the event | keyword, text.text | -| | **windows_events.keywords** - A bitmask of the keywords defined in the event | | -| **kva_shadow_enabled** | **kva_speculative_info.kva_shadow_enabled** - Kernel Virtual Address shadowing is enabled. | keyword, number.long | -| **kva_shadow_inv_pcid** | **kva_speculative_info.kva_shadow_inv_pcid** - Kernel VA INVPCID is enabled. | keyword, number.long | -| **kva_shadow_pcid** | **kva_speculative_info.kva_shadow_pcid** - Kernel VA PCID flushing optimization is enabled. | keyword, number.long | -| **kva_shadow_user_global** | **kva_speculative_info.kva_shadow_user_global** - User pages are marked as global. 
| keyword, number.long | -| **label** | **apparmor_events.label** - AppArmor label | keyword, text.text | -| | **augeas.label** - The label of the configuration item | | -| | **authorization_mechanisms.label** - Label of the authorization right | | -| | **authorizations.label** - Item name, usually in reverse domain format | | -| | **block_devices.label** - Block device label string | | -| | **device_partitions.label** - | | -| | **keychain_acls.label** - An optional label tag that may be included with the keychain entry | | -| | **keychain_items.label** - Generic item name | | -| | **launchd.label** - Daemon or agent service name | | -| | **launchd_overrides.label** - Daemon or agent service name | | -| | **quicklook_cache.label** - Parsed version 'gen' field | | -| | **sandboxes.label** - UTI-format bundle or label ID | | -| **language** | **programs.language** - The language of the product. | keyword, text.text | -| **last_change** | **interface_details.last_change** - Time of last device modification (optional) | keyword, number.long | -| | **shadow.last_change** - Date of last password change (starting from UNIX epoch date) | | -| **last_connected** | **wifi_networks.last_connected** - Last time this netword was connected to as a unix_time | keyword, number.long | -| **last_executed** | **osquery_schedule.last_executed** - UNIX time stamp in seconds of the last completed execution | keyword, number.long | -| **last_execution_time** | **background_activities_moderator.last_execution_time** - Most recent time application was executed. | keyword, number.long | -| | **userassist.last_execution_time** - Most recent time application was executed. 
| | -| **last_hit_date** | **quicklook_cache.last_hit_date** - Apple date format for last thumbnail cache hit | keyword, number.long | -| **last_loaded** | **kernel_panics.last_loaded** - Last loaded module before panic | keyword, text.text | -| **last_memory** | **osquery_schedule.last_memory** - Resident memory in bytes left allocated after collecting results of the latest execution | keyword, number.long | -| **last_opened_time** | **apps.last_opened_time** - The time that the app was last used | keyword | -| | **office_mru.last_opened_time** - Most recent opened time file was opened | | -| **last_run_code** | **scheduled_tasks.last_run_code** - Exit status code of the last task run | keyword, text.text | -| **last_run_message** | **scheduled_tasks.last_run_message** - Exit status message of the last task run | keyword, text.text | -| **last_run_time** | **prefetch.last_run_time** - Most recent time application was run. | keyword, number.long | -| | **scheduled_tasks.last_run_time** - Timestamp the task last ran | | -| **last_system_time** | **osquery_schedule.last_system_time** - System time in milliseconds of the latest execution | keyword, number.long | -| **last_unloaded** | **kernel_panics.last_unloaded** - Last unloaded module before panic | keyword, text.text | -| **last_used_at** | **lxd_images.last_used_at** - ISO time for the most recent use of this image in terms of container spawn | keyword, text.text | -| **last_user_time** | **osquery_schedule.last_user_time** - User time in milliseconds of the latest execution | keyword, number.long | -| **last_wall_time_ms** | **osquery_schedule.last_wall_time_ms** - Wall time in milliseconds of the latest execution | keyword, number.long | -| **launch_type** | **xprotect_entries.launch_type** - Launch services content type | keyword, text.text | -| **layer_id** | **docker_image_layers.layer_id** - Layer ID | keyword, text.text | -| **layer_order** | **docker_image_layers.layer_order** - Layer Order (1 = base 
layer) | keyword, number.long | -| **level** | **asl.level** - Log level number. See levels in asl.h. | keyword, number.long | -| | **windows_eventlog.level** - Severity level associated with the event | | -| | **windows_events.level** - The severity level associated with the event | | -| **license** | **atom_packages.license** - License for package | keyword, text.text | -| | **chocolatey_packages.license** - License under which package is launched | | -| | **npm_packages.license** - License for package | | -| | **python_packages.license** - License under which package is launched | | -| **link** | **elf_sections.link** - Link to other section | keyword, text.text | -| **link_speed** | **interface_details.link_speed** - Interface speed in Mb/s | keyword, number.long | -| **linked_against** | **kernel_extensions.linked_against** - Indexes of extensions this extension is linked against | keyword, text.text | -| **load_state** | **systemd_units.load_state** - Reflects whether the unit definition was properly loaded | keyword, text.text | -| **local_address** | **bpf_socket_events.local_address** - Local address associated with socket | keyword, text.text | -| | **process_open_sockets.local_address** - Socket local address | | -| | **socket_events.local_address** - Local address associated with socket | | -| **local_addresses** | **windows_firewall_rules.local_addresses** - Local addresses for the rule | keyword, text.text | -| **local_hostname** | **ec2_instance_metadata.local_hostname** - Private IPv4 DNS hostname of the first interface of this instance | keyword, text.text | -| | **system_info.local_hostname** - Local hostname (optional) | | -| **local_ipv4** | **ec2_instance_metadata.local_ipv4** - Private IPv4 address of the first interface of this instance | keyword, text.text | -| **local_path** | **shortcut_files.local_path** - Local system path to target file. 
| keyword, text.text | -| **local_port** | **bpf_socket_events.local_port** - Local network protocol port number | keyword, number.long | -| | **process_open_sockets.local_port** - Socket local port | | -| | **socket_events.local_port** - Local network protocol port number | | -| **local_ports** | **windows_firewall_rules.local_ports** - Local ports for the rule | keyword, text.text | -| **local_timezone** | **time.local_timezone** - Current local timezone in of the system | keyword, text.text | -| **location** | **azure_instance_metadata.location** - Azure Region the VM is running in | keyword, text.text | -| | **firefox_addons.location** - Global, profile location | | -| | **memory_arrays.location** - Physical location of the memory array | | -| | **package_receipts.location** - Optional relative install path on volume | | -| **lock** | **chassis_info.lock** - If TRUE, the frame is equipped with a lock. | keyword, text.text | -| **lock_status** | **bitlocker_info.lock_status** - The accessibility status of the drive from Windows. | keyword, number.long | -| **locked** | **shared_memory.locked** - 1 if segment is locked else 0 | keyword, number.long | -| **log_file_disk_quota_mb** | **carbon_black_info.log_file_disk_quota_mb** - Event file disk quota in MB | keyword, number.long | -| **log_file_disk_quota_percentage** | **carbon_black_info.log_file_disk_quota_percentage** - Event file disk quota in a percentage | keyword, number.long | -| **logging_driver** | **docker_info.logging_driver** - Logging driver | keyword, text.text | -| **logging_enabled** | **alf.logging_enabled** - 1 If logging mode is enabled else 0 | keyword, number.long | -| **logging_option** | **alf.logging_option** - Firewall logging option | keyword, number.long | -| **logical_processors** | **cpu_info.logical_processors** - The number of logical processors of the CPU. 
| keyword, number.long | -| **logon_domain** | **logon_sessions.logon_domain** - The name of the domain used to authenticate the owner of the logon session. | keyword, text.text | -| **logon_id** | **logon_sessions.logon_id** - A locally unique identifier (LUID) that identifies a logon session. | keyword, number.long | -| **logon_script** | **logon_sessions.logon_script** - The script used for logging on. | keyword, text.text | -| **logon_server** | **logon_sessions.logon_server** - The name of the server used to authenticate the owner of the logon session. | keyword, text.text | -| **logon_sid** | **logon_sessions.logon_sid** - The user's security identifier (SID). | keyword, text.text | -| **logon_time** | **logon_sessions.logon_time** - The time the session owner logged on. | keyword, number.long | -| **logon_type** | **logon_sessions.logon_type** - The logon method. | keyword, text.text | -| **lu_wwn_device_id** | **smart_drive_info.lu_wwn_device_id** - Device Identifier | keyword, text.text | -| **mac** | **arp_cache.mac** - MAC address of broadcasted address | keyword, text.text | -| | **ec2_instance_metadata.mac** - MAC address for the first network interface of this EC2 instance | | -| | **interface_details.mac** - MAC of interface (optional) | | -| **mac_address** | **docker_container_networks.mac_address** - MAC address | keyword, text.text | -| **machine** | **elf_info.machine** - Machine type | keyword, number.long | -| **machine_name** | **windows_crashes.machine_name** - Name of the machine where the crash happened | keyword, text.text | -| **magic_db_files** | **magic.magic_db_files** - Colon(:) separated list of files where the magic db file can be found. 
By default one of the following is used: /usr/share/file/magic/magic, /usr/share/misc/magic or /usr/share/misc/magic.mgc | keyword, text.text | -| **maintainer** | **apt_sources.maintainer** - Repository maintainer | keyword, text.text | -| | **deb_packages.maintainer** - Package maintainer | | -| **major** | **os_version.major** - Major release version | keyword, number.long | -| **major_version** | **windows_crashes.major_version** - Windows major version of the machine | keyword, number.long | -| **managed** | **lxd_networks.managed** - 1 if network created by LXD, 0 otherwise | keyword, number.long | -| **manifest_hash** | **chrome_extensions.manifest_hash** - The SHA256 hash of the manifest.json file | keyword, text.text | -| **manifest_json** | **chrome_extensions.manifest_json** - The manifest file of the extension | keyword, text.text | -| **manual** | **managed_policies.manual** - 1 if policy was loaded manually, otherwise 0 | keyword, number.long | -| **manufacture_date** | **battery.manufacture_date** - The date the battery was manufactured UNIX Epoch | keyword, number.long | -| **manufacturer** | **battery.manufacturer** - The battery manufacturer's name | keyword, text.text | -| | **chassis_info.manufacturer** - The manufacturer of the chassis. | | -| | **cpu_info.manufacturer** - The manufacturer of the CPU. | | -| | **disk_info.manufacturer** - The manufacturer of the disk. | | -| | **drivers.manufacturer** - Device manufacturer | | -| | **interface_details.manufacturer** - Name of the network adapter's manufacturer. | | -| | **memory_devices.manufacturer** - Manufacturer ID string | | -| | **video_info.manufacturer** - The manufacturer of the gpu. 
| | -| **manufacturer_id** | **tpm_info.manufacturer_id** - TPM manufacturers ID | keyword, number.long | -| **manufacturer_name** | **tpm_info.manufacturer_name** - TPM manufacturers name | keyword, text.text | -| **manufacturer_version** | **tpm_info.manufacturer_version** - TPM version | keyword, text.text | -| **mask** | **interface_addresses.mask** - Interface netmask | keyword, text.text | -| | **portage_keywords.mask** - If the package is masked | | -| **match** | **chrome_extension_content_scripts.match** - The pattern that the script is matched against | keyword, text.text | -| | **iptables.match** - Matching rule that applies. | | -| **matches** | **yara.matches** - List of YARA matches | keyword, text.text | -| | **yara_events.matches** - List of YARA matches | | -| **max** | **fan_speed_sensors.max** - Maximum speed | keyword, number.long | -| | **shadow.max** - Maximum number of days between password changes | | -| **max_capacity** | **battery.max_capacity** - The battery's actual capacity when it is fully charged in mAh | keyword, number.long | -| | **memory_arrays.max_capacity** - Maximum capacity of array in gigabytes | | -| **max_clock_speed** | **cpu_info.max_clock_speed** - The maximum possible frequency of the CPU. | keyword, number.long | -| **max_instances** | **pipes.max_instances** - The maximum number of instances creatable for this pipe | keyword, number.long | -| **max_speed** | **memory_devices.max_speed** - Max speed of memory device in megatransfers per second (MT/s) | keyword, number.long | -| **max_voltage** | **memory_devices.max_voltage** - Maximum operating voltage of device in millivolts | keyword, number.long | -| **maximum_allowed** | **shared_resources.maximum_allowed** - Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE. 
| keyword, number.long | -| **md5** | **acpi_tables.md5** - MD5 hash of table content | keyword, text.text | -| | **device_hash.md5** - MD5 hash of provided inode data | | -| | **file_events.md5** - The MD5 of the file after change | | -| | **hash.md5** - MD5 hash of provided filesystem data | | -| | **smbios_tables.md5** - MD5 hash of table entry | | -| **md_device_name** | **md_drives.md_device_name** - md device name | keyword, text.text | -| **mdm_managed** | **system_extensions.mdm_managed** - 1 if managed by MDM system extension payload configuration, 0 otherwise | keyword, number.long | -| **mechanism** | **authorization_mechanisms.mechanism** - Name of the mechanism that will be called | keyword, text.text | -| **med_capability_capabilities** | **lldp_neighbors.med_capability_capabilities** - Is MED capabilities enabled | keyword, number.long | -| **med_capability_inventory** | **lldp_neighbors.med_capability_inventory** - Is MED inventory capability enabled | keyword, number.long | -| **med_capability_location** | **lldp_neighbors.med_capability_location** - Is MED location capability enabled | keyword, number.long | -| **med_capability_mdi_pd** | **lldp_neighbors.med_capability_mdi_pd** - Is MED MDI PD capability enabled | keyword, number.long | -| **med_capability_mdi_pse** | **lldp_neighbors.med_capability_mdi_pse** - Is MED MDI PSE capability enabled | keyword, number.long | -| **med_capability_policy** | **lldp_neighbors.med_capability_policy** - Is MED policy capability enabled | keyword, number.long | -| **med_device_type** | **lldp_neighbors.med_device_type** - Chassis MED type | keyword, text.text | -| **med_policies** | **lldp_neighbors.med_policies** - Comma delimited list of MED policies | keyword, text.text | -| **media_name** | **disk_events.media_name** - Disk event media name string | keyword, text.text | -| **mem** | **docker_container_processes.mem** - Memory utilization as percentage | keyword, number.double | -| 
**member_config_description** | **lxd_cluster.member_config_description** - Config description | keyword, text.text | -| **member_config_entity** | **lxd_cluster.member_config_entity** - Type of configuration parameter for this node | keyword, text.text | -| **member_config_key** | **lxd_cluster.member_config_key** - Config key | keyword, text.text | -| **member_config_name** | **lxd_cluster.member_config_name** - Name of configuration parameter | keyword, text.text | -| **member_config_value** | **lxd_cluster.member_config_value** - Config value | keyword, text.text | -| **memory** | **docker_info.memory** - Total memory | keyword, number.long | -| **memory_array_error_address** | **memory_error_info.memory_array_error_address** - 32 bit physical address of the error based on the addressing of the bus to which the memory array is connected | keyword, text.text | -| **memory_array_handle** | **memory_array_mapped_addresses.memory_array_handle** - Handle of the memory array associated with this structure | keyword, text.text | -| **memory_array_mapped_address_handle** | **memory_device_mapped_addresses.memory_array_mapped_address_handle** - Handle of the memory array mapped address to which this device range is mapped to | keyword, text.text | -| **memory_device_handle** | **memory_device_mapped_addresses.memory_device_handle** - Handle of the memory device structure associated with this structure | keyword, text.text | -| **memory_error_correction** | **memory_arrays.memory_error_correction** - Primary hardware error correction or detection method supported | keyword, text.text | -| **memory_error_info_handle** | **memory_arrays.memory_error_info_handle** - Handle, or instance number, associated with any error that was detected for the array | keyword, text.text | -| **memory_free** | **memory_info.memory_free** - The amount of physical RAM, in bytes, left unused by the system | keyword, number.long | -| **memory_limit** | **docker_container_stats.memory_limit** - 
Memory limit | keyword, number.long | -| | **docker_info.memory_limit** - 1 if memory limit support is enabled. 0 otherwise | | -| **memory_max_usage** | **docker_container_stats.memory_max_usage** - Memory maximum usage | keyword, number.long | -| **memory_total** | **memory_info.memory_total** - Total amount of physical RAM, in bytes | keyword, number.long | -| **memory_type** | **memory_devices.memory_type** - Type of memory used | keyword, text.text | -| **memory_type_details** | **memory_devices.memory_type_details** - Additional details for memory device | keyword, text.text | -| **memory_usage** | **docker_container_stats.memory_usage** - Memory usage | keyword, number.long | -| **message** | **apparmor_events.message** - Raw audit message | keyword, text.text | -| | **asl.message** - Message text. | | -| | **lxd_cluster_members.message** - Message from the node (Online/Offline) | | -| | **selinux_events.message** - Message | | -| | **syslog_events.message** - The syslog message | | -| | **user_events.message** - Message from the event | | -| **metadata_endpoint** | **ycloud_instance_metadata.metadata_endpoint** - Endpoint used to fetch VM metadata | keyword, text.text | -| **method** | **curl.method** - The HTTP method for the request | keyword, text.text | -| **metric** | **interface_details.metric** - Metric based on the speed of the interface | keyword, number.long | -| | **routes.metric** - Cost of route. Lowest is preferred | | -| **metric_name** | **prometheus_metrics.metric_name** - Name of collected Prometheus metric | keyword, text.text | -| **metric_value** | **prometheus_metrics.metric_value** - Value of collected Prometheus metric | keyword, number.double | -| **mft_entry** | **shellbags.mft_entry** - Directory master file table entry. | keyword, number.long | -| | **shortcut_files.mft_entry** - Target mft entry. | | -| **mft_sequence** | **shellbags.mft_sequence** - Directory master file table sequence. 
| keyword, number.long | -| | **shortcut_files.mft_sequence** - Target mft sequence. | | -| **mime_encoding** | **magic.mime_encoding** - MIME encoding data from libmagic | keyword, text.text | -| **mime_type** | **magic.mime_type** - MIME type data from libmagic | keyword, text.text | -| **min** | **fan_speed_sensors.min** - Minimum speed | keyword, number.long | -| | **shadow.min** - Minimal number of days between password changes | | -| **min_api_version** | **docker_version.min_api_version** - Minimum API version supported | keyword, text.text | -| **min_version** | **xprotect_meta.min_version** - The minimum allowed plugin version. | keyword, text.text | -| **min_voltage** | **memory_devices.min_voltage** - Minimum operating voltage of device in millivolts | keyword, number.long | -| **minimum_system_version** | **apps.minimum_system_version** - Minimum version of OS X required for the app to run | keyword, text.text | -| **minor** | **os_version.minor** - Minor release version | keyword, number.long | -| **minor_version** | **windows_crashes.minor_version** - Windows minor version of the machine | keyword, number.long | -| **minute** | **crontab.minute** - The exact minute for the job | keyword, text.text | -| **minutes** | **time.minutes** - Current minutes in UTC | keyword, number.long | -| | **uptime.minutes** - Minutes of uptime | | -| **minutes_to_full_charge** | **battery.minutes_to_full_charge** - The number of minutes until the battery is fully charged. This value is -1 if this time is still being calculated | keyword, number.long | -| **minutes_until_empty** | **battery.minutes_until_empty** - The number of minutes until the battery is fully depleted. 
This value is -1 if this time is still being calculated | keyword, number.long | -| **mirrorlist** | **yum_sources.mirrorlist** - Mirrorlist URL | keyword, text.text | -| **mnt_namespace** | **docker_containers.mnt_namespace** - Mount namespace | keyword, text.text | -| | **process_namespaces.mnt_namespace** - mnt namespace inode | | -| **mode** | **apparmor_profiles.mode** - How the policy is applied. | keyword, text.text | -| | **device_file.mode** - Permission bits | | -| | **docker_container_mounts.mode** - Mount options (rw, ro) | | -| | **file.mode** - Permission bits | | -| | **file_events.mode** - Permission bits | | -| | **package_bom.mode** - Expected permissions | | -| | **process_events.mode** - File mode permissions | | -| | **process_open_pipes.mode** - Pipe open mode (r/w) | | -| | **rpm_package_files.mode** - File permissions mode from info DB | | -| | **wifi_status.mode** - The current operating mode for the Wi-Fi interface | | -| **model** | **battery.model** - The battery's model number | keyword, text.text | -| | **block_devices.model** - Block device model string identifier | | -| | **chassis_info.model** - The model of the chassis. | | -| | **cpu_info.model** - The model of the CPU. | | -| | **hardware_events.model** - Hardware device model | | -| | **pci_devices.model** - PCI Device model | | -| | **usb_devices.model** - USB Device model string | | -| | **video_info.model** - The model of the gpu. 
| | -| **model_family** | **smart_drive_info.model_family** - Drive model family | keyword, text.text | -| **model_id** | **hardware_events.model_id** - Hex encoded Hardware model identifier | keyword, text.text | -| | **pci_devices.model_id** - Hex encoded PCI Device model identifier | | -| | **usb_devices.model_id** - Hex encoded USB Device model identifier | | -| **modified** | **authorizations.modified** - Label top-level key | keyword, text.text | -| | **keychain_items.modified** - Date of last modification | | -| **modified_time** | **package_bom.modified_time** - Timestamp the file was installed | keyword, number.long | -| | **shellbags.modified_time** - Directory Modified time. | | -| | **shimcache.modified_time** - File Modified time. | | -| **module** | **windows_crashes.module** - Path of the crashed module within the process | keyword, text.text | -| **module_backtrace** | **kernel_panics.module_backtrace** - Modules appearing in the crashed module's backtrace | keyword, text.text | -| **module_path** | **services.module_path** - Path to ServiceDll | keyword, text.text | -| **month** | **crontab.month** - The month of the year for the job | keyword, text.text | -| | **time.month** - Current month in UTC | | -| **mount_namespace_id** | **deb_packages.mount_namespace_id** - Mount namespace id | keyword, text.text | -| | **file.mount_namespace_id** - Mount namespace id | | -| | **hash.mount_namespace_id** - Mount namespace id | | -| | **npm_packages.mount_namespace_id** - Mount namespace id | | -| | **os_version.mount_namespace_id** - Mount namespace id | | -| | **rpm_packages.mount_namespace_id** - Mount namespace id | | -| **mount_point** | **docker_volumes.mount_point** - Mount point | keyword, text.text | -| **mountable** | **disk_events.mountable** - 1 if mountable, 0 if not | keyword, number.long | -| **msize** | **elf_segments.msize** - Segment offset in memory | keyword, number.long | -| **mtime** | **device_file.mtime** - Last modification time | 
keyword | -| | **file.mtime** - Last modification time | | -| | **file_events.mtime** - Last modification time | | -| | **gatekeeper_approved_apps.mtime** - Last modification time | | -| | **process_events.mtime** - File modification in UNIX time | | -| | **quicklook_cache.mtime** - Parsed version date field | | -| | **registry.mtime** - timestamp of the most recent registry write | | -| **mtu** | **interface_details.mtu** - Network MTU | keyword, number.long | -| | **lxd_networks.mtu** - MTU size | | -| | **routes.mtu** - Maximum Transmission Unit for the route | | -| **name** | **acpi_tables.name** - ACPI table name | keyword, text.text | -| | **ad_config.name** - The OS X-specific configuration name | | -| | **apparmor_events.name** - Process name | | -| | **apparmor_profiles.name** - Policy name. | | -| | **apps.name** - Name of the Name.app folder | | -| | **apt_sources.name** - Repository name | | -| | **atom_packages.name** - Package display name | | -| | **autoexec.name** - Name of the program | | -| | **azure_instance_metadata.name** - Name of the VM | | -| | **block_devices.name** - Block device name | | -| | **browser_plugins.name** - Plugin display name | | -| | **chocolatey_packages.name** - Package display name | | -| | **chrome_extensions.name** - Extension display name | | -| | **cups_destinations.name** - Name of the printer | | -| | **deb_packages.name** - Package name | | -| | **disk_encryption.name** - Disk name | | -| | **disk_events.name** - Disk event name | | -| | **disk_info.name** - The label of the disk object. 
| | -| | **dns_cache.name** - DNS record name | | -| | **docker_container_mounts.name** - Optional mount name | | -| | **docker_container_networks.name** - Network name | | -| | **docker_container_processes.name** - The process path or shorthand argv[0] | | -| | **docker_container_stats.name** - Container name | | -| | **docker_containers.name** - Container name | | -| | **docker_info.name** - Name of the docker host | | -| | **docker_networks.name** - Network name | | -| | **docker_volume_labels.name** - Volume name | | -| | **docker_volumes.name** - Volume name | | -| | **elf_sections.name** - Section name | | -| | **elf_segments.name** - Segment type/name | | -| | **elf_symbols.name** - Symbol name | | -| | **etc_protocols.name** - Protocol name | | -| | **etc_services.name** - Service name | | -| | **example.name** - Description for name column | | -| | **fan_speed_sensors.name** - Fan name | | -| | **fbsd_kmods.name** - Module name | | -| | **firefox_addons.name** - Addon display name | | -| | **homebrew_packages.name** - Package name | | -| | **ie_extensions.name** - Extension display name | | -| | **iokit_devicetree.name** - Device node name | | -| | **iokit_registry.name** - Default name of the node | | -| | **kernel_extensions.name** - Extension label | | -| | **kernel_modules.name** - Module name | | -| | **kernel_panics.name** - Process name corresponding to crashed thread | | -| | **launchd.name** - File name of plist (used by launchd) | | -| | **lxd_certificates.name** - Name of the certificate | | -| | **lxd_instance_config.name** - Instance name | | -| | **lxd_instance_devices.name** - Instance name | | -| | **lxd_instances.name** - Instance name | | -| | **lxd_networks.name** - Name of the network | | -| | **lxd_storage_pools.name** - Name of the storage pool | | -| | **managed_policies.name** - Policy key name | | -| | **md_personalities.name** - Name of personality supported by kernel | | -| | **memory_map.name** - Region name | | -| | 
**npm_packages.name** - Package display name | | -| | **ntdomains.name** - The label by which the object is known. | | -| | **nvram.name** - Variable name | | -| | **os_version.name** - Distribution or product name | | -| | **osquery_events.name** - Event publisher or subscriber name | | -| | **osquery_extensions.name** - Extension's name | | -| | **osquery_flags.name** - Flag name | | -| | **osquery_packs.name** - The given name for this query pack | | -| | **osquery_registry.name** - Name of the plugin item | | -| | **osquery_schedule.name** - The given name for this query | | -| | **package_install_history.name** - Package display name | | -| | **physical_disk_performance.name** - Name of the physical disk | | -| | **pipes.name** - Name of the pipe | | -| | **pkg_packages.name** - Package name | | -| | **power_sensors.name** - Name of power source | | -| | **processes.name** - The process path or shorthand argv[0] | | -| | **programs.name** - Commonly used product name. | | -| | **python_packages.name** - Package display name | | -| | **registry.name** - Name of the registry value entry | | -| | **rpm_packages.name** - RPM package name | | -| | **safari_extensions.name** - Extension display name | | -| | **scheduled_tasks.name** - Name of the scheduled task | | -| | **services.name** - Service name | | -| | **shared_folders.name** - The shared name of the folder as it appears to other users | | -| | **shared_resources.name** - Alias given to a path set up as a share on a computer system running Windows. 
| | -| | **startup_items.name** - Name of startup item | | -| | **system_controls.name** - Full sysctl MIB name | | -| | **temperature_sensors.name** - Name of temperature source | | -| | **windows_firewall_rules.name** - Friendly name of the rule | | -| | **windows_optional_features.name** - Name of the feature | | -| | **windows_security_products.name** - Name of product | | -| | **wmi_bios_info.name** - Name of the Bios setting | | -| | **wmi_cli_event_consumers.name** - Unique name of a consumer. | | -| | **wmi_event_filters.name** - Unique identifier of an event filter. | | -| | **wmi_script_event_consumers.name** - Unique identifier for the event consumer. | | -| | **xprotect_entries.name** - Description of XProtected malware | | -| | **xprotect_reports.name** - Description of XProtected malware | | -| | **ycloud_instance_metadata.name** - Name of the VM | | -| | **yum_sources.name** - Repository name | | -| **name_constraints** | **curl_certificate.name_constraints** - Name Constraints | keyword, text.text | -| **namespace** | **apparmor_events.namespace** - AppArmor namespace | keyword, text.text | -| **native** | **browser_plugins.native** - Plugin requires native execution | keyword, number.long | -| | **firefox_addons.native** - 1 If the addon includes binary components else 0 | | -| **net_namespace** | **docker_containers.net_namespace** - Network namespace | keyword, text.text | -| | **listening_ports.net_namespace** - The inode number of the network namespace | | -| | **process_namespaces.net_namespace** - net namespace inode | | -| | **process_open_sockets.net_namespace** - The inode number of the network namespace | | -| **netmask** | **dns_resolvers.netmask** - Address (sortlist) netmask length | keyword, text.text | -| | **routes.netmask** - Netmask length | | -| **network_id** | **docker_container_networks.network_id** - Network ID | keyword, text.text | -| **network_name** | **wifi_networks.network_name** - Name of the network | keyword, 
text.text | -| | **wifi_status.network_name** - Name of the network | | -| | **wifi_survey.network_name** - Name of the network | | -| **network_rx_bytes** | **docker_container_stats.network_rx_bytes** - Total network bytes read | keyword, number.long | -| **network_tx_bytes** | **docker_container_stats.network_tx_bytes** - Total network bytes transmitted | keyword, number.long | -| **next_run_time** | **scheduled_tasks.next_run_time** - Timestamp the task is scheduled to run next | keyword, number.long | -| **nice** | **cpu_time.nice** - Time spent in user mode with low priority (nice) | keyword, number.long | -| | **docker_container_processes.nice** - Process nice level (-20 to 20, default 0) | | -| | **processes.nice** - Process nice level (-20 to 20, default 0) | | -| **no_proxy** | **docker_info.no_proxy** - Comma-separated list of domain extensions proxy should not be used for | keyword, text.text | -| **node** | **augeas.node** - The node path of the configuration item | keyword, text.text | -| **node_ref_number** | **ntfs_journal_events.node_ref_number** - The ordinal that associates a journal record with a filename | keyword, text.text | -| **noise** | **wifi_status.noise** - The current noise measurement (dBm) | keyword, number.long | -| | **wifi_survey.noise** - The current noise measurement (dBm) | | -| **not_valid_after** | **certificates.not_valid_after** - Certificate expiration data | keyword, text.text | -| **not_valid_before** | **certificates.not_valid_before** - Lower bound of valid date | keyword, text.text | -| **nr_raid_disks** | **md_devices.nr_raid_disks** - Number of partitions or disk devices to comprise the array | keyword, number.long | -| **ntime** | **bpf_process_events.ntime** - The nsecs uptime timestamp as obtained from BPF | keyword, text.text | -| | **bpf_socket_events.ntime** - The nsecs uptime timestamp as obtained from BPF | | -| **num_procs** | **docker_container_stats.num_procs** - Number of processors | keyword, number.long 
| -| **number** | **etc_protocols.number** - Protocol number | keyword, number.long | -| | **oem_strings.number** - The string index of the structure | | -| | **smbios_tables.number** - Table entry number | | -| **number_memory_devices** | **memory_arrays.number_memory_devices** - Number of memory devices on array | keyword, number.long | -| **number_of_cores** | **cpu_info.number_of_cores** - The number of cores of the CPU. | keyword, text.text | -| **object_name** | **winbaseobj.object_name** - Object Name | keyword, text.text | -| **object_path** | **systemd_units.object_path** - The object path for this unit | keyword, text.text | -| **object_type** | **winbaseobj.object_type** - Object Type | keyword, text.text | -| **obytes** | **interface_details.obytes** - Output bytes | keyword, number.long | -| **odrops** | **interface_details.odrops** - Output drops | keyword, number.long | -| **oerrors** | **interface_details.oerrors** - Output errors | keyword, number.long | -| **offer** | **azure_instance_metadata.offer** - Offer information for the VM image (Azure image gallery VMs only) | keyword, text.text | -| **offset** | **device_partitions.offset** - | keyword, number.long | -| | **elf_sections.offset** - Offset of section in file | | -| | **elf_segments.offset** - Segment offset in file | | -| | **elf_symbols.offset** - Section table index | | -| | **process_memory_map.offset** - Offset into mapped path | | -| **oid** | **system_controls.oid** - Control MIB | keyword, text.text | -| **old_path** | **ntfs_journal_events.old_path** - Old path (renames only) | keyword, text.text | -| **on_demand** | **launchd.on_demand** - Deprecated key, replaced by keep_alive | keyword, text.text | -| **on_disk** | **processes.on_disk** - The process path exists yes=1, no=0, unknown=-1 | keyword, number.long | -| **online_cpus** | **docker_container_stats.online_cpus** - Online CPUs | keyword, number.long | -| **oom_kill_disable** | **docker_info.oom_kill_disable** - 1 if 
Out-of-memory kill is disabled. 0 otherwise | keyword, number.long | -| **opackets** | **interface_details.opackets** - Output packets | keyword, number.long | -| **opaque_version** | **gatekeeper.opaque_version** - Version of Gatekeeper's gkopaque.bundle | keyword, text.text | -| **operation** | **apparmor_events.operation** - Permission requested by the process | keyword, text.text | -| | **process_file_events.operation** - Operation type | | -| **option** | **ad_config.option** - Canonical name of option | keyword, text.text | -| | **ssh_configs.option** - The option and value | | -| **option_name** | **cups_destinations.option_name** - Option name | keyword, text.text | -| **option_value** | **cups_destinations.option_value** - Option value | keyword, text.text | -| **optional** | **xprotect_entries.optional** - Match any of the identities/patterns for this XProtect name | keyword, number.long | -| **optional_permissions** | **chrome_extensions.optional_permissions** - The permissions optionally required by the extensions | keyword, text.text | -| **optional_permissions_json** | **chrome_extensions.optional_permissions_json** - The JSON-encoded permissions optionally required by the extensions | keyword, text.text | -| **options** | **dns_resolvers.options** - Resolver options | keyword | -| | **nfs_shares.options** - Options string set on the export share | | -| **organization** | **curl_certificate.organization** - Organization issued to | keyword, text.text | -| **organization_unit** | **curl_certificate.organization_unit** - Organization unit issued to | keyword, text.text | -| **original_parent** | **es_process_events.original_parent** - Original parent process ID in case of reparenting | keyword, number.long | -| **original_program_name** | **authenticode.original_program_name** - The original program name that the publisher has signed | keyword, text.text | -| **os** | **docker_info.os** - Operating system | keyword, text.text | -| | 
**docker_version.os** - Operating system | | -| | **lxd_images.os** - OS on which image is based | | -| | **lxd_instances.os** - The OS of this instance | | -| **os_type** | **azure_instance_metadata.os_type** - Linux or Windows | keyword, text.text | -| | **docker_info.os_type** - Operating system type | | -| **os_version** | **kernel_panics.os_version** - Version of the operating system | keyword, text.text | -| **other** | **md_devices.other** - Other information associated with array from /proc/mdstat | keyword, text.text | -| **other_run_times** | **prefetch.other_run_times** - Other execution times in prefetch file. | keyword, text.text | -| **ouid** | **apparmor_events.ouid** - Object owner's user ID | keyword, number.long | -| **outiface** | **iptables.outiface** - Output interface for the rule. | keyword, text.text | -| **outiface_mask** | **iptables.outiface_mask** - Output interface mask for the rule. | keyword, text.text | -| **output_bit** | **cpuid.output_bit** - Bit in register value for feature value | keyword, number.long | -| **output_register** | **cpuid.output_register** - Register used to for feature value | keyword, text.text | -| **output_size** | **osquery_schedule.output_size** - Cumulative total number of bytes generated by the resultant rows of the query | keyword, number.long | -| **overflows** | **process_events.overflows** - List of structures that overflowed | keyword, text.text | -| **owned** | **tpm_info.owned** - TPM is ownned | keyword, number.long | -| **owner_gid** | **process_events.owner_gid** - File owner group ID | keyword, number.long | -| **owner_uid** | **process_events.owner_uid** - File owner user ID | keyword, number.long | -| | **shared_memory.owner_uid** - User ID of owning process | | -| **owner_uuid** | **osquery_registry.owner_uuid** - Extension route UUID (0 for core) | keyword, number.long | -| **package** | **portage_keywords.package** - Package name | keyword, text.text | -| | **portage_packages.package** - 
Package name | | -| | **portage_use.package** - Package name | | -| | **rpm_package_files.package** - RPM package name | | -| **package_filename** | **package_receipts.package_filename** - Filename of original .pkg file | keyword, text.text | -| **package_group** | **rpm_packages.package_group** - Package group | keyword, text.text | -| **package_id** | **package_install_history.package_id** - Label packageIdentifiers | keyword, text.text | -| | **package_receipts.package_id** - Package domain identifier | | -| **packet_device_type** | **smart_drive_info.packet_device_type** - Packet device type | keyword, text.text | -| **packets** | **iptables.packets** - Number of matching packets for this rule. | keyword, number.long | -| **packets_received** | **lxd_networks.packets_received** - Number of packets received on this network | keyword, number.long | -| **packets_sent** | **lxd_networks.packets_sent** - Number of packets sent on this network | keyword, number.long | -| **page_ins** | **virtual_memory_info.page_ins** - The total number of requests for pages from a pager. | keyword, number.long | -| **page_outs** | **virtual_memory_info.page_outs** - Total number of pages paged out. | keyword, number.long | -| **parent** | **apparmor_events.parent** - Parent process PID | keyword | -| | **block_devices.parent** - Block device parent name | | -| | **bpf_process_events.parent** - Parent process ID | | -| | **bpf_socket_events.parent** - Parent process ID | | -| | **crashes.parent** - Parent PID of the crashed process | | -| | **docker_container_processes.parent** - Process parent's PID | | -| | **es_process_events.parent** - Parent process ID | | -| | **iokit_devicetree.parent** - Parent device registry ID | | -| | **iokit_registry.parent** - Parent registry ID | | -| | **process_events.parent** - Process parent's PID, or -1 if cannot be determined. 
| | -| | **processes.parent** - Process parent's PID | | -| **parent_ref_number** | **ntfs_journal_events.parent_ref_number** - The ordinal that associates a journal record with a filename's parent directory | keyword, text.text | -| **part_number** | **memory_devices.part_number** - Manufacturer specific serial number of memory device | keyword, text.text | -| **partial** | **ntfs_journal_events.partial** - Set to 1 if either path or old_path only contains the file or folder name | keyword | -| | **process_file_events.partial** - True if this is a partial event (i.e.: this process existed before we started osquery) | | -| **partition** | **device_file.partition** - A partition number | keyword, text.text | -| | **device_hash.partition** - A partition number | | -| | **device_partitions.partition** - A partition number or description | | -| **partition_row_position** | **memory_device_mapped_addresses.partition_row_position** - Identifies the position of the referenced memory device in a row of the address partition | keyword, number.long | -| **partition_width** | **memory_array_mapped_addresses.partition_width** - Number of memory devices that form a single row of memory for the address partition of this structure | keyword, number.long | -| **partitions** | **disk_info.partitions** - Number of detected partitions on disk. 
| keyword, number.long | -| **partner_fd** | **process_open_pipes.partner_fd** - File descriptor of shared pipe at partner's end | keyword, number.long | -| **partner_mode** | **process_open_pipes.partner_mode** - Mode of shared pipe at partner's end | keyword, text.text | -| **partner_pid** | **process_open_pipes.partner_pid** - Process ID of partner process sharing a particular pipe | keyword, number.long | -| **passpoint** | **wifi_networks.passpoint** - 1 if Passpoint is supported, 0 otherwise | keyword, number.long | -| **password_last_set_time** | **account_policy_data.password_last_set_time** - The time the password was last changed | keyword, number.double | -| **password_status** | **shadow.password_status** - Password status | keyword, text.text | -| **patch** | **os_version.patch** - Optional patch release | keyword, number.long | -| **path** | **alf_exceptions.path** - Path to the executable that is excepted | keyword, text.text | -| | **apparmor_profiles.path** - Unique, aa-status compatible, policy identifier. | | -| | **appcompat_shims.path** - This is the path to the SDB database. | | -| | **apps.path** - Absolute and full Name.app path | | -| | **atom_packages.path** - Package's package.json path | | -| | **augeas.path** - The path to the configuration file | | -| | **authenticode.path** - Must provide a path or directory | | -| | **autoexec.path** - Path to the executable | | -| | **background_activities_moderator.path** - Application file path. 
| | -| | **bpf_process_events.path** - Binary path | | -| | **bpf_socket_events.path** - Path of executed file | | -| | **browser_plugins.path** - Path to plugin bundle | | -| | **carves.path** - The path of the requested carve | | -| | **certificates.path** - Path to Keychain or PEM bundle | | -| | **chocolatey_packages.path** - Path at which this package resides | | -| | **chrome_extension_content_scripts.path** - Path to extension folder | | -| | **chrome_extensions.path** - Path to extension folder | | -| | **crashes.path** - Path to the crashed process | | -| | **crontab.path** - File parsed | | -| | **device_file.path** - A logical path within the device node | | -| | **disk_events.path** - Path of the DMG file accessed | | -| | **docker_container_fs_changes.path** - FIle or directory path relative to rootfs | | -| | **docker_containers.path** - Container path | | -| | **elf_dynamic.path** - Path to ELF file | | -| | **elf_info.path** - Path to ELF file | | -| | **elf_sections.path** - Path to ELF file | | -| | **elf_segments.path** - Path to ELF file | | -| | **elf_symbols.path** - Path to ELF file | | -| | **es_process_events.path** - Path of executed file | | -| | **example.path** - Path of example | | -| | **extended_attributes.path** - Absolute file path | | -| | **file.path** - Absolute file path | | -| | **firefox_addons.path** - Path to plugin bundle | | -| | **gatekeeper_approved_apps.path** - Path of executable allowed to run | | -| | **hardware_events.path** - Local device path assigned (optional) | | -| | **hash.path** - Must provide a path or directory | | -| | **homebrew_packages.path** - Package install path | | -| | **ie_extensions.path** - Path to executable | | -| | **kernel_extensions.path** - Optional path to extension bundle | | -| | **kernel_info.path** - Kernel path | | -| | **kernel_panics.path** - Location of log file | | -| | **keychain_acls.path** - The path of the authorized application | | -| | **keychain_items.path** - Path to 
keychain containing item | | -| | **launchd.path** - Path to daemon or agent plist | | -| | **launchd_overrides.path** - Path to daemon or agent plist | | -| | **listening_ports.path** - Path for UNIX domain sockets | | -| | **magic.path** - Absolute path to target file | | -| | **mdfind.path** - Path of the file returned from spotlight | | -| | **mdls.path** - Path of the file | | -| | **mounts.path** - Mounted device path | | -| | **npm_packages.path** - Module's package.json path | | -| | **ntfs_acl_permissions.path** - Path to the file or directory. | | -| | **ntfs_journal_events.path** - Path | | -| | **office_mru.path** - File path | | -| | **osquery_extensions.path** - Path of the extension's Thrift connection or library path | | -| | **package_bom.path** - Path of package bom | | -| | **package_receipts.path** - Path of receipt plist | | -| | **plist.path** - (required) read preferences from a plist | | -| | **prefetch.path** - Prefetch file path. | | -| | **process_events.path** - Path of executed file | | -| | **process_file_events.path** - The path associated with the event | | -| | **process_memory_map.path** - Path to mapped file or mapped type | | -| | **process_open_files.path** - Filesystem path of descriptor | | -| | **process_open_sockets.path** - For UNIX sockets (family=AF_UNIX), the domain path | | -| | **processes.path** - Path to executed binary | | -| | **python_packages.path** - Path at which this module resides | | -| | **quicklook_cache.path** - Path of file | | -| | **registry.path** - Full path to the value | | -| | **rpm_package_files.path** - File path within the package | | -| | **safari_extensions.path** - Path to extension XAR bundle | | -| | **sandboxes.path** - Path to sandbox container directory | | -| | **scheduled_tasks.path** - Path to the executable to be run | | -| | **services.path** - Path to Service Executable | | -| | **shared_folders.path** - Absolute path of shared folder on the local system | | -| | 
**shared_resources.path** - Local path of the Windows share. | | -| | **shellbags.path** - Directory name. | | -| | **shimcache.path** - This is the path to the executed file. | | -| | **shortcut_files.path** - Directory name. | | -| | **signature.path** - Must provide a path or directory | | -| | **socket_events.path** - Path of executed file | | -| | **startup_items.path** - Path of startup item | | -| | **suid_bin.path** - Binary path | | -| | **system_extensions.path** - Original path of system extension | | -| | **user_events.path** - Supplied path from event | | -| | **user_ssh_keys.path** - Path to key file | | -| | **userassist.path** - Application file path. | | -| | **windows_crashes.path** - Path of the executable file for the crashed process | | -| | **yara.path** - The path scanned | | -| **pci_class** | **pci_devices.pci_class** - PCI Device class | keyword, text.text | -| **pci_class_id** | **pci_devices.pci_class_id** - PCI Device class ID in hex format | keyword, text.text | -| **pci_slot** | **interface_details.pci_slot** - PCI slot number | keyword, text.text | -| | **pci_devices.pci_slot** - PCI Device used slot | | -| **pci_subclass** | **pci_devices.pci_subclass** - PCI Device subclass | keyword, text.text | -| **pci_subclass_id** | **pci_devices.pci_subclass_id** - PCI Device subclass in hex format | keyword, text.text | -| **pem** | **curl_certificate.pem** - Certificate PEM format | keyword, text.text | -| **percent_disk_read_time** | **physical_disk_performance.percent_disk_read_time** - Percentage of elapsed time that the selected disk drive is busy servicing read requests | keyword, number.long | -| **percent_disk_time** | **physical_disk_performance.percent_disk_time** - Percentage of elapsed time that the selected disk drive is busy servicing read or write requests | keyword, number.long | -| **percent_disk_write_time** | **physical_disk_performance.percent_disk_write_time** - Percentage of elapsed time that the selected disk drive is 
busy servicing write requests | keyword, number.long | -| **percent_idle_time** | **physical_disk_performance.percent_idle_time** - Percentage of time during the sample interval that the disk was idle | keyword, number.long | -| **percent_processor_time** | **processes.percent_processor_time** - Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks. | keyword, number.long | -| **percent_remaining** | **battery.percent_remaining** - The percentage of battery remaining before it is drained | keyword, number.long | -| **percentage_encrypted** | **bitlocker_info.percentage_encrypted** - The percentage of the drive that is encrypted. | keyword, number.long | -| **perf_ctl** | **msr.perf_ctl** - Performance setting for the processor. | keyword, number.long | -| **perf_status** | **msr.perf_status** - Performance status for the processor. | keyword, number.long | -| **period** | **load_average.period** - Period over which the average is calculated. | keyword, text.text | -| **permanent** | **arp_cache.permanent** - 1 for true, 0 for false | keyword, text.text | -| **permissions** | **chrome_extensions.permissions** - The permissions required by the extension | keyword, text.text | -| | **process_memory_map.permissions** - r=read, w=write, x=execute, p=private (cow) | | -| | **shared_memory.permissions** - Memory segment permissions | | -| | **suid_bin.permissions** - Binary permissions | | -| **permissions_json** | **chrome_extensions.permissions_json** - The JSON-encoded permissions required by the extension | keyword, text.text | -| **persistent** | **chrome_extensions.persistent** - 1 If extension is persistent across all tabs else 0 | keyword, number.long | -| **persistent_volume_id** | **bitlocker_info.persistent_volume_id** - Persistent ID of the drive. 
| keyword, text.text | -| **pgroup** | **docker_container_processes.pgroup** - Process group | keyword, number.long | -| | **processes.pgroup** - Process group | | -| **physical_adapter** | **interface_details.physical_adapter** - Indicates whether the adapter is a physical or a logical adapter. | keyword, number.long | -| **physical_memory** | **system_info.physical_memory** - Total physical memory in bytes | keyword, number.long | -| **physical_presence_version** | **tpm_info.physical_presence_version** - Version of the Physical Presence Interface | keyword, text.text | -| **pid** | **apparmor_events.pid** - Process ID | keyword, number.long | -| | **asl.pid** - Sending process ID encoded as a string. Set automatically. | | -| | **bpf_process_events.pid** - Process ID | | -| | **bpf_socket_events.pid** - Process ID | | -| | **crashes.pid** - Process (or thread) ID of the crashed process | | -| | **docker_container_processes.pid** - Process ID | | -| | **docker_containers.pid** - Identifier of the initial process | | -| | **es_process_events.pid** - Process (or thread) ID | | -| | **last.pid** - Process (or thread) ID | | -| | **listening_ports.pid** - Process (or thread) ID | | -| | **logged_in_users.pid** - Process (or thread) ID | | -| | **lxd_instances.pid** - Instance's process ID | | -| | **osquery_info.pid** - Process (or thread/handle) ID | | -| | **pipes.pid** - Process ID of the process to which the pipe belongs | | -| | **process_envs.pid** - Process (or thread) ID | | -| | **process_events.pid** - Process (or thread) ID | | -| | **process_file_events.pid** - Process ID | | -| | **process_memory_map.pid** - Process (or thread) ID | | -| | **process_namespaces.pid** - Process (or thread) ID | | -| | **process_open_files.pid** - Process (or thread) ID | | -| | **process_open_pipes.pid** - Process ID | | -| | **process_open_sockets.pid** - Process (or thread) ID | | -| | **processes.pid** - Process (or thread) ID | | -| | **running_apps.pid** - The pid of 
the application | | -| | **seccomp_events.pid** - Process ID | | -| | **services.pid** - the Process ID of the service | | -| | **shared_memory.pid** - Process ID to last use the segment | | -| | **socket_events.pid** - Process (or thread) ID | | -| | **user_events.pid** - Process (or thread) ID | | -| | **windows_crashes.pid** - Process ID of the crashed process | | -| | **windows_eventlog.pid** - Process ID which emitted the event record | | -| **pid_namespace** | **docker_containers.pid_namespace** - PID namespace | keyword, text.text | -| | **process_namespaces.pid_namespace** - pid namespace inode | | -| **pid_with_namespace** | **apt_sources.pid_with_namespace** - Pids that contain a namespace | keyword, number.long | -| | **authorized_keys.pid_with_namespace** - Pids that contain a namespace | | -| | **crontab.pid_with_namespace** - Pids that contain a namespace | | -| | **deb_packages.pid_with_namespace** - Pids that contain a namespace | | -| | **dns_resolvers.pid_with_namespace** - Pids that contain a namespace | | -| | **etc_hosts.pid_with_namespace** - Pids that contain a namespace | | -| | **file.pid_with_namespace** - Pids that contain a namespace | | -| | **groups.pid_with_namespace** - Pids that contain a namespace | | -| | **hash.pid_with_namespace** - Pids that contain a namespace | | -| | **npm_packages.pid_with_namespace** - Pids that contain a namespace | | -| | **os_version.pid_with_namespace** - Pids that contain a namespace | | -| | **python_packages.pid_with_namespace** - Pids that contain a namespace | | -| | **rpm_packages.pid_with_namespace** - Pids that contain a namespace | | -| | **suid_bin.pid_with_namespace** - Pids that contain a namespace | | -| | **user_ssh_keys.pid_with_namespace** - Pids that contain a namespace | | -| | **users.pid_with_namespace** - Pids that contain a namespace | | -| | **yum_sources.pid_with_namespace** - Pids that contain a namespace | | -| **pids** | **docker_container_stats.pids** - Number of processes | 
keyword |
-| | **lldp_neighbors.pids** - Comma delimited list of PIDs | |
-| **placement_group_id** | **azure_instance_metadata.placement_group_id** - Placement group for the VM scale set | keyword, text.text |
-| **platform** | **os_version.platform** - OS Platform or ID | keyword, text.text |
-| | **osquery_packs.platform** - Platforms this query is supported on | |
-| **platform_binary** | **es_process_events.platform_binary** - Indicates if the binary is Apple signed binary (1) or not (0) | keyword, number.long |
-| **platform_fault_domain** | **azure_instance_metadata.platform_fault_domain** - Fault domain the VM is running in | keyword, text.text |
-| **platform_info** | **msr.platform_info** - Platform information. | keyword, number.long |
-| **platform_like** | **os_version.platform_like** - Closely related platforms | keyword, text.text |
-| **platform_mask** | **osquery_info.platform_mask** - The osquery platform bitmask | keyword, number.long |
-| **platform_update_domain** | **azure_instance_metadata.platform_update_domain** - Update domain the VM is running in | keyword, text.text |
-| **plugin** | **authorization_mechanisms.plugin** - Authorization plugin name | keyword, text.text |
-| **pnp_device_id** | **disk_info.pnp_device_id** - The unique identifier of the drive on the system. | keyword, text.text |
-| **point_to_point** | **interface_addresses.point_to_point** - PtP address for the interface | keyword, text.text |
-| **points** | **example.points** - This is a signed SQLite int column | keyword, number.long |
-| **policies** | **curl_certificate.policies** - Certificate Policies | keyword, text.text |
-| **policy** | **iptables.policy** - Policy that applies for this rule. 
| keyword, text.text |
-| **policy_constraints** | **curl_certificate.policy_constraints** - Policy Constraints | keyword, text.text |
-| **policy_mappings** | **curl_certificate.policy_mappings** - Policy Mappings | keyword, text.text |
-| **port** | **docker_container_ports.port** - Port inside the container | keyword, number.long |
-| | **etc_services.port** - Service port number | |
-| | **listening_ports.port** - Transport layer port | |
-| **port_aggregation_id** | **lldp_neighbors.port_aggregation_id** - Port aggregation ID | keyword, text.text |
-| **port_autoneg_1000baset_fd_enabled** | **lldp_neighbors.port_autoneg_1000baset_fd_enabled** - 1000Base-T FD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_1000baset_hd_enabled** | **lldp_neighbors.port_autoneg_1000baset_hd_enabled** - 1000Base-T HD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_1000basex_fd_enabled** | **lldp_neighbors.port_autoneg_1000basex_fd_enabled** - 1000Base-X FD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_1000basex_hd_enabled** | **lldp_neighbors.port_autoneg_1000basex_hd_enabled** - 1000Base-X HD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_100baset2_fd_enabled** | **lldp_neighbors.port_autoneg_100baset2_fd_enabled** - 100Base-T2 FD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_100baset2_hd_enabled** | **lldp_neighbors.port_autoneg_100baset2_hd_enabled** - 100Base-T2 HD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_100baset4_fd_enabled** | **lldp_neighbors.port_autoneg_100baset4_fd_enabled** - 100Base-T4 FD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_100baset4_hd_enabled** | **lldp_neighbors.port_autoneg_100baset4_hd_enabled** - 100Base-T4 HD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_100basetx_fd_enabled** | **lldp_neighbors.port_autoneg_100basetx_fd_enabled** - 100Base-TX FD auto negotiation enabled | 
keyword, number.long |
-| **port_autoneg_100basetx_hd_enabled** | **lldp_neighbors.port_autoneg_100basetx_hd_enabled** - 100Base-TX HD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_10baset_fd_enabled** | **lldp_neighbors.port_autoneg_10baset_fd_enabled** - 10Base-T FD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_10baset_hd_enabled** | **lldp_neighbors.port_autoneg_10baset_hd_enabled** - 10Base-T HD auto negotiation enabled | keyword, number.long |
-| **port_autoneg_enabled** | **lldp_neighbors.port_autoneg_enabled** - Is auto negotiation enabled | keyword, number.long |
-| **port_autoneg_supported** | **lldp_neighbors.port_autoneg_supported** - Auto negotiation supported | keyword, number.long |
-| **port_description** | **lldp_neighbors.port_description** - Port description | keyword, text.text |
-| **port_id** | **lldp_neighbors.port_id** - Port ID value | keyword, text.text |
-| **port_id_type** | **lldp_neighbors.port_id_type** - Port ID type | keyword, text.text |
-| **port_mau_type** | **lldp_neighbors.port_mau_type** - MAU type | keyword, text.text |
-| **port_mfs** | **lldp_neighbors.port_mfs** - Port max frame size | keyword, number.long |
-| **port_ttl** | **lldp_neighbors.port_ttl** - Age of neighbor port | keyword, number.long |
-| **possibly_hidden** | **wifi_networks.possibly_hidden** - 1 if network is possibly a hidden network, 0 otherwise | keyword, number.long |
-| **power_8023at_enabled** | **lldp_neighbors.power_8023at_enabled** - Is 802.3at enabled | keyword, number.long |
-| **power_8023at_power_allocated** | **lldp_neighbors.power_8023at_power_allocated** - 802.3at power allocated | keyword, text.text |
-| **power_8023at_power_priority** | **lldp_neighbors.power_8023at_power_priority** - 802.3at power priority | keyword, text.text |
-| **power_8023at_power_requested** | **lldp_neighbors.power_8023at_power_requested** - 802.3at power requested | keyword, text.text |
-| **power_8023at_power_source** | 
**lldp_neighbors.power_8023at_power_source** - 802.3at power source | keyword, text.text |
-| **power_8023at_power_type** | **lldp_neighbors.power_8023at_power_type** - 802.3at power type | keyword, text.text |
-| **power_class** | **lldp_neighbors.power_class** - Power class | keyword, text.text |
-| **power_device_type** | **lldp_neighbors.power_device_type** - Dot3 power device type | keyword, text.text |
-| **power_mdi_enabled** | **lldp_neighbors.power_mdi_enabled** - Is MDI power enabled | keyword, number.long |
-| **power_mdi_supported** | **lldp_neighbors.power_mdi_supported** - MDI power supported | keyword, number.long |
-| **power_mode** | **smart_drive_info.power_mode** - Device power mode | keyword, text.text |
-| **power_paircontrol_enabled** | **lldp_neighbors.power_paircontrol_enabled** - Is power pair control enabled | keyword, number.long |
-| **power_pairs** | **lldp_neighbors.power_pairs** - Dot3 power pairs | keyword, text.text |
-| **ppid** | **process_file_events.ppid** - Parent process ID | keyword, number.long |
-| **ppvids_enabled** | **lldp_neighbors.ppvids_enabled** - Comma delimited list of enabled PPVIDs | keyword, text.text |
-| **ppvids_supported** | **lldp_neighbors.ppvids_supported** - Comma delimited list of supported PPVIDs | keyword, text.text |
-| **pre_cpu_kernelmode_usage** | **docker_container_stats.pre_cpu_kernelmode_usage** - Last read CPU kernel mode usage | keyword, number.long |
-| **pre_cpu_total_usage** | **docker_container_stats.pre_cpu_total_usage** - Last read total CPU usage | keyword, number.long |
-| **pre_cpu_usermode_usage** | **docker_container_stats.pre_cpu_usermode_usage** - Last read CPU user mode usage | keyword, number.long |
-| **pre_online_cpus** | **docker_container_stats.pre_online_cpus** - Last read online CPUs | keyword, number.long |
-| **pre_system_cpu_usage** | **docker_container_stats.pre_system_cpu_usage** - Last read CPU system usage | keyword, number.long |
-| **prefix** | 
**homebrew_packages.prefix** - Homebrew install prefix | keyword, text.text |
-| **preread** | **docker_container_stats.preread** - UNIX time when stats were last read | keyword, number.long |
-| **principal** | **ntfs_acl_permissions.principal** - User or group to which the ACE applies. | keyword, text.text |
-| **printer_sharing** | **sharing_preferences.printer_sharing** - 1 If printer sharing is enabled else 0 | keyword, number.long |
-| **priority** | **deb_packages.priority** - Package priority | keyword, text.text |
-| **privileged** | **authorization_mechanisms.privileged** - If privileged it will run as root, else as an anonymous user | keyword, text.text |
-| | **docker_containers.privileged** - Is the container privileged | |
-| **probe_error** | **bpf_process_events.probe_error** - Set to 1 if one or more buffers could not be captured | keyword, number.long |
-| | **bpf_socket_events.probe_error** - Set to 1 if one or more buffers could not be captured | |
-| **process** | **alf_explicit_auths.process** - Process name explicitly allowed | keyword, text.text |
-| **process_being_tapped** | **event_taps.process_being_tapped** - The process ID of the target application | keyword, number.long |
-| **process_type** | **launchd.process_type** - Key describes the intended purpose of the job | keyword, text.text |
-| **process_uptime** | **windows_crashes.process_uptime** - Uptime of the process in seconds | keyword, number.long |
-| **processes** | **lxd_instances.processes** - Number of processes running inside this instance | keyword, number.long |
-| **processing_time** | **cups_jobs.processing_time** - How long the job took to process | keyword, number.long |
-| **processor_number** | **msr.processor_number** - The processor number as reported in /proc/cpuinfo | keyword, number.long |
-| **processor_type** | **cpu_info.processor_type** - The processor type, such as Central, Math, or Video. 
| keyword, text.text |
-| **product_name** | **tpm_info.product_name** - Product name of the TPM | keyword, text.text |
-| **product_version** | **file.product_version** - File product version | keyword, text.text |
-| **profile** | **apparmor_events.profile** - Apparmor profile name | keyword, text.text |
-| | **chrome_extensions.profile** - The name of the Chrome profile that contains this extension | |
-| **profile_domain** | **windows_firewall_rules.profile_domain** - 1 if the rule profile type is domain | keyword, number.long |
-| **profile_path** | **chrome_extension_content_scripts.profile_path** - The profile path | keyword, text.text |
-| | **chrome_extensions.profile_path** - The profile path | |
-| | **logon_sessions.profile_path** - The home directory for the logon session. | |
-| **profile_private** | **windows_firewall_rules.profile_private** - 1 if the rule profile type is private | keyword, number.long |
-| **profile_public** | **windows_firewall_rules.profile_public** - 1 if the rule profile type is public | keyword, number.long |
-| **program** | **launchd.program** - Path to target program | keyword, text.text |
-| **program_arguments** | **launchd.program_arguments** - Command line arguments passed to program | keyword, text.text |
-| **propagation** | **docker_container_mounts.propagation** - Mount propagation | keyword, text.text |
-| **protected** | **app_schemes.protected** - 1 if this handler is protected (reserved) by OS X, else 0 | keyword, number.long |
-| **protection_disabled** | **carbon_black_info.protection_disabled** - If the sensor is configured to report tamper events | keyword, number.long |
-| **protection_status** | **bitlocker_info.protection_status** - The bitlocker protection status of the drive. 
| keyword, number.long |
-| **protection_type** | **processes.protection_type** - The protection type of the process | keyword, text.text |
-| **protocol** | **bpf_socket_events.protocol** - The network protocol ID | keyword |
-| | **etc_services.protocol** - Transport protocol (TCP/UDP) | |
-| | **iptables.protocol** - Protocol number identification. | |
-| | **listening_ports.protocol** - Transport protocol (TCP/UDP) | |
-| | **process_open_sockets.protocol** - Transport protocol (TCP/UDP) | |
-| | **socket_events.protocol** - The network protocol ID | |
-| | **usb_devices.protocol** - USB Device protocol | |
-| | **windows_firewall_rules.protocol** - IP protocol of the rule | |
-| **provider** | **drivers.provider** - Driver provider | keyword, text.text |
-| **provider_guid** | **windows_eventlog.provider_guid** - Provider guid of the event | keyword, text.text |
-| | **windows_events.provider_guid** - Provider guid of the event | |
-| **provider_name** | **windows_eventlog.provider_name** - Provider name of the event | keyword, text.text |
-| | **windows_events.provider_name** - Provider name of the event | |
-| **pseudo** | **process_memory_map.pseudo** - 1 If path is a pseudo path, else 0 | keyword, number.long |
-| **psize** | **elf_segments.psize** - Size of segment in file | keyword, number.long |
-| **public** | **lxd_images.public** - Whether image is public (1) or not (0) | keyword, number.long |
-| **publisher** | **azure_instance_metadata.publisher** - Publisher of the VM image | keyword, text.text |
-| | **osquery_events.publisher** - Name of the associated publisher | |
-| | **programs.publisher** - Name of the product supplier. | |
-| **purgeable** | **virtual_memory_info.purgeable** - Total number of purgeable pages. | keyword, number.long |
-| **purged** | **virtual_memory_info.purged** - Total number of purged pages. 
| keyword, number.long |
-| **pvid** | **lldp_neighbors.pvid** - Primary VLAN id | keyword, text.text |
-| **query** | **mdfind.query** - The query that was run to find the file | keyword, text.text |
-| | **osquery_schedule.query** - The exact query to run | |
-| | **wmi_event_filters.query** - Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification. | |
-| **query_language** | **wmi_event_filters.query_language** - Query language that the query is written in. | keyword, text.text |
-| **queue_directories** | **launchd.queue_directories** - Similar to watch_paths but only with non-empty directories | keyword, text.text |
-| **raid_disks** | **md_devices.raid_disks** - Number of configured RAID disks in array | keyword, number.long |
-| **raid_level** | **md_devices.raid_level** - Current raid level of the array | keyword, number.long |
-| **rapl_energy_status** | **msr.rapl_energy_status** - Run Time Average Power Limiting energy status. | keyword, number.long |
-| **rapl_power_limit** | **msr.rapl_power_limit** - Run Time Average Power Limiting power limit. | keyword, number.long |
-| **rapl_power_units** | **msr.rapl_power_units** - Run Time Average Power Limiting power units. | keyword, number.long |
-| **reactivated** | **virtual_memory_info.reactivated** - Total number of reactivated pages. 
| keyword, number.long |
-| **read** | **docker_container_stats.read** - UNIX time when stats were read | keyword, number.long |
-| **read_device_identity_failure** | **smart_drive_info.read_device_identity_failure** - Error string for device id read, if any | keyword, text.text |
-| **readonly** | **nfs_shares.readonly** - 1 if the share is exported readonly else 0 | keyword, number.long |
-| **readonly_rootfs** | **docker_containers.readonly_rootfs** - Is the root filesystem mounted as read only | keyword, number.long |
-| **record_timestamp** | **ntfs_journal_events.record_timestamp** - Journal record timestamp | keyword, text.text |
-| **record_usn** | **ntfs_journal_events.record_usn** - The update sequence number that identifies the journal record | keyword, text.text |
-| **recovery_finish** | **md_devices.recovery_finish** - Estimated duration of recovery activity | keyword, text.text |
-| **recovery_progress** | **md_devices.recovery_progress** - Progress of the recovery activity | keyword, text.text |
-| **recovery_speed** | **md_devices.recovery_speed** - Speed of recovery activity | keyword, text.text |
-| **redirect_accept** | **interface_ipv6.redirect_accept** - Accept ICMP redirect messages | keyword, number.long |
-| **ref_pid** | **asl.ref_pid** - Reference PID for messages proxied by launchd | keyword, number.long |
-| **ref_proc** | **asl.ref_proc** - Reference process for messages proxied by launchd | keyword, text.text |
-| **referenced** | **chrome_extension_content_scripts.referenced** - 1 if this extension is referenced by the Preferences file of the profile | keyword, number.long |
-| | **chrome_extensions.referenced** - 1 if this extension is referenced by the Preferences file of the profile | |
-| **referenced_identifier** | **chrome_extensions.referenced_identifier** - Extension identifier, as specified by the preferences file. Empty if the extension is not in the profile. 
| keyword, text.text |
-| **refreshes** | **osquery_events.refreshes** - Publisher only: number of runloop restarts | keyword, number.long |
-| **refs** | **fbsd_kmods.refs** - Module reverse dependencies | keyword, number.long |
-| | **kernel_extensions.refs** - Reference count | |
-| **region** | **ec2_instance_metadata.region** - AWS region in which this instance launched | keyword, text.text |
-| **registers** | **crashes.registers** - The value of the system registers | keyword, text.text |
-| | **kernel_panics.registers** - A space delimited line of register:value pairs | |
-| | **windows_crashes.registers** - The values of the system registers | |
-| **registry** | **osquery_registry.registry** - Name of the osquery registry | keyword, text.text |
-| **registry_hive** | **logged_in_users.registry_hive** - HKEY_USERS registry hive | keyword, text.text |
-| **registry_path** | **ie_extensions.registry_path** - Extension identifier | keyword, text.text |
-| **relative_path** | **shortcut_files.relative_path** - Relative path to target file from lnk file. | keyword, text.text |
-| | **wmi_cli_event_consumers.relative_path** - Relative path to the class or instance. | |
-| | **wmi_event_filters.relative_path** - Relative path to the class or instance. | |
-| | **wmi_filter_consumer_binding.relative_path** - Relative path to the class or instance. | |
-| | **wmi_script_event_consumers.relative_path** - Relative path to the class or instance. 
| |
-| **release** | **apt_sources.release** - Release name | keyword, text.text |
-| | **lxd_images.release** - OS release version on which the image is based | |
-| | **rpm_packages.release** - Package release | |
-| **remediation_path** | **windows_security_products.remediation_path** - Remediation path | keyword, text.text |
-| **remote_address** | **bpf_socket_events.remote_address** - Remote address associated with socket | keyword, text.text |
-| | **process_open_sockets.remote_address** - Socket remote address | |
-| | **socket_events.remote_address** - Remote address associated with socket | |
-| **remote_addresses** | **windows_firewall_rules.remote_addresses** - Remote addresses for the rule | keyword, text.text |
-| **remote_apple_events** | **sharing_preferences.remote_apple_events** - 1 If remote apple events are enabled else 0 | keyword, number.long |
-| **remote_login** | **sharing_preferences.remote_login** - 1 If remote login is enabled else 0 | keyword, number.long |
-| **remote_management** | **sharing_preferences.remote_management** - 1 If remote management is enabled else 0 | keyword, number.long |
-| **remote_port** | **bpf_socket_events.remote_port** - Remote network protocol port number | keyword, number.long |
-| | **process_open_sockets.remote_port** - Socket remote port | |
-| | **socket_events.remote_port** - Remote network protocol port number | |
-| **remote_ports** | **windows_firewall_rules.remote_ports** - Remote ports for the rule | keyword, text.text |
-| **removable** | **usb_devices.removable** - 1 If USB device is removable else 0 | keyword, number.long |
-| **repository** | **portage_packages.repository** - From which repository the ebuild was used | keyword, text.text |
-| **request_id** | **carves.request_id** - Identifying value of the carve request (e.g., scheduled query name, distributed request, etc) | keyword, text.text |
-| **requested_mask** | **apparmor_events.requested_mask** - Requested access mask | keyword, 
text.text |
-| **requirement** | **gatekeeper_approved_apps.requirement** - Code signing requirement language | keyword, text.text |
-| **reservation_id** | **ec2_instance_metadata.reservation_id** - ID of the reservation | keyword, text.text |
-| **reshape_finish** | **md_devices.reshape_finish** - Estimated duration of reshape activity | keyword, text.text |
-| **reshape_progress** | **md_devices.reshape_progress** - Progress of the reshape activity | keyword, text.text |
-| **reshape_speed** | **md_devices.reshape_speed** - Speed of reshape activity | keyword, text.text |
-| **resident_size** | **docker_container_processes.resident_size** - Bytes of private memory used by process | keyword, number.long |
-| | **processes.resident_size** - Bytes of private memory used by process | |
-| **resource_group_name** | **azure_instance_metadata.resource_group_name** - Resource group for the VM | keyword, text.text |
-| **response_code** | **curl.response_code** - The HTTP status code for the response | keyword, number.long |
-| **responsible** | **crashes.responsible** - Process responsible for the crashed process | keyword, text.text |
-| **result** | **authenticode.result** - The signature check result | keyword, text.text |
-| | **curl.result** - The HTTP response body | |
-| **resync_finish** | **md_devices.resync_finish** - Estimated duration of resync activity | keyword, text.text |
-| **resync_progress** | **md_devices.resync_progress** - Progress of the resync activity | keyword, text.text |
-| **resync_speed** | **md_devices.resync_speed** - Speed of resync activity | keyword, text.text |
-| **retain_count** | **iokit_devicetree.retain_count** - The device reference count | keyword, number.long |
-| | **iokit_registry.retain_count** - The node reference count | |
-| **revision** | **deb_packages.revision** - Package revision | keyword, text.text |
-| | **hardware_events.revision** - Device revision (optional) | |
-| | **platform_info.revision** - BIOS major and 
minor revision | |
-| **rid** | **lldp_neighbors.rid** - Neighbor chassis index | keyword, number.long |
-| **roaming** | **wifi_networks.roaming** - 1 if roaming is supported, 0 otherwise | keyword, number.long |
-| **roaming_profile** | **wifi_networks.roaming_profile** - Describe the roaming profile, usually one of Single, Dual or Multi | keyword, text.text |
-| **root** | **processes.root** - Process virtual root directory | keyword, text.text |
-| **root_dir** | **docker_info.root_dir** - Docker root directory | keyword, text.text |
-| **root_directory** | **launchd.root_directory** - Key used to specify a directory to chroot to before launch | keyword, text.text |
-| **root_volume_uuid** | **time_machine_destinations.root_volume_uuid** - Root UUID of backup volume | keyword, text.text |
-| **rotation_rate** | **smart_drive_info.rotation_rate** - Drive RPM | keyword, text.text |
-| **round_trip_time** | **curl.round_trip_time** - Time taken to complete the request | keyword, number.long |
-| **rowid** | **quicklook_cache.rowid** - Quicklook file rowid key | keyword, number.long |
-| **rssi** | **wifi_status.rssi** - The current received signal strength indication (dbm) | keyword, number.long |
-| | **wifi_survey.rssi** - The current received signal strength indication (dbm) | |
-| **rtadv_accept** | **interface_ipv6.rtadv_accept** - Accept ICMP Router Advertisement | keyword, number.long |
-| **rule_details** | **sudoers.rule_details** - Rule definition | keyword, text.text |
-| **run_at_load** | **launchd.run_at_load** - Should the program run on launch load | keyword, text.text |
-| **run_count** | **prefetch.run_count** - Number of times the application has been run. | keyword, number.long |
-| **rw** | **docker_container_mounts.rw** - 1 if read/write. 
0 otherwise | keyword, number.long |
-| **sata_version** | **smart_drive_info.sata_version** - SATA version, if any | keyword, text.text |
-| **scheme** | **app_schemes.scheme** - Name of the scheme/protocol | keyword, text.text |
-| **scope** | **selinux_settings.scope** - Where the key is located inside the SELinuxFS mount point. | keyword, text.text |
-| **screen_sharing** | **sharing_preferences.screen_sharing** - 1 If screen sharing is enabled else 0 | keyword, number.long |
-| **script** | **chrome_extension_content_scripts.script** - The content script used by the extension | keyword, text.text |
-| **script_block_count** | **powershell_events.script_block_count** - The total number of script blocks for this script | keyword, number.long |
-| **script_block_id** | **powershell_events.script_block_id** - The unique GUID of the powershell script to which this block belongs | keyword, text.text |
-| **script_file_name** | **wmi_script_event_consumers.script_file_name** - Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property. | keyword, text.text |
-| **script_name** | **powershell_events.script_name** - The name of the Powershell script | keyword, text.text |
-| **script_path** | **powershell_events.script_path** - The path for the Powershell script | keyword, text.text |
-| **script_text** | **powershell_events.script_text** - The text content of the Powershell script | keyword, text.text |
-| | **wmi_script_event_consumers.script_text** - Text of the script that is expressed in a language known to the scripting engine. This property must be NULL if the ScriptFileName property is not NULL. | |
-| **scripting_engine** | **wmi_script_event_consumers.scripting_engine** - Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL. | keyword, text.text |
-| **sdb_id** | **appcompat_shims.sdb_id** - Unique GUID of the SDB. 
| keyword, text.text |
-| **sdk** | **browser_plugins.sdk** - Build SDK used to compile plugin | keyword, text.text |
-| | **safari_extensions.sdk** - Bundle SDK used to compile extension | |
-| **sdk_version** | **osquery_extensions.sdk_version** - osquery SDK version used to build the extension | keyword, text.text |
-| **seconds** | **time.seconds** - Current seconds in UTC | keyword, number.long |
-| | **uptime.seconds** - Seconds of uptime | |
-| **section** | **deb_packages.section** - Package section | keyword, text.text |
-| **sector_sizes** | **smart_drive_info.sector_sizes** - Bytes of drive sector sizes | keyword, text.text |
-| **secure_boot** | **secureboot.secure_boot** - Whether secure boot is enabled | keyword, number.long |
-| **secure_process** | **processes.secure_process** - Process is secure (IUM) yes=1, no=0 | keyword, number.long |
-| **security_breach** | **chassis_info.security_breach** - The physical status of the chassis such as Breach Successful, Breach Attempted, etc. | keyword, text.text |
-| **security_groups** | **ec2_instance_metadata.security_groups** - Comma separated list of security group names | keyword, text.text |
-| **security_options** | **docker_containers.security_options** - List of container security options | keyword, text.text |
-| **security_type** | **wifi_networks.security_type** - Type of security on this network | keyword, text.text |
-| | **wifi_status.security_type** - Type of security on this network | |
-| **self_signed** | **certificates.self_signed** - 1 if self-signed, else 0 | keyword, number.long |
-| **sender** | **asl.sender** - Sender's identification string. Default is process name. 
| keyword, text.text |
-| **sensor_backend_server** | **carbon_black_info.sensor_backend_server** - Carbon Black server | keyword, text.text |
-| **sensor_id** | **carbon_black_info.sensor_id** - Sensor ID of the Carbon Black sensor | keyword, number.long |
-| **sensor_ip_addr** | **carbon_black_info.sensor_ip_addr** - IP address of the sensor | keyword, text.text |
-| **seq_num** | **es_process_events.seq_num** - Per event sequence number | keyword, number.long |
-| **serial** | **certificates.serial** - Certificate serial number | keyword, text.text |
-| | **chassis_info.serial** - The serial number of the chassis. | |
-| | **disk_info.serial** - The serial number of the disk. | |
-| | **hardware_events.serial** - Device serial (optional) | |
-| | **usb_devices.serial** - USB Device serial connection | |
-| **serial_number** | **authenticode.serial_number** - The certificate serial number | keyword, text.text |
-| | **battery.serial_number** - The battery's unique serial number | |
-| | **curl_certificate.serial_number** - Certificate serial number | |
-| | **memory_devices.serial_number** - Serial number of memory device | |
-| | **smart_drive_info.serial_number** - Device serial number | |
-| **serial_port_enabled** | **ycloud_instance_metadata.serial_port_enabled** - Indicates if serial port is enabled for the VM | keyword, text.text |
-| **series** | **video_info.series** - The series of the gpu. | keyword, text.text |
-| **server_name** | **lxd_cluster.server_name** - Name of the LXD server node | keyword, text.text |
-| | **lxd_cluster_members.server_name** - Name of the LXD server node | |
-| **server_version** | **docker_info.server_version** - Server version | keyword, text.text |
-| **service** | **drivers.service** - Driver service name, if one exists | keyword, text.text |
-| | **interface_details.service** - The name of the service the network adapter uses. 
| |
-| | **iokit_devicetree.service** - 1 if the device conforms to IOService else 0 | |
-| **service_exit_code** | **services.service_exit_code** - The service-specific error code that the service returns when an error occurs while the service is starting or stopping | keyword, number.long |
-| **service_key** | **drivers.service_key** - Driver service registry key | keyword, text.text |
-| **service_name** | **windows_firewall_rules.service_name** - Service name property of the application | keyword, text.text |
-| **service_type** | **services.service_type** - Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop) | keyword, text.text |
-| **ses** | **seccomp_events.ses** - Session ID of the session from which the analyzed process was invoked | keyword, number.long |
-| **session_id** | **logon_sessions.session_id** - The Terminal Services session identifier. | keyword, number.long |
-| | **winbaseobj.session_id** - Terminal Services Session Id | |
-| **session_owner** | **authorizations.session_owner** - Label top-level key | keyword, text.text |
-| **set** | **memory_devices.set** - Identifies if memory device is one of a set of devices. A value of 0 indicates no set affiliation. | keyword, number.long |
-| **setup_mode** | **secureboot.setup_mode** - Whether setup mode is enabled | keyword, number.long |
-| **severity** | **syslog_events.severity** - Syslog severity | keyword, number.long |
-| **sgid** | **docker_container_processes.sgid** - Saved group ID | keyword |
-| | **process_events.sgid** - Saved group ID at process start | |
-| | **process_file_events.sgid** - Saved group ID of the process using the file | |
-| | **processes.sgid** - Unsigned saved group ID | |
-| **sha1** | **apparmor_profiles.sha1** - A unique hash that identifies this policy. 
| keyword, text.text |
-| | **certificates.sha1** - SHA1 hash of the raw certificate contents | |
-| | **device_hash.sha1** - SHA1 hash of provided inode data | |
-| | **file_events.sha1** - The SHA1 of the file after change | |
-| | **hash.sha1** - SHA1 hash of provided filesystem data | |
-| | **rpm_packages.sha1** - SHA1 hash of the package contents | |
-| **sha1_fingerprint** | **curl_certificate.sha1_fingerprint** - SHA1 fingerprint | keyword, text.text |
-| **sha256** | **carves.sha256** - A SHA256 sum of the carved archive | keyword, text.text |
-| | **device_hash.sha256** - SHA256 hash of provided inode data | |
-| | **file_events.sha256** - The SHA256 of the file after change | |
-| | **hash.sha256** - SHA256 hash of provided filesystem data | |
-| | **rpm_package_files.sha256** - SHA256 file digest from RPM info DB | |
-| **sha256_fingerprint** | **curl_certificate.sha256_fingerprint** - SHA-256 fingerprint | keyword, text.text |
-| **shard** | **osquery_packs.shard** - Shard restriction limit, 1-100, 0 meaning no restriction | keyword, number.long |
-| **share** | **nfs_shares.share** - Filesystem path to the share | keyword, text.text |
-| **share_name** | **shortcut_files.share_name** - Share name of the target file. | keyword, text.text |
-| **shared** | **authorizations.shared** - Label top-level key | keyword, text.text |
-| **shell** | **users.shell** - User's configured default shell | keyword, text.text |
-| **shell_only** | **osquery_flags.shell_only** - Is the flag shell only? | keyword, number.long |
-| **shmid** | **shared_memory.shmid** - Shared memory segment ID | keyword, number.long |
-| **sid** | **background_activities_moderator.sid** - User SID. | keyword, text.text |
-| | **certificates.sid** - SID | |
-| | **logged_in_users.sid** - The user's unique security identifier | |
-| | **office_mru.sid** - User SID | |
-| | **shellbags.sid** - User SID | |
-| | **userassist.sid** - User SID. 
| | -| **sig** | **seccomp_events.sig** - Signal value sent to process by seccomp | keyword, number.long | -| **sig_group** | **yara.sig_group** - Signature group used | keyword, text.text | -| **sigfile** | **yara.sigfile** - Signature file used | keyword, text.text | -| **signature** | **curl_certificate.signature** - Signature | keyword, text.text | -| **signature_algorithm** | **curl_certificate.signature_algorithm** - Signature Algorithm | keyword, text.text | -| **signatures_up_to_date** | **windows_security_products.signatures_up_to_date** - 1 if product signatures are up to date, else 0 | keyword, number.long | -| **signed** | **drivers.signed** - Whether the driver is signed or not | keyword, number.long | -| | **signature.signed** - 1 If the file is signed else 0 | | -| **signing_algorithm** | **certificates.signing_algorithm** - Signing algorithm used | keyword, text.text | -| **signing_id** | **es_process_events.signing_id** - Signature identifier of the process | keyword, text.text | -| **sigrule** | **yara.sigrule** - Signature strings used | keyword, text.text | -| **sigurl** | **yara.sigurl** - Signature url | keyword, text.text | -| **size** | **acpi_tables.size** - Size of compiled table data | keyword | -| | **block_devices.size** - Block device size in blocks | | -| | **carves.size** - Size of the carved archive | | -| | **cups_jobs.size** - The size of the print job | | -| | **deb_packages.size** - Package size in bytes | | -| | **device_file.size** - Size of file in bytes | | -| | **disk_events.size** - Size of partition in bytes | | -| | **docker_image_history.size** - Size of instruction in bytes | | -| | **elf_sections.size** - Size of section | | -| | **elf_symbols.size** - Size of object | | -| | **example.size** - This is a signed SQLite bigint column | | -| | **fbsd_kmods.size** - Size of module content | | -| | **file.size** - Size of file in bytes | | -| | **file_events.size** - Size of file in bytes | | -| | 
**kernel_extensions.size** - Bytes of wired memory used by extension | | -| | **kernel_modules.size** - Size of module content | | -| | **logical_drives.size** - The total amount of space, in bytes, of the drive (-1 on failure). | | -| | **lxd_images.size** - Size of image in bytes | | -| | **lxd_storage_pools.size** - Size of the storage pool | | -| | **md_devices.size** - size of the array in blocks | | -| | **memory_devices.size** - Size of memory device in Megabyte | | -| | **package_bom.size** - Expected file size | | -| | **platform_info.size** - Size in bytes of firmware | | -| | **portage_packages.size** - The size of the package | | -| | **prefetch.size** - Application file size. | | -| | **quicklook_cache.size** - Parsed version size field | | -| | **rpm_package_files.size** - Expected file size in bytes from RPM info DB | | -| | **rpm_packages.size** - Package size in bytes | | -| | **shared_memory.size** - Size in bytes | | -| | **smbios_tables.size** - Table entry size in bytes | | -| | **smc_keys.size** - Reported size of data in bytes | | -| **size_bytes** | **docker_images.size_bytes** - Size of image in bytes | keyword, number.long | -| **sku** | **azure_instance_metadata.sku** - SKU for the VM image | keyword, text.text | -| | **chassis_info.sku** - The Stock Keeping Unit number if available. | | -| **slot** | **md_drives.slot** - Slot position of disk | keyword | -| | **portage_packages.slot** - The slot used by package | | -| **smart_enabled** | **smart_drive_info.smart_enabled** - SMART enabled status | keyword, text.text | -| **smart_supported** | **smart_drive_info.smart_supported** - SMART support status | keyword, text.text | -| **smbios_tag** | **chassis_info.smbios_tag** - The assigned asset tag number of the chassis. 
| keyword, text.text | -| **socket** | **listening_ports.socket** - Socket handle or inode number | keyword | -| | **process_open_sockets.socket** - Socket handle or inode number | | -| | **socket_events.socket** - The local path (UNIX domain socket only) | | -| **socket_designation** | **cpu_info.socket_designation** - The assigned socket on the board for the given CPU. | keyword, text.text | -| **soft_limit** | **ulimit_info.soft_limit** - Current limit value | keyword, text.text | -| **softirq** | **cpu_time.softirq** - Time spent servicing softirqs | keyword, number.long | -| **source** | **apt_sources.source** - Source file | keyword, text.text | -| | **autoexec.source** - Source table of the autoexec item | | -| | **deb_packages.source** - Package source | | -| | **docker_container_mounts.source** - Source path on host | | -| | **lxd_storage_pools.source** - Storage pool source | | -| | **package_install_history.source** - Install source: usually the installer process name | | -| | **routes.source** - Route source | | -| | **rpm_packages.source** - Source RPM package name (optional) | | -| | **shellbags.source** - Shellbags source Registry file | | -| | **startup_items.source** - Directory or plist containing startup item | | -| | **sudoers.source** - Source file containing the given rule | | -| | **windows_events.source** - Source or channel of the event | | -| **source_path** | **systemd_units.source_path** - Path to the (possibly generated) unit configuration file | keyword, text.text | -| **source_url** | **firefox_addons.source_url** - URL that installed the addon | keyword, text.text | -| **space_total** | **lxd_storage_pools.space_total** - Total available storage space in bytes for this storage pool | keyword, number.long | -| **space_used** | **lxd_storage_pools.space_used** - Storage space used in bytes | keyword, number.long | -| **spare_disks** | **md_devices.spare_disks** - Number of idle disks in array | keyword, number.long | -| 
**spec_version** | **tpm_info.spec_version** - Trusted Computing Group specification that the TPM supports | keyword, text.text | -| **speculative** | **virtual_memory_info.speculative** - Total number of speculative pages. | keyword, number.long | -| **speed** | **interface_details.speed** - Estimate of the current bandwidth in bits per second. | keyword, number.long | -| **src_ip** | **iptables.src_ip** - Source IP address. | keyword, text.text | -| **src_mask** | **iptables.src_mask** - Source IP address mask. | keyword, text.text | -| **src_port** | **iptables.src_port** - Protocol source port(s). | keyword, text.text | -| **ssdeep** | **hash.ssdeep** - ssdeep hash of provided filesystem data | keyword, text.text | -| **ssh_config_file** | **ssh_configs.ssh_config_file** - Path to the ssh_config file | keyword, text.text | -| **ssh_public_key** | **ec2_instance_metadata.ssh_public_key** - SSH public key. Only available if supplied at instance launch time | keyword, text.text | -| | **ycloud_instance_metadata.ssh_public_key** - SSH public key. 
Only available if supplied at instance launch time | | -| **ssid** | **wifi_networks.ssid** - SSID octets of the network | keyword, text.text | -| | **wifi_status.ssid** - SSID octets of the network | | -| | **wifi_survey.ssid** - SSID octets of the network | | -| **stack_trace** | **crashes.stack_trace** - Most recent frame from the stack trace | keyword, text.text | -| | **windows_crashes.stack_trace** - Multiple stack frames from the stack trace | | -| **start** | **memory_map.start** - Start address of memory region | keyword, text.text | -| | **process_memory_map.start** - Virtual start address (hex) | | -| **start_interval** | **launchd.start_interval** - Frequency to run in seconds | keyword, text.text | -| **start_on_mount** | **launchd.start_on_mount** - Run daemon or agent every time a filesystem is mounted | keyword, text.text | -| **start_time** | **docker_container_processes.start_time** - Process start in seconds since boot (non-sleeping) | keyword, number.long | -| | **osquery_info.start_time** - UNIX time in seconds when the process started | | -| | **processes.start_time** - Process start time in seconds since Epoch, in case of error -1 | | -| **start_type** | **services.start_type** - Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED | keyword, text.text | -| **started_at** | **docker_containers.started_at** - Container start time as string | keyword, text.text | -| **starting_address** | **memory_array_mapped_addresses.starting_address** - Physical stating address, in kilobytes, of a range of memory mapped to physical memory array | keyword, text.text | -| | **memory_device_mapped_addresses.starting_address** - Physical stating address, in kilobytes, of a range of memory mapped to physical memory array | | -| **state** | **alf_exceptions.state** - Firewall exception state | keyword | -| | **battery.state** - One of the following: "AC Power" indicates the battery is connected to an external power source, "Battery 
Power" indicates that the battery is drawing internal power, "Off Line" indicates the battery is off-line or no longer connected | | -| | **chrome_extensions.state** - 1 if this extension is enabled | | -| | **docker_container_processes.state** - Process state | | -| | **docker_containers.state** - Container state (created, restarting, running, removing, paused, exited, dead) | | -| | **lxd_networks.state** - Network status | | -| | **md_drives.state** - State of the drive | | -| | **process_open_sockets.state** - TCP socket state | | -| | **processes.state** - Process state | | -| | **scheduled_tasks.state** - State of the scheduled task | | -| | **system_extensions.state** - System extension state | | -| | **windows_optional_features.state** - Installation state value. 1 == Enabled, 2 == Disabled, 3 == Absent | | -| | **windows_security_products.state** - State of protection | | -| **state_timestamp** | **windows_security_products.state_timestamp** - Timestamp for the product state | keyword, text.text | -| **stateful** | **lxd_instances.stateful** - Whether the instance is stateful(1) or not(0) | keyword, number.long | -| **statename** | **windows_optional_features.statename** - Installation state name. 'Enabled','Disabled','Absent' | keyword, text.text | -| **status** | **carves.status** - Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED | keyword, text.text | -| | **chassis_info.status** - If available, gives various operational or nonoperational statuses such as OK, Degraded, and Pred Fail. | | -| | **deb_packages.status** - Package status | | -| | **docker_containers.status** - Container status information | | -| | **kernel_modules.status** - Kernel module status | | -| | **lxd_cluster_members.status** - Status of the node (Online/Offline) | | -| | **lxd_instances.status** - Instance state (running, stopped, etc.) 
| | -| | **md_devices.status** - Current state of the array | | -| | **ntdomains.status** - The current status of the domain object. | | -| | **process_events.status** - OpenBSM Attribute: Status of the process | | -| | **services.status** - Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED | | -| | **shared_memory.status** - Destination/attach status | | -| | **shared_resources.status** - String that indicates the current status of the object. | | -| | **socket_events.status** - Either 'succeeded', 'failed', 'in_progress' (connect() on non-blocking socket) or 'no_client' (null accept() on non-blocking socket) | | -| | **startup_items.status** - Startup status; either enabled or disabled | | -| **stderr_path** | **launchd.stderr_path** - Pipe stderr to a target path | keyword, text.text | -| **stdout_path** | **launchd.stdout_path** - Pipe stdout to a target path | keyword, text.text | -| **steal** | **cpu_time.steal** - Time spent in other operating systems when running in a virtualized environment | keyword, number.long | -| **stealth_enabled** | **alf.stealth_enabled** - 1 If stealth mode is enabled else 0 | keyword, number.long | -| **stibp_support_enabled** | **kva_speculative_info.stibp_support_enabled** - Windows uses STIBP. | keyword, number.long | -| **storage_driver** | **docker_info.storage_driver** - Storage driver | keyword, text.text | -| **store** | **certificates.store** - Certificate system store | keyword, text.text | -| **store_id** | **certificates.store_id** - Exists for service/user stores. Contains raw store id provided by WinAPI. 
| keyword, text.text | -| **store_location** | **certificates.store_location** - Certificate system store location | keyword, text.text | -| **strings** | **yara.strings** - Matching strings | keyword, text.text | -| | **yara_events.strings** - Matching strings | | -| **sub_state** | **systemd_units.sub_state** - The low-level unit activation state, values depend on unit type | keyword, text.text | -| **subclass** | **usb_devices.subclass** - USB Device subclass | keyword, text.text | -| **subject** | **certificates.subject** - Certificate distinguished name | keyword, text.text | -| **subject_alternative_names** | **curl_certificate.subject_alternative_names** - Subject Alternative Name | keyword, text.text | -| **subject_info_access** | **curl_certificate.subject_info_access** - Subject Information Access | keyword, text.text | -| **subject_key_id** | **certificates.subject_key_id** - SKID an optionally included SHA1 | keyword, text.text | -| **subject_key_identifier** | **curl_certificate.subject_key_identifier** - Subject Key Identifier | keyword, text.text | -| **subject_name** | **authenticode.subject_name** - The certificate subject name | keyword, text.text | -| **subkey** | **plist.subkey** - Intermediate key path, includes lists/dicts | keyword, text.text | -| | **preferences.subkey** - Intemediate key path, includes lists/dicts | | -| **subnet** | **docker_networks.subnet** - Network subnet | keyword, text.text | -| **subscription_id** | **azure_instance_metadata.subscription_id** - Azure subscription for the VM | keyword, text.text | -| **subscriptions** | **osquery_events.subscriptions** - Number of subscriptions the publisher received or subscriber used | keyword, number.long | -| **subsystem** | **system_controls.subsystem** - Subsystem ID, control type | keyword, text.text | -| **subsystem_model** | **pci_devices.subsystem_model** - Device description of PCI device subsystem | keyword, text.text | -| **subsystem_model_id** | 
**pci_devices.subsystem_model_id** - Model ID of PCI device subsystem | keyword, text.text | -| **subsystem_vendor** | **pci_devices.subsystem_vendor** - Vendor of PCI device subsystem | keyword, text.text | -| **subsystem_vendor_id** | **pci_devices.subsystem_vendor_id** - Vendor ID of PCI device subsystem | keyword, text.text | -| **success** | **socket_events.success** - Deprecated. Use the 'status' column instead | keyword, number.long | -| **suid** | **docker_container_processes.suid** - Saved user ID | keyword | -| | **process_events.suid** - Saved user ID at process start | | -| | **process_file_events.suid** - Saved user ID of the process using the file | | -| | **processes.suid** - Unsigned saved user ID | | -| **summary** | **chocolatey_packages.summary** - Package-supplied summary | keyword, text.text | -| | **python_packages.summary** - Package-supplied summary | | -| **superblock_state** | **md_devices.superblock_state** - State of the superblock | keyword, text.text | -| **superblock_update_time** | **md_devices.superblock_update_time** - Unix timestamp of last update | keyword, number.long | -| **superblock_version** | **md_devices.superblock_version** - Version of the superblock | keyword, text.text | -| **swap_cached** | **memory_info.swap_cached** - The amount of swap, in bytes, used as cache memory | keyword, number.long | -| **swap_free** | **memory_info.swap_free** - The total amount of swap free, in bytes | keyword, number.long | -| **swap_ins** | **virtual_memory_info.swap_ins** - The total number of compressed pages that have been swapped out to disk. | keyword, number.long | -| **swap_limit** | **docker_info.swap_limit** - 1 if swap limit support is enabled. 0 otherwise | keyword, number.long | -| **swap_outs** | **virtual_memory_info.swap_outs** - The total number of compressed pages that have been swapped back in from disk. 
| keyword, number.long | -| **swap_total** | **memory_info.swap_total** - The total amount of swap available, in bytes | keyword, number.long | -| **symlink** | **file.symlink** - 1 if the path is a symlink, otherwise 0 | keyword, number.long | -| **syscall** | **bpf_process_events.syscall** - System call name | keyword, text.text | -| | **bpf_socket_events.syscall** - System call name | | -| | **process_events.syscall** - Syscall name: fork, vfork, clone, execve, execveat | | -| | **seccomp_events.syscall** - Type of the system call | | -| **system** | **cpu_time.system** - Time spent in system mode | keyword, number.long | -| **system_cpu_usage** | **docker_container_stats.system_cpu_usage** - CPU system usage | keyword, number.long | -| **system_model** | **kernel_panics.system_model** - Physical system model, for example 'MacBookPro12,1 (Mac-E43C1C25D4880AD6)' | keyword, text.text | -| **system_time** | **osquery_schedule.system_time** - Total system time in milliseconds spent executing | keyword, number.long | -| | **processes.system_time** - CPU time in milliseconds spent in kernel space | | -| **table** | **elf_symbols.table** - Table name containing symbol | keyword, text.text | -| **tag** | **elf_dynamic.tag** - Tag ID | keyword | -| | **syslog_events.tag** - The syslog tag | | -| **tags** | **docker_image_history.tags** - Comma-separated list of tags | keyword, text.text | -| | **docker_images.tags** - Comma-separated list of repository tags | | -| | **yara.tags** - Matching tags | | -| | **yara_events.tags** - Matching tags | | -| **tapping_process** | **event_taps.tapping_process** - The process ID of the application that created the event tap. | keyword, number.long | -| **target** | **fan_speed_sensors.target** - Target speed | keyword | -| | **iptables.target** - Target that applies for this rule. | | -| **target_accessed** | **shortcut_files.target_accessed** - Target Accessed time. 
| keyword, number.long | -| **target_created** | **shortcut_files.target_created** - Target Created time. | keyword, number.long | -| **target_modified** | **shortcut_files.target_modified** - Target Modified time. | keyword, number.long | -| **target_name** | **prometheus_metrics.target_name** - Address of prometheus target | keyword, text.text | -| **target_path** | **file_events.target_path** - The path associated with the event | keyword, text.text | -| | **shortcut_files.target_path** - Target file path | | -| | **yara_events.target_path** - The path scanned | | -| **target_size** | **shortcut_files.target_size** - Size of target file. | keyword, number.long | -| **task** | **windows_eventlog.task** - Task value associated with the event | keyword, number.long | -| | **windows_events.task** - Task value associated with the event | | -| **team** | **system_extensions.team** - Signing team ID | keyword, text.text | -| **team_id** | **es_process_events.team_id** - Team identifier of thd process | keyword, text.text | -| **team_identifier** | **signature.team_identifier** - The team signing identifier sealed into the signature | keyword, text.text | -| **temporarily_disabled** | **wifi_networks.temporarily_disabled** - 1 if this network is temporarily disabled, 0 otherwise | keyword, number.long | -| **terminal** | **user_events.terminal** - The network protocol ID | keyword, text.text | -| **threads** | **docker_container_processes.threads** - Number of threads used by process | keyword, number.long | -| | **processes.threads** - Number of threads used by process | | -| **throttled** | **virtual_memory_info.throttled** - Total number of throttled pages. 
| keyword, number.long | -| **tid** | **bpf_process_events.tid** - Thread ID | keyword, number.long | -| | **bpf_socket_events.tid** - Thread ID | | -| | **windows_crashes.tid** - Thread ID of the crashed thread | | -| | **windows_eventlog.tid** - Thread ID which emitted the event record | | -| **time** | **apparmor_events.time** - Time of execution in UNIX time | keyword | -| | **asl.time** - Unix timestamp. Set automatically | | -| | **bpf_process_events.time** - Time of execution in UNIX time | | -| | **bpf_socket_events.time** - Time of execution in UNIX time | | -| | **carves.time** - Time at which the carve was kicked off | | -| | **disk_events.time** - Time of appearance/disappearance in UNIX time | | -| | **docker_container_processes.time** - Cumulative CPU time. [DD-]HH:MM:SS format | | -| | **es_process_events.time** - Time of execution in UNIX time | | -| | **file_events.time** - Time of file event | | -| | **hardware_events.time** - Time of hardware event | | -| | **kernel_panics.time** - Formatted time of the event | | -| | **last.time** - Entry timestamp | | -| | **logged_in_users.time** - Time entry was made | | -| | **ntfs_journal_events.time** - Time of file event | | -| | **package_install_history.time** - Label date as UNIX timestamp | | -| | **powershell_events.time** - Timestamp the event was received by the osquery event publisher | | -| | **process_events.time** - Time of execution in UNIX time | | -| | **process_file_events.time** - Time of execution in UNIX time | | -| | **seccomp_events.time** - Time of execution in UNIX time | | -| | **selinux_events.time** - Time of execution in UNIX time | | -| | **shell_history.time** - Entry timestamp. It could be absent, default value is 0. 
| | -| | **socket_events.time** - Time of execution in UNIX time | | -| | **syslog_events.time** - Current unix epoch time | | -| | **user_events.time** - Time of execution in UNIX time | | -| | **user_interaction_events.time** - Time | | -| | **windows_events.time** - Timestamp the event was received | | -| | **xprotect_reports.time** - Quarantine alert time | | -| | **yara_events.time** - Time of the scan | | -| **time_nano_sec** | **asl.time_nano_sec** - Nanosecond time. | keyword, number.long | -| **time_range** | **windows_eventlog.time_range** - System time to selectively filter the events | keyword, text.text | -| **timeout** | **authorizations.timeout** - Label top-level key | keyword, text.text | -| | **curl_certificate.timeout** - Set this value to the timeout in seconds to complete the TLS handshake (default 4s, use 0 for no timeout) | | -| **timestamp** | **time.timestamp** - Current timestamp (log format) in UTC | keyword, text.text | -| | **windows_eventlog.timestamp** - Timestamp to selectively filter the events | | -| **timestamp_ms** | **prometheus_metrics.timestamp_ms** - Unix timestamp of collected data in MS | keyword, number.long | -| **timezone** | **time.timezone** - Timezone for reported time (hardcoded to UTC) | keyword, text.text | -| **title** | **cups_jobs.title** - Title of the printed job | keyword, text.text | -| **total_seconds** | **uptime.total_seconds** - Total uptime seconds | keyword, number.long | -| **total_size** | **docker_container_processes.total_size** - Total virtual memory size | keyword, number.long | -| | **processes.total_size** - Total virtual memory size | | -| **total_width** | **memory_devices.total_width** - Total width, in bits, of this memory device, including any check or error-correction bits | keyword, number.long | -| **transaction_id** | **file_events.transaction_id** - ID used during bulk update | keyword, number.long | -| | **yara_events.transaction_id** - ID used during bulk update | | -| 
**transmit_rate** | **wifi_status.transmit_rate** - The current transmit rate | keyword, text.text | -| **transport_type** | **smart_drive_info.transport_type** - Drive transport type | keyword, text.text | -| **tries** | **authorizations.tries** - Label top-level key | keyword, text.text | -| **tty** | **last.tty** - Entry terminal | keyword, text.text | -| | **logged_in_users.tty** - Device name | | -| **turbo_disabled** | **msr.turbo_disabled** - Whether the turbo feature is disabled. | keyword, number.long | -| **turbo_ratio_limit** | **msr.turbo_ratio_limit** - The turbo feature ratio limit. | keyword, number.long | -| **type** | **apparmor_events.type** - Event type | keyword, text.text | -| | **appcompat_shims.type** - Type of the SDB database. | | -| | **block_devices.type** - Block device type string | | -| | **bpf_socket_events.type** - The socket type | | -| | **crashes.type** - Type of crash log | | -| | **device_file.type** - File status | | -| | **device_firmware.type** - Type of device | | -| | **device_partitions.type** - | | -| | **disk_encryption.type** - Description of cipher type and mode if available | | -| | **disk_info.type** - The interface type of the disk. | | -| | **dns_cache.type** - DNS record type | | -| | **dns_resolvers.type** - Address type: sortlist, nameserver, search | | -| | **docker_container_mounts.type** - Type of mount (bind, volume) | | -| | **docker_container_ports.type** - Protocol (tcp, udp) | | -| | **docker_volumes.type** - Volume type | | -| | **elf_info.type** - Offset of section in file | | -| | **elf_sections.type** - Section type | | -| | **elf_symbols.type** - Symbol type | | -| | **file.type** - File status | | -| | **firefox_addons.type** - Extension, addon, webapp | | -| | **hardware_events.type** - Type of hardware and hardware event | | -| | **interface_addresses.type** - Type of address. 
One of dhcp, manual, auto, other, unknown | | -| | **interface_details.type** - Interface type (includes virtual) | | -| | **keychain_items.type** - Keychain item type (class) | | -| | **last.type** - Entry type, according to ut_type types (utmp.h) | | -| | **logged_in_users.type** - Login type | | -| | **logical_drives.type** - Deprecated (always 'Unknown'). | | -| | **lxd_certificates.type** - Type of the certificate | | -| | **lxd_networks.type** - Type of network | | -| | **mounts.type** - Mounted device type | | -| | **ntfs_acl_permissions.type** - Type of access mode for the access control entry. | | -| | **nvram.type** - Data type (CFData, CFString, etc) | | -| | **osquery_events.type** - Either publisher or subscriber | | -| | **osquery_extensions.type** - SDK extension type: extension or module | | -| | **osquery_flags.type** - Flag type | | -| | **process_open_pipes.type** - Pipe Type: named vs unnamed/anonymous | | -| | **registry.type** - Type of the registry value, or 'subkey' if item is a subkey | | -| | **routes.type** - Type of route | | -| | **selinux_events.type** - Event type | | -| | **shared_resources.type** - Type of resource being shared. Types include: disk drives, print queues, interprocess communications (IPC), and general devices. 
| | -| | **smbios_tables.type** - Table entry type | | -| | **smc_keys.type** - SMC-reported type literal type | | -| | **startup_items.type** - Startup Item or Login Item | | -| | **system_controls.type** - Data type | | -| | **ulimit_info.type** - System resource to be limited | | -| | **user_events.type** - The file description for the process socket | | -| | **users.type** - Whether the account is roaming (domain), local, or a system profile | | -| | **windows_crashes.type** - Type of crash log | | -| | **windows_security_products.type** - Type of security product | | -| | **xprotect_meta.type** - Either plugin or extension | | -| **type_name** | **last.type_name** - Entry type name, according to ut_type types (utmp.h) | keyword, text.text | -| **uid** | **account_policy_data.uid** - User ID | keyword | -| | **asl.uid** - UID that sent the log message (set by the server). | | -| | **atom_packages.uid** - The local user that owns the plugin | | -| | **authorized_keys.uid** - The local owner of authorized_keys file | | -| | **bpf_process_events.uid** - User ID | | -| | **bpf_socket_events.uid** - User ID | | -| | **browser_plugins.uid** - The local user that owns the plugin | | -| | **chrome_extension_content_scripts.uid** - The local user that owns the extension | | -| | **chrome_extensions.uid** - The local user that owns the extension | | -| | **crashes.uid** - User ID of the crashed process | | -| | **device_file.uid** - Owning user ID | | -| | **disk_encryption.uid** - Currently authenticated user if available | | -| | **docker_container_processes.uid** - User ID | | -| | **es_process_events.uid** - User ID of the process | | -| | **file.uid** - Owning user ID | | -| | **file_events.uid** - Owning user ID | | -| | **firefox_addons.uid** - The local user that owns the addon | | -| | **known_hosts.uid** - The local user that owns the known_hosts file | | -| | **launchd_overrides.uid** - User ID applied to the override, 0 applies to all | | -| | 
**package_bom.uid** - Expected user of file or directory | | -| | **process_events.uid** - User ID at process start | | -| | **process_file_events.uid** - The uid of the process performing the action | | -| | **processes.uid** - Unsigned user ID | | -| | **safari_extensions.uid** - The local user that owns the extension | | -| | **seccomp_events.uid** - User ID of the user who started the analyzed process | | -| | **shell_history.uid** - Shell history owner | | -| | **ssh_configs.uid** - The local owner of the ssh_config file | | -| | **user_events.uid** - User ID | | -| | **user_groups.uid** - User ID | | -| | **user_ssh_keys.uid** - The local user that owns the key file | | -| | **users.uid** - User ID | | -| **uid_signed** | **users.uid_signed** - User ID as int64 signed (Apple) | keyword, number.long | -| **umci_policy_status** | **hvci_status.umci_policy_status** - The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered. | keyword, text.text | -| **uncompressed** | **virtual_memory_info.uncompressed** - Total number of uncompressed pages. | keyword, number.long | -| **uninstall_string** | **programs.uninstall_string** - Path and filename of the uninstaller. 
| keyword, text.text |
-| **unique_chip_id** | **ibridge_info.unique_chip_id** - Unique id of the iBridge controller | keyword, text.text |
-| **unix_time** | **time.unix_time** - Current UNIX time in UTC | keyword, number.long |
-| **unmask** | **portage_keywords.unmask** - If the package is unmasked | keyword, number.long |
-| **unused_devices** | **md_devices.unused_devices** - Unused devices | keyword, text.text |
-| **update_source_alias** | **lxd_images.update_source_alias** - Alias of image at update source server | keyword, text.text |
-| **update_source_certificate** | **lxd_images.update_source_certificate** - Certificate for update source server | keyword, text.text |
-| **update_source_protocol** | **lxd_images.update_source_protocol** - Protocol used for image information update and image import from source server | keyword, text.text |
-| **update_source_server** | **lxd_images.update_source_server** - Server for image update | keyword, text.text |
-| **update_url** | **chrome_extensions.update_url** - Extension-supplied update URI | keyword, text.text |
-| | **safari_extensions.update_url** - Extension-supplied update URI | |
-| **upid** | **processes.upid** - A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system. | keyword, number.long |
-| **uploaded_at** | **lxd_images.uploaded_at** - ISO time of image upload | keyword, text.text |
-| **upn** | **logon_sessions.upn** - The user principal name (UPN) for the owner of the logon session. | keyword, text.text |
-| **uppid** | **processes.uppid** - The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system. | keyword, number.long |
-| **uptime** | **apparmor_events.uptime** - Time of execution in system uptime | keyword, number.long |
-| | **kernel_panics.uptime** - System uptime at kernel panic in nanoseconds | |
-| | **process_events.uptime** - Time of execution in system uptime | |
-| | **process_file_events.uptime** - Time of execution in system uptime | |
-| | **seccomp_events.uptime** - Time of execution in system uptime | |
-| | **selinux_events.uptime** - Time of execution in system uptime | |
-| | **socket_events.uptime** - Time of execution in system uptime | |
-| | **user_events.uptime** - Time of execution in system uptime | |
-| **url** | **curl.url** - The url for the request | keyword, text.text |
-| | **lxd_cluster_members.url** - URL of the node | |
-| **usb_address** | **usb_devices.usb_address** - USB Device used address | keyword, number.long |
-| **usb_port** | **usb_devices.usb_port** - USB Device used port | keyword, number.long |
-| **use** | **memory_arrays.use** - Function for which the array is used | keyword, text.text |
-| | **portage_use.use** - USE flag which has been enabled for package | |
-| **used_by** | **kernel_modules.used_by** - Module reverse dependencies | keyword, text.text |
-| | **lxd_networks.used_by** - URLs for containers using this network | |
-| **user** | **cpu_time.user** - Time spent in user mode | keyword |
-| | **cups_jobs.user** - The user who printed the job | |
-| | **docker_container_processes.user** - User name | |
-| | **logged_in_users.user** - User login name | |
-| | **logon_sessions.user** - The account name of the security principal that owns the logon session. | |
-| | **sandboxes.user** - Sandbox owner | |
-| | **systemd_units.user** - The configured user, if any | |
-| **user_account** | **services.user_account** - The name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\UserName. If the account belongs to the built-in domain, the name can be of the form .\UserName. | keyword, text.text |
-| **user_account_control** | **windows_security_center.user_account_control** - The health of the User Account Control (UAC) capability in Windows | keyword, text.text |
-| **user_action** | **xprotect_reports.user_action** - Action taken by user after prompted | keyword, text.text |
-| **user_agent** | **curl.user_agent** - The user-agent string to use for the request | keyword, text.text |
-| **user_capacity** | **smart_drive_info.user_capacity** - Bytes of drive capacity | keyword, text.text |
-| **user_namespace** | **docker_containers.user_namespace** - User namespace | keyword, text.text |
-| | **process_namespaces.user_namespace** - user namespace inode | |
-| **user_time** | **osquery_schedule.user_time** - Total user time in milliseconds spent executing | keyword, number.long |
-| | **processes.user_time** - CPU time in milliseconds spent in user space | |
-| **user_uuid** | **disk_encryption.user_uuid** - UUID of authenticated user if available | keyword, text.text |
-| **username** | **certificates.username** - Username | keyword, text.text |
-| | **es_process_events.username** - Username | |
-| | **last.username** - Entry username | |
-| | **launchd.username** - Run this daemon or agent as this username | |
-| | **managed_policies.username** - Policy applies only this user | |
-| | **preferences.username** - (optional) read preferences for a specific user | |
-| | **rpm_package_files.username** - File default username from info DB | |
-| | **shadow.username** - Username | |
-| | **startup_items.username** - The user associated with the startup item | |
-| | **suid_bin.username** - Binary owner username | |
-| | **users.username** - Username | |
-| | **windows_crashes.username** - Username of the user who ran the crashed process | |
-| **uses_pattern** | **xprotect_entries.uses_pattern** - Uses a match pattern instead of identity | keyword, number.long |
-| **uts_namespace** | **docker_containers.uts_namespace** - UTS namespace | keyword, text.text |
-| | **process_namespaces.uts_namespace** - uts namespace inode | |
-| **uuid** | **block_devices.uuid** - Block device Universally Unique Identifier | keyword, text.text |
-| | **disk_encryption.uuid** - Disk Universally Unique Identifier | |
-| | **disk_events.uuid** - UUID of the volume inside DMG if available | |
-| | **managed_policies.uuid** - Optional UUID assigned to policy set | |
-| | **osquery_extensions.uuid** - The transient ID assigned for communication | |
-| | **osquery_info.uuid** - Unique ID provided by the system | |
-| | **system_info.uuid** - Unique ID provided by the system | |
-| | **users.uuid** - User's UUID (Apple) or SID (Windows) | |
-| **vaddr** | **elf_sections.vaddr** - Section virtual address in memory | keyword, number.long |
-| | **elf_segments.vaddr** - Segment virtual address in memory | |
-| **valid_from** | **curl_certificate.valid_from** - Period of validity start date | keyword, text.text |
-| **valid_to** | **curl_certificate.valid_to** - Period of validity end date | keyword, text.text |
-| **value** | **ad_config.value** - Variable typed option value | keyword, text.text |
-| | **augeas.value** - The value of the configuration item | |
-| | **azure_instance_tags.value** - The tag value | |
-| | **cpuid.value** - Bit value or string | |
-| | **default_environment.value** - Value of the environment variable | |
-| | **docker_container_envs.value** - Environment variable value | |
-| | **docker_container_labels.value** - Optional label value | |
-| | **docker_image_labels.value** - Optional label value | |
-| | **docker_network_labels.value** - Optional label value | |
-| | **docker_volume_labels.value** - Optional label value | |
-| | **ec2_instance_tags.value** - Tag value | |
-| | **elf_dynamic.value** - Tag value | |
-| | **extended_attributes.value** - The parsed information from the attribute | |
-| | **launchd_overrides.value** - Overridden value | |
-| | **lxd_instance_config.value** - Configuration parameter value | |
-| | **lxd_instance_devices.value** - Device info param value | |
-| | **managed_policies.value** - Policy value | |
-| | **mdls.value** - Value stored in the metadata key | |
-| | **nvram.value** - Raw variable data | |
-| | **oem_strings.value** - The value of the OEM string | |
-| | **osquery_flags.value** - Flag value | |
-| | **plist.value** - String value of most CF types | |
-| | **power_sensors.value** - Power in Watts | |
-| | **preferences.value** - String value of most CF types | |
-| | **process_envs.value** - Environment variable value | |
-| | **selinux_settings.value** - Active value. | |
-| | **smc_keys.value** - A type-encoded representation of the key value | |
-| | **wmi_bios_info.value** - Value of the Bios setting | |
-| **valuetype** | **mdls.valuetype** - CoreFoundation type of data stored in value | keyword, text.text |
-| **variable** | **default_environment.variable** - Name of the environment variable | keyword, text.text |
-| **vbs_status** | **hvci_status.vbs_status** - The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered. | keyword, text.text |
-| **vendor** | **block_devices.vendor** - Block device vendor string | keyword, text.text |
-| | **disk_events.vendor** - Disk event vendor string | |
-| | **hardware_events.vendor** - Hardware device vendor | |
-| | **pci_devices.vendor** - PCI Device vendor | |
-| | **platform_info.vendor** - Platform code vendor | |
-| | **rpm_packages.vendor** - Package vendor | |
-| | **usb_devices.vendor** - USB Device vendor string | |
-| **vendor_id** | **hardware_events.vendor_id** - Hex encoded Hardware vendor identifier | keyword, text.text |
-| | **pci_devices.vendor_id** - Hex encoded PCI Device vendor identifier | |
-| | **usb_devices.vendor_id** - Hex encoded USB Device vendor identifier | |
-| **vendor_syndrome** | **memory_error_info.vendor_syndrome** - Vendor specific ECC syndrome or CRC data associated with the erroneous access | keyword, text.text |
-| **version** | **alf.version** - Application Layer Firewall version | keyword, text.text |
-| | **apt_sources.version** - Repository source version | |
-| | **atom_packages.version** - Package supplied version | |
-| | **authorizations.version** - Label top-level key | |
-| | **azure_instance_metadata.version** - Version of the VM image | |
-| | **bitlocker_info.version** - The FVE metadata version of the drive. | |
-| | **browser_plugins.version** - Plugin short version | |
-| | **chocolatey_packages.version** - Package-supplied version | |
-| | **chrome_extension_content_scripts.version** - Extension-supplied version | |
-| | **chrome_extensions.version** - Extension-supplied version | |
-| | **crashes.version** - Version info of the crashed process | |
-| | **curl_certificate.version** - Version Number | |
-| | **deb_packages.version** - Package version | |
-| | **device_firmware.version** - Firmware version | |
-| | **docker_version.version** - Docker version | |
-| | **drivers.version** - Driver version | |
-| | **elf_info.version** - Object file version | |
-| | **es_process_events.version** - Version of EndpointSecurity event | |
-| | **firefox_addons.version** - Addon-supplied version string | |
-| | **gatekeeper.version** - Version of Gatekeeper's gke.bundle | |
-| | **homebrew_packages.version** - Current 'linked' version | |
-| | **hvci_status.version** - The version number of the Device Guard build. | |
-| | **ie_extensions.version** - Version of the executable | |
-| | **intel_me_info.version** - Intel ME version | |
-| | **kernel_extensions.version** - Extension version | |
-| | **kernel_info.version** - Kernel version | |
-| | **npm_packages.version** - Package supplied version | |
-| | **office_mru.version** - Office application version number | |
-| | **os_version.version** - Pretty, suitable for presentation, OS version | |
-| | **osquery_extensions.version** - Extension's version | |
-| | **osquery_info.version** - osquery toolkit version | |
-| | **osquery_packs.version** - Minimum osquery version that this query will run on | |
-| | **package_install_history.version** - Package display version | |
-| | **package_receipts.version** - Installed package version | |
-| | **pkg_packages.version** - Package version | |
-| | **platform_info.version** - Platform code version | |
-| | **portage_keywords.version** - The version which are affected by the use flags, empty means all | |
-| | **portage_packages.version** - The version which are affected by the use flags, empty means all | |
-| | **portage_use.version** - The version of the installed package | |
-| | **programs.version** - Product version information. | |
-| | **python_packages.version** - Package-supplied version | |
-| | **rpm_packages.version** - Package version | |
-| | **safari_extensions.version** - Extension long version | |
-| | **system_extensions.version** - System extension version | |
-| | **usb_devices.version** - USB Device version number | |
-| | **windows_crashes.version** - File version info of the crashed process | |
-| **video_mode** | **video_info.video_mode** - The current resolution of the display. | keyword, text.text |
-| **virtual_process** | **processes.virtual_process** - Process is virtual (e.g. System, Registry, vmmem) yes=1, no=0 | keyword, number.long |
-| **visible** | **firefox_addons.visible** - 1 If the addon is shown in browser else 0 | keyword, number.long |
-| **visible_alarm** | **chassis_info.visible_alarm** - If TRUE, the frame is equipped with a visual alarm. | keyword, text.text |
-| **vlans** | **lldp_neighbors.vlans** - Comma delimited list of vlan ids | keyword, text.text |
-| **vm_id** | **azure_instance_metadata.vm_id** - Unique identifier for the VM | keyword, text.text |
-| | **azure_instance_tags.vm_id** - Unique identifier for the VM | |
-| **vm_scale_set_name** | **azure_instance_metadata.vm_scale_set_name** - VM scale set name | keyword, text.text |
-| **vm_size** | **azure_instance_metadata.vm_size** - VM size | keyword, text.text |
-| **voltage** | **battery.voltage** - The battery's current voltage in mV | keyword, number.long |
-| **volume_creation** | **prefetch.volume_creation** - Volume creation time. | keyword, text.text |
-| **volume_id** | **quicklook_cache.volume_id** - Parsed volume ID from fs_id | keyword, number.long |
-| **volume_serial** | **file.volume_serial** - Volume serial number | keyword, text.text |
-| | **prefetch.volume_serial** - Volume serial number. | |
-| | **shortcut_files.volume_serial** - Volume serial number. | |
-| **volume_size** | **platform_info.volume_size** - (Optional) size of firmware volume | keyword, number.long |
-| **wall_time** | **osquery_schedule.wall_time** - Total wall time in seconds spent executing (deprecated), hidden=True | keyword, number.long |
-| **wall_time_ms** | **osquery_schedule.wall_time_ms** - Total wall time in milliseconds spent executing | keyword, number.long |
-| **warning** | **shadow.warning** - Number of days before password expires to warn user about it | keyword, number.long |
-| **warnings** | **smart_drive_info.warnings** - Warning messages from SMART controller | keyword, text.text |
-| **watch_paths** | **launchd.watch_paths** - Key that launches daemon or agent if path is modified | keyword, text.text |
-| **watcher** | **osquery_info.watcher** - Process (or thread/handle) ID of optional watcher process | keyword, number.long |
-| **weekday** | **time.weekday** - Current weekday in UTC | keyword, text.text |
-| **win32_exit_code** | **services.win32_exit_code** - The error code that the service uses to report an error that occurs when it is starting or stopping | keyword, number.long |
-| **win_timestamp** | **time.win_timestamp** - Timestamp value in 100 nanosecond units | keyword, number.long |
-| **windows_security_center_service** | **windows_security_center.windows_security_center_service** - The health of the Windows Security Center Service | keyword, text.text |
-| **wired** | **virtual_memory_info.wired** - Total number of wired down pages. | keyword, number.long |
-| **wired_size** | **docker_container_processes.wired_size** - Bytes of unpageable memory used by process | keyword, number.long |
-| | **processes.wired_size** - Bytes of unpageable memory used by process | |
-| **working_directory** | **launchd.working_directory** - Key used to specify a directory to chdir to before launch | keyword, text.text |
-| **working_disks** | **md_devices.working_disks** - Number of working disks in array | keyword, number.long |
-| **working_path** | **shortcut_files.working_path** - Target file directory. | keyword, text.text |
-| **world** | **portage_packages.world** - If package is in the world file | keyword, number.long |
-| **writable** | **disk_events.writable** - 1 if writable, 0 if not | keyword, number.long |
-| **xpath** | **windows_eventlog.xpath** - The custom query to filter events | keyword, text.text |
-| **year** | **time.year** - Current year in UTC | keyword, number.long |
-| **zero_fill** | **virtual_memory_info.zero_fill** - Total number of zero filled pages. | keyword, number.long |
-| **zone** | **azure_instance_metadata.zone** - Availability zone of the VM | keyword, text.text |
-| | **ycloud_instance_metadata.zone** - Availability zone of the VM | |
+For a full list of fields that can be returned in osquery results, see the [Exported Fields reference](https://www.elastic.co/guide/en/kibana/current/exported-fields-osquery.html) in the Kibana documentation.
diff --git a/packages/osquery_manager/manifest.yml b/packages/osquery_manager/manifest.yml
index 5f81adf456a..c8c99eddd68 100755
--- a/packages/osquery_manager/manifest.yml
+++ b/packages/osquery_manager/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: osquery_manager
title: Osquery Manager
-version: 1.2.0
+version: 1.2.1
license: basic
description: Deploy osquery with Elastic Agent, then run and schedule queries in Kibana
type: integration
diff --git a/packages/sophos/_dev/build/docs/README.md b/packages/sophos/_dev/build/docs/README.md
index 5876eb0ce6c..773304a919e 100644
--- a/packages/sophos/_dev/build/docs/README.md
+++ b/packages/sophos/_dev/build/docs/README.md
@@ -9,7 +9,7 @@ Currently it accepts logs in syslog format or from a file for the following devi
To configure a remote syslog destination, please reference the [SophosXG/SFOS Documentation](https://community.sophos.com/kb/en-us/123184).
-The syslog format choosen should be `Default`.
+The syslog format chosen should be `Default`.
## Compatibility
@@ -26,7 +26,9 @@ The `utm` dataset collects Astaro Security Gateway logs.
### XG log
-This is the Sophos `xg` dataset.
+This is the Sophos `xg` dataset. Reference information about the log formats
+can be found in the [Sophos syslog guide](
+https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf).
{{event "xg"}}
diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml
index 44a15d4c8f3..daa3b2d92ac 100644
--- a/packages/sophos/changelog.yml
+++ b/packages/sophos/changelog.yml
@@ -1,4 +1,33 @@
# newer versions go on top
+- version: "2.0.0"
+ changes:
+ - description: Remove space from sophos.xg.trans_src_ip field.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Do not modify event.original.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Populate `url.*` fields based on `sophos.xg.url`.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Rename `sophos.xg.reason` to `event.reason` (ECS).
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Lowercase `network.transport` as per ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Format `source.mac` and `destination.mac` as per ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Set the `event.code` from the message ID (and remove `sophos.xg.message_id`).
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Add `network.community_id`.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Reduce event size by removing `client` and `server` fields that are clones of `source` and `destination`, respectively.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/3127
- version: "1.2.3"
changes:
- description: Update pipelines to parse new fields
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-spam.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-spam.log
new file mode 100644
index 00000000000..d2144a89ba2
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-spam.log
@@ -0,0 +1,19 @@
+device="SFW" date=2017-01-31 time=18:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav235" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="c000000b-1485867502" mailsize=400 spamaction="DROP" reason="" src_domainname="iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22258 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"
+device="SFW" date=2018-06-06 time=10:41:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041108413002 log_type="Anti-Spam" log_component="SMTP" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" email_subject="[SPAM] RPD Spam test: Bulk" mailid="c0000006-1528261885" mailsize=438 spamaction="WARN" reason="Mail detected as PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=56341 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"
+device="SFW" date=2017-01-31 time=18:36:22 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=0 user_name="gaurav" av_policy_name="None" from_email_address="gaurav2@iview.com" to_email_address="gaurav1@iview.com" email_subject="EMAIL" mailid="<5ab27db7-7bac-82e2-ba40-83ce90577c7f@iview.com>" mailsize=398 spamaction="Accept" reason="" src_domainname="iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22477 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-06 time=11:08:08 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041108413004 log_type="Anti-Spam" log_component="SMTP" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" email_subject="Test RBL email" mailid="c0000008-1528263488" mailsize=433 spamaction="DROP" reason="Sender IP address is blacklisted." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=57854 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL"
+device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname="iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"
+device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"
+device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP"
+device="SFW" date=2018-06-06 time=12:51:34 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041122613010 log_type="Anti-Spam" log_component="SMTP" log_subtype="SPX" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="[secure:pankhil]" mailid="c0000003-1528269693" mailsize=442 spamaction="Accept" reason="SPX Template of type Specified by Sender successfully applied on Email." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-06 time=12:52:49 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041122613011 log_type="Anti-Spam" log_component="SMTP" log_subtype="SPX" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="Test failed" mailid="c0000004-1528269769" mailsize=431 spamaction="REJECT" reason="Email could not be SPX- encrypted because password was not found in the Email subject." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=60305 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2017-01-31 time=15:46:45 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041101613013 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav235" from_email_address="gaurav2@iview.com" to_email_address="gaurav1@iview.com" email_subject="GP235" mailid="c000000a-1485857789" mailsize=391 spamaction="SANDSTORM ALLOW" reason="Mail is marked Clean by Sophos Sandstorm." src_domainname="iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=11255 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman.local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0
+device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname="iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-06 time=12:59:01 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=046108414002 log_type="Anti-Spam" log_component="POPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="pop8" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" email_subject="RPD Spam test: Bulk" mailid="<13c3aad0-82c0-11d8-c9e1-3c0ea4f8708b@postman.local>" mailsize=0 spamaction="Change Subject" reason="Mail detected as PROBABLE SPAM" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol="TCP" src_port=60742 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-06 time=13:00:34 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=046105614003 log_type="Anti-Spam" log_component="POPS" log_subtype="Clean" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" email_subject="Test clean" mailid="" mailsize=0 spamaction="Accept" reason="Mail is Clean" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol="TCP" src_port=60757 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-06 time=13:01:42 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=046207415001 log_type="Anti-Spam" log_component="IMAPS" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" email_subject="RPD Spam test: Spam" mailid="<6da55e70-8d61-63fb-df41-35fdf36e94d8@postman.local>" mailsize=0 spamaction="Accept" reason="Mail detected as SPAM" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol="TCP" src_port=58595 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-06 time=13:02:54 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=046208415002 log_type="Anti-Spam" log_component="IMAPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" email_subject="RPD Spam test: Bulk" mailid="<0a09a814-f3b6-35cc-c94e-1807dab742fc@postman.local>" mailsize=0 spamaction="Accept" reason="Mail detected as PROBABLE SPAM" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol="TCP" src_port=58595 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-06 time=13:03:58 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=046205615003 log_type="Anti-Spam" log_component="IMAPS" log_subtype="Clean" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" email_subject="Clean email" mailid="<3b542388-7bca-5b43-79e6-e21fcd709d8f@postman.local>" mailsize=0 spamaction="Accept" reason="Mail is Clean" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol="TCP" src_port=58595 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+device="SFW" date=2018-06-05 time=19:11:26 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@Postman.local" email_subject="dd" mailid="c0000005-1528206082" mailsize=421 spamaction="DELIVERED" reason="Email has been delivered to recipient(s)." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=61636 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-spam.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-spam.log-expected.json
new file mode 100644
index 00000000000..adc869dd5ea
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-spam.log-expected.json
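Review bot: The fixture is committed without a trailing newline (`\ No newline at end of file` after the last `+device=` line), a style nit worth fixing now so that line-oriented tooling treats the final record consistently and the next sample appended here does not churn that line. Several entries deliberately exercise parser edge cases that a later cleanup could mistake for typos: the POPS and IMAPS lines carry empty unquoted values (`src_country_code=` and `dst_country_code=`), the `Denied` line omits `quarantine_reason`, and `email_subject="[secure:pankhil]"` contains brackets; recording that intent in the PR description (the log format has no comment syntax) would protect them. The sample addresses are private-range IPs and mostly `.local` domains, which is the right choice for a committed fixture; `iview.com` is a public-looking domain, presumably carried over from vendor documentation samples.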
@@ -0,0 +1,1715 @@ +{ + "expected": [ + { + "@timestamp": "2017-01-31T18:28:25.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.233.61", + "port": 25, + "user": { + "email": "gaurav2@iview.com" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Spam", + "category": [ + "malware", + "network" + ], + "code": "13001", + "kind": "alert", + "original": "device=\"SFW\" date=2017-01-31 time=18:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041107413001 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav235\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"c000000b-1485867502\" mailsize=400 spamaction=\"DROP\" reason=\"\" src_domainname=\"iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22258 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "outcome": "success", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:58l6YYAlS4MiONjMobtnTJYmpWQ=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C44313350024-P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "iview.com" + ], + "ip": [ + "10.198.47.71", + "10.198.233.61" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "Gaurav235", + "device": "SFW", + "device_name": "CR750iNG-XP", + "dst_country_code": "R1", + "email_subject": "RPD Spam Test: Spam", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041107413001", + "log_subtype": "Spam", + "log_type": "Anti-Spam", + "mailid": 
"c000000b-1485867502", + "mailsize": "400", + "priority": "Warning", + "quarantine_reason": "Spam", + "spamaction": "DROP", + "src_country_code": "R1", + "user_name": "gaurav" + } + }, + "source": { + "bytes": 0, + "domain": "iview.com", + "ip": "10.198.47.71", + "port": 22258, + "user": { + "email": "gaurav1@iview.com" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T10:41:29.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.16.204", + "port": 25, + "user": { + "email": "pankhil@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Probable Spam", + "category": [ + "malware", + "network" + ], + "code": "13002", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=10:41:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041108413002 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" email_subject=\"[SPAM] RPD Spam test: Bulk\" mailid=\"c0000006-1528261885\" mailsize=438 spamaction=\"WARN\" reason=\"Mail detected as PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=56341 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "outcome": "success", + "reason": "Mail detected as PROBABLE SPAM.", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:abMOcgeJH+xBFHn6l4jTehUSlBI=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + 
"hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.16.204" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "postman", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "email_subject": "[SPAM] RPD Spam test: Bulk", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041108413002", + "log_subtype": "Probable Spam", + "log_type": "Anti-Spam", + "mailid": "c0000006-1528261885", + "mailsize": "438", + "priority": "Warning", + "quarantine_reason": "Spam", + "spamaction": "WARN", + "src_country_code": "R1" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 56341, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2017-01-31T18:36:22.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.233.61", + "port": 25, + "user": { + "email": "gaurav1@iview.com" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Clean", + "category": [ + "network" + ], + "code": "13003", + "kind": "event", + "original": "device=\"SFW\" date=2017-01-31 time=18:36:22 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"None\" from_email_address=\"gaurav2@iview.com\" to_email_address=\"gaurav1@iview.com\" email_subject=\"EMAIL\" mailid=\"\u003c5ab27db7-7bac-82e2-ba40-83ce90577c7f@iview.com\u003e\" mailsize=398 spamaction=\"Accept\" reason=\"\" src_domainname=\"iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22477 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": 
"defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:TxMs7HDGo6klbRU54soSJPEvELk=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C44313350024-P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "iview.com" + ], + "ip": [ + "10.198.47.71", + "10.198.233.61" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "CR750iNG-XP", + "dst_country_code": "R1", + "email_subject": "EMAIL", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041105613003", + "log_subtype": "Clean", + "log_type": "Anti-Spam", + "mailid": "\u003c5ab27db7-7bac-82e2-ba40-83ce90577c7f@iview.com\u003e", + "mailsize": "398", + "priority": "Information", + "quarantine_reason": "Other", + "spamaction": "Accept", + "src_country_code": "R1", + "user_name": "gaurav" + } + }, + "source": { + "bytes": 0, + "domain": "iview.com", + "ip": "10.198.47.71", + "port": 22477, + "user": { + "email": "gaurav2@iview.com" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T11:08:08.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.17.121", + "port": 25, + "user": { + "email": "pankhil@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Probable Spam", + "category": [ + "malware", + "network" + ], + "code": "13004", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=11:08:08 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041108413004 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" email_subject=\"Test RBL email\" mailid=\"c0000008-1528263488\" mailsize=433 
spamaction=\"DROP\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=57854 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", + "outcome": "success", + "reason": "Sender IP address is blacklisted.", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:NvdaEFP3A+xwUrbF32GvYv4ezIE=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.17.121" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "postman", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "email_subject": "Test RBL email", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041108413004", + "log_subtype": "Probable Spam", + "log_type": "Anti-Spam", + "mailid": "c0000008-1528263488", + "mailsize": "433", + "priority": "Warning", + "quarantine_reason": "RBL", + "spamaction": "DROP", + "src_country_code": "R1" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 57854, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2017-01-31T18:34:41.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.233.61", + "port": 25, + "user": { + "email": "gaurav2@iview.com" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Outbound Spam", + "category": [ + "malware", + "network" + ], + "code": "13005", + "kind": "alert", + "original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" 
device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\"iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "outcome": "success", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:cZ39MftFvT3s1y8vN0AHxj2KZII=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C44313350024-P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "iview.com" + ], + "ip": [ + "10.198.47.71", + "10.198.233.61" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "Gaurav123", + "device": "SFW", + "device_name": "CR750iNG-XP", + "dst_country_code": "R1", + "email_subject": "RPD Spam Test: Spam", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041113413005", + "log_subtype": "Outbound Spam", + "log_type": "Anti-Spam", + "mailid": "\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e", + "mailsize": "405", + "priority": "Warning", + "quarantine_reason": "Spam", + "spamaction": "Accept", + "src_country_code": "R1", + "user_name": "gaurav" + } + }, + "source": { + "bytes": 0, + "domain": "iview.com", + "ip": "10.198.47.71", + "port": 22420, + "user": { + "email": "gaurav1@iview.com" + } + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T11:10:11.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.234.240", + "port": 25, + "user": { + "email": "pankhil1@Postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Outbound Probable Spam", + "category": [ + "malware", + "network" + ], + "code": "13006", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "outcome": "success", + "reason": "Mail detected as OUTBOUND PROBABLE SPAM.", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:4pL1g2Wx0xpVOFsPZ927l+yIPiU=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.234.240" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "rule 8", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "email_subject": "RPD Spam 
test: Bulk", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041114413006", + "log_subtype": "Outbound Probable Spam", + "log_type": "Anti-Spam", + "mailid": "\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e", + "mailsize": "439", + "priority": "Warning", + "quarantine_reason": "Spam", + "spamaction": "Drop", + "src_country_code": "R1" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 58043, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T12:50:07.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.17.121", + "port": 25, + "user": { + "email": "pankhil1@Postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DLP", + "category": [ + "malware", + "network" + ], + "code": "13009", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", + "outcome": "success", + "reason": "Email containing confidential data detected. 
Relevant Data Protection Policy applied.", + "severity": 6, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:a0QO0XDedN9BRtTg60uWTq/zaCQ=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.17.121" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "postman", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "email_subject": "Fwd: TESt", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041121613009", + "log_subtype": "DLP", + "log_type": "Anti-Spam", + "mailid": "c0000002-1528269606", + "mailsize": "5041", + "priority": "Information", + "quarantine_reason": "DLP", + "spamaction": "DROP", + "src_country_code": "R1" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 60134, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T12:51:34.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.16.204", + "port": 25, + "user": { + "email": "pankhil1@Postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "SPX", + "category": [ + "network" + ], + "code": "13010", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" 
mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "SPX Template of type Specified by Sender successfully applied on Email.", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:Gh3yGHw3PI8ixdFOiZO3wKa8qrI=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.16.204" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "email_subject": "[secure:pankhil]", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041122613010", + "log_subtype": "SPX", + "log_type": "Anti-Spam", + "mailid": "c0000003-1528269693", + "mailsize": "442", + "priority": "Information", + "quarantine_reason": "Other", + "spamaction": "Accept", + "src_country_code": "R1" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 60298, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T12:52:49.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.16.204", + "port": 25, + "user": { + "email": "pankhil1@Postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "SPX", + "category": [ + "network" + ], + "code": 
"13011", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-06 time=12:52:49 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613011 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"Test failed\" mailid=\"c0000004-1528269769\" mailsize=431 spamaction=\"REJECT\" reason=\"Email could not be SPX- encrypted because password was not found in the Email subject.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60305 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "Email could not be SPX- encrypted because password was not found in the Email subject.", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:o9GcBl2rXdCj4Z5eJViWo5SqDbE=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.16.204" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "email_subject": "Test failed", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041122613011", + "log_subtype": "SPX", + "log_type": "Anti-Spam", + "mailid": "c0000004-1528269769", + "mailsize": "431", + "priority": "Information", + "quarantine_reason": "Other", + "spamaction": "REJECT", + "src_country_code": "R1" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": 
"10.198.16.121", + "port": 60305, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T12:53:39.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.17.121", + "port": 25 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Dos", + "category": [ + "intrusion_detection", + "network" + ], + "code": "13012", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "SMTP DoS", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:kePcBIa66amVdXctNnMv73KAlD8=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.16.121", + "10.198.17.121" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041123413012", + "log_subtype": "Dos", + "log_type": "Anti-Spam", + "mailsize": "0", + "priority": "Warning", + "quarantine_reason": "Other", + "spamaction": "TMPREJECT", 
+ "src_country_code": "R1" + } + }, + "source": { + "bytes": 0, + "ip": "10.198.16.121", + "port": 60392 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2017-01-31T15:46:45.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.233.61", + "port": 25, + "user": { + "email": "gaurav1@iview.com" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Allowed", + "category": [ + "network" + ], + "code": "13013", + "kind": "event", + "original": "device=\"SFW\" date=2017-01-31 time=15:46:45 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041101613013 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav235\" from_email_address=\"gaurav2@iview.com\" to_email_address=\"gaurav1@iview.com\" email_subject=\"GP235\" mailid=\"c000000a-1485857789\" mailsize=391 spamaction=\"SANDSTORM ALLOW\" reason=\"Mail is marked Clean by Sophos Sandstorm.\" src_domainname=\"iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=11255 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "Mail is marked Clean by Sophos Sandstorm.", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:is/QwrkxpayBwGh5R1/esrSbZ3A=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C44313350024-P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "iview.com" + ], + "ip": [ + "10.198.47.71", + "10.198.233.61" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "Gaurav235", + "device": "SFW", + "device_name": "CR750iNG-XP", + 
"dst_country_code": "R1", + "email_subject": "GP235", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041101613013", + "log_subtype": "Allowed", + "log_type": "Anti-Spam", + "mailid": "c000000a-1485857789", + "mailsize": "391", + "priority": "Information", + "quarantine_reason": "Other", + "spamaction": "SANDSTORM ALLOW", + "src_country_code": "R1", + "user_name": "gaurav" + } + }, + "source": { + "bytes": 0, + "domain": "iview.com", + "ip": "10.198.47.71", + "port": 11255, + "user": { + "email": "gaurav2@iview.com" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T12:56:53.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.17.121", + "port": 25, + "user": { + "email": "pankhil@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Denied", + "category": [ + "malware", + "network" + ], + "code": "13014", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman.local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", + "outcome": "success", + "reason": "Email is marked Malicious by Sophos Sandstorm.", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": 
"1:s4oqzO6RVrUrT4HCROvCsRxyngM=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.17.121" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "postman", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "email_subject": "Fwd: test sand", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041102413014", + "log_subtype": "Denied", + "log_type": "Anti-Spam", + "mailid": "c0000008-1528270010", + "mailsize": "419835", + "priority": "Warning", + "spamaction": "DROP", + "src_country_code": "R1" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 60608, + "user": { + "email": "pankhil1@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2017-01-31T18:31:11.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.233.61", + "port": 110, + "user": { + "email": "gaurav2@iview. com" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Spam", + "category": [ + "malware", + "network" + ], + "code": "14001", + "kind": "alert", + "original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. 
com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\"iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:E/1TIGuzeeJuVhq04jui66hWf/Q=", + "protocol": "pop3", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C44313350024-P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "iview.com" + ], + "ip": [ + "10.198.47.71", + "10.198.233.61" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "GauravPatel", + "device": "SFW", + "device_name": "CR750iNG-XP", + "dst_country_code": "R1", + "dst_domainname": "iview.com", + "email_subject": "RPD Spam Test: Spam", + "fw_rule_id": "0", + "log_component": "POP3", + "log_id": "041207414001", + "log_subtype": "Spam", + "log_type": "Anti-Spam", + "mailid": "\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e", + "mailsize": "574", + "priority": "Warning", + "quarantine_reason": "Other", + "spamaction": "Accept", + "src_country_code": "R1", + "user_name": "gaurav" + } + }, + "source": { + "bytes": 0, + "domain": "iview.com", + "ip": "10.198.47.71", + "port": 22333, + "user": { + "email": "gaurav1@iview.com" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T12:59:01.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.234.240", + "port": 995, + "user": { + "email": "pankhil@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Probable Spam", + 
"category": [ + "malware", + "network" + ], + "code": "14002", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=12:59:01 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=046108414002 log_type=\"Anti-Spam\" log_component=\"POPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"pop8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003c13c3aad0-82c0-11d8-c9e1-3c0ea4f8708b@postman.local\u003e\" mailsize=0 spamaction=\"Change Subject\" reason=\"Mail detected as PROBABLE SPAM\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol=\"TCP\" src_port=60742 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "Mail detected as PROBABLE SPAM", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:oUKghgmwrhA1Xw2ZUaHjKH6Pay0=", + "protocol": "pop3s", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.234.240" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "pop8", + "device": "SFW", + "device_name": "SG430", + "email_subject": "RPD Spam test: Bulk", + "fw_rule_id": "0", + "log_component": "POPS", + "log_id": "046108414002", + "log_subtype": "Probable Spam", + "log_type": "Anti-Spam", + "mailid": "\u003c13c3aad0-82c0-11d8-c9e1-3c0ea4f8708b@postman.local\u003e", + "mailsize": "0", + "priority": "Warning", + "quarantine_reason": "Other", + "spamaction": "Change Subject" + } + }, + "source": { + 
"bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 60742, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T13:00:34.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.234.240", + "port": 995, + "user": { + "email": "pankhil@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Clean", + "category": [ + "network" + ], + "code": "14003", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-06 time=13:00:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=046105614003 log_type=\"Anti-Spam\" log_component=\"POPS\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" email_subject=\"Test clean\" mailid=\"\u003cb4ac9385-437d-7cd1-1089-ef09fb3066fa@postman.local\u003e\" mailsize=0 spamaction=\"Accept\" reason=\"Mail is Clean\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol=\"TCP\" src_port=60757 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "Mail is Clean", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:DuidWxTTdSsPRBFLr5t708mTGNU=", + "protocol": "pop3s", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.234.240" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "email_subject": 
"Test clean", + "fw_rule_id": "0", + "log_component": "POPS", + "log_id": "046105614003", + "log_subtype": "Clean", + "log_type": "Anti-Spam", + "mailid": "\u003cb4ac9385-437d-7cd1-1089-ef09fb3066fa@postman.local\u003e", + "mailsize": "0", + "priority": "Information", + "quarantine_reason": "Other", + "spamaction": "Accept" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 60757, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T13:01:42.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.234.240", + "port": 993, + "user": { + "email": "ganga@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Spam", + "category": [ + "malware", + "network" + ], + "code": "15001", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=13:01:42 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=046207415001 log_type=\"Anti-Spam\" log_component=\"IMAPS\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" email_subject=\"RPD Spam test: Spam\" mailid=\"\u003c6da55e70-8d61-63fb-df41-35fdf36e94d8@postman.local\u003e\" mailsize=0 spamaction=\"Accept\" reason=\"Mail detected as SPAM\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol=\"TCP\" src_port=58595 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "Mail detected as SPAM", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:n/9oJCh3spT9n+qgYjYhXd5cipE=", + "protocol": "imaps", + "transport": 
"tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.234.240" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "email_subject": "RPD Spam test: Spam", + "fw_rule_id": "0", + "log_component": "IMAPS", + "log_id": "046207415001", + "log_subtype": "Spam", + "log_type": "Anti-Spam", + "mailid": "\u003c6da55e70-8d61-63fb-df41-35fdf36e94d8@postman.local\u003e", + "mailsize": "0", + "priority": "Warning", + "quarantine_reason": "Other", + "spamaction": "Accept" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 58595, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T13:02:54.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.234.240", + "port": 993, + "user": { + "email": "ganga@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Probable Spam", + "category": [ + "malware", + "network" + ], + "code": "15002", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=13:02:54 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=046208415002 log_type=\"Anti-Spam\" log_component=\"IMAPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003c0a09a814-f3b6-35cc-c94e-1807dab742fc@postman.local\u003e\" mailsize=0 spamaction=\"Accept\" reason=\"Mail detected as PROBABLE SPAM\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol=\"TCP\" 
src_port=58595 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "Mail detected as PROBABLE SPAM", + "severity": 4, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:n/9oJCh3spT9n+qgYjYhXd5cipE=", + "protocol": "imaps", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.234.240" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "email_subject": "RPD Spam test: Bulk", + "fw_rule_id": "0", + "log_component": "IMAPS", + "log_id": "046208415002", + "log_subtype": "Probable Spam", + "log_type": "Anti-Spam", + "mailid": "\u003c0a09a814-f3b6-35cc-c94e-1807dab742fc@postman.local\u003e", + "mailsize": "0", + "priority": "Warning", + "quarantine_reason": "Other", + "spamaction": "Accept" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 58595, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T13:03:58.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.234.240", + "port": 993, + "user": { + "email": "ganga@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Clean", + "category": [ + "network" + ], + "code": "15003", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-06 time=13:03:58 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=046205615003 log_type=\"Anti-Spam\" log_component=\"IMAPS\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" 
from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" email_subject=\"Clean email\" mailid=\"\u003c3b542388-7bca-5b43-79e6-e21fcd709d8f@postman.local\u003e\" mailsize=0 spamaction=\"Accept\" reason=\"Mail is Clean\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code= dst_ip=10.198.234.240 dst_country_code= protocol=\"TCP\" src_port=58595 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "Mail is Clean", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:n/9oJCh3spT9n+qgYjYhXd5cipE=", + "protocol": "imaps", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.234.240" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "email_subject": "Clean email", + "fw_rule_id": "0", + "log_component": "IMAPS", + "log_id": "046205615003", + "log_subtype": "Clean", + "log_type": "Anti-Spam", + "mailid": "\u003c3b542388-7bca-5b43-79e6-e21fcd709d8f@postman.local\u003e", + "mailsize": "0", + "priority": "Information", + "quarantine_reason": "Other", + "spamaction": "Accept" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 58595, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-05T19:11:26.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.16.204", + "port": 25, + "user": { + "email": "pankhil@Postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Allowed", + "category": [ + 
"network" + ], + "code": "18035", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-05 time=19:11:26 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@Postman.local\" email_subject=\"dd\" mailid=\"c0000005-1528206082\" mailsize=421 spamaction=\"DELIVERED\" reason=\"Email has been delivered to recipient(s).\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=61636 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "reason": "Email has been delivered to recipient(s).", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:w7128i0i0NX5CvQ/yBHqcVXh0Io=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.16.204" + ] + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "email_subject": "dd", + "fw_rule_id": "0", + "log_component": "SMTP", + "log_id": "041101618035", + "log_subtype": "Allowed", + "log_type": "Anti-Spam", + "mailid": "c0000005-1528206082", + "mailsize": "421", + "priority": "Information", + "quarantine_reason": "Other", + "spamaction": "DELIVERED", + "src_country_code": "R1" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 61636, + 
"user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-ftp.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-ftp.log new file mode 100644 index 00000000000..717168ed9bb --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-ftp.log @@ -0,0 +1,2 @@ +device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename="/home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0 +device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user/ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="example.com" sent_bytes=0 recv_bytes=19926248 \ No newline at end of file 
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-ftp.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-ftp.log-expected.json new file mode 100644 index 00000000000..d5ad1c8cdd1 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-ftp.log-expected.json 
@@ -0,0 +1,177 @@ +{ + "expected": [ + { + "@timestamp": "2018-06-21T19:50:23.000Z", + "destination": { + "bytes": 0, + "ip": "10.8.142.181", + "port": 21 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Virus", + "category": [ + "malware", + "network" + ], + "code": "09001", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\"/home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", + "outcome": "success", + "severity": 2, + "type": [ + "info", + "denied", + "connection" + ] + }, + "file": { + "directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "name": "/home/ftp-user/ta_test_file_1ta-cl1-46", + "size": 0 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "critical" + }, + "network": { + "bytes": 0, + "community_id": "1:pEAtCi2v+cfDLsHaWvO82/Ahn0k=", + "protocol": "ftp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-2df0960", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.146.13.49", + "10.8.142.181" + ] + }, + "rule": { + "id": "0" + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SF01V", + "dst_country_code": "R1", + "ftp_direction": "Upload", + "ftp_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "ftpcommand": "STOR", + "log_component": "FTP", + "log_id": "031006209001", + "log_subtype": 
"Virus", + "log_type": "Anti-Virus", + "priority": "Critical", + "src_country_code": "R1", + "virus": "EICAR-AV-Test" + } + }, + "source": { + "bytes": 0, + "ip": "10.146.13.49", + "port": 39910 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-21T19:50:48.000Z", + "destination": { + "bytes": 19926248, + "domain": "example.com", + "ip": "10.8.142.181", + "port": 21 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Allowed", + "category": [ + "network" + ], + "code": "09002", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"example.com\" sent_bytes=0 recv_bytes=19926248", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "file": { + "directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "name": "/home/ftp-user/ta_test_file_1ta-cl1-46", + "size": 19926248 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 19926248, + "community_id": "1:hUeUw/6dIhcWCOgAeWChZiMq1qA=", + "protocol": "ftp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-2df0960", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "example.com" + ], + "ip": [ + "10.146.13.49", + "10.8.142.181" + ] + }, + "rule": { + "id": "0" + }, + 
"sophos": { + "xg": { + "device": "SFW", + "device_name": "SF01V", + "ftp_direction": "Download", + "ftp_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "ftpcommand": "RETR", + "log_component": "FTP", + "log_id": "031001609002", + "log_subtype": "Allowed", + "log_type": "Anti-Virus", + "priority": "Information" + } + }, + "source": { + "bytes": 0, + "ip": "10.146.13.49", + "port": 39936 + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-smtp.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-smtp.log new file mode 100644 index 00000000000..f7866baab44 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-smtp.log 
@@ -0,0 +1,3 @@ +device="SFW" date=2018-06-06 time=10:44:40 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="virus infected message" mailid="c0000007-1528262079" mailsize=2064 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=56428 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=" Infected" +device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" mailsize=0 virus="EICAR-AV- Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 
dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-smtp.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-smtp.log-expected.json new file mode 100644 index 00000000000..0a852b1ad68 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-smtp.log-expected.json 
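Review bot: Line 2 of this fixture has `mailid=""`, but the expected output for the same event in the `test-sophos-18.5-anti-virus-smtp.log-expected.json` hunk that follows carries `mailid=\"\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e\"` inside `event.original` and the same value in `sophos.xg.mailid`, so the input and the expected result disagree and one of the two files is stale. Since the `preserve_original_event` tag is set and `event.original` is taken from the input line, both cannot be right at once; either restore the mailid on line 2 or regenerate the expected file from this input. Separately, line 3 has `virus="EICAR-AV- Test"` with an embedded space where the other lines use `EICAR-AV-Test`; if that is a transcription slip rather than a faithful device log, fix it in both files together, as the expected file reproduces it.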
@@ -0,0 +1,283 @@ +{ + "expected": [ + { + "@timestamp": "2018-06-06T10:44:40.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.17.121", + "port": 25, + "user": { + "email": "pankhil@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Virus", + "category": [ + "malware", + "network" + ], + "code": "10001", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=10:44:40 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"virus infected message\" mailid=\"c0000007-1528262079\" mailsize=2064 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=56428 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\" Infected\"", + "outcome": "success", + "severity": 2, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "critical" + }, + "network": { + "bytes": 0, + "community_id": "1:/s4RRYmRyH8lqMULh9n00Z6AVA8=", + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.17.121" + ] + }, + "rule": { + "id": "0" + }, + "sophos": { + "xg": { + "av_policy_name": "postman", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "log_component": "SMTP", + "log_id": "031106210001", + "log_subtype": "Virus", + "log_type": "Anti-Virus", + "mailid": "c0000007-1528262079", + 
"mailsize": "2064", + "priority": "Critical", + "quarantine_reason": " Infected", + "src_country_code": "R1", + "subject": "virus infected message", + "virus": "EICAR-AV-Test" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 56428, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T10:51:29.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.234.240", + "port": 995, + "user": { + "email": "pankhil@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Virus", + "category": [ + "malware", + "network" + ], + "code": "11001", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "severity": 2, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "critical" + }, + "network": { + "bytes": 0, + "community_id": "1:miDZMZyHzg1ArtBIc4N8695JaWk=", + "protocol": "pop3s", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + 
"postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.234.240" + ] + }, + "rule": { + "id": "0" + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "log_component": "POPS", + "log_id": "036106211001", + "log_subtype": "Virus", + "log_type": "Anti-Virus", + "mailid": "\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e", + "mailsize": "0", + "priority": "Critical", + "quarantine_reason": "Other", + "src_country_code": "R1", + "subject": "EICAR", + "virus": "EICAR-AV-Test" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 56653, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-06T10:58:29.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.234.240", + "port": 993, + "user": { + "email": "ganga@postman.local" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Virus", + "category": [ + "malware", + "network" + ], + "code": "12001", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV- Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "outcome": "success", + "severity": 2, + "type": [ + "info", + "denied", + "connection" + ] 
+ }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "critical" + }, + "network": { + "bytes": 0, + "community_id": "1:brG0+fyFYq1h9huQh5nQ8cHjL5E=", + "protocol": "imaps", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "S4000806149EE49", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.234.240" + ] + }, + "rule": { + "id": "0" + }, + "sophos": { + "xg": { + "av_policy_name": "None", + "device": "SFW", + "device_name": "SG430", + "dst_country_code": "R1", + "log_component": "IMAPS", + "log_id": "036206212001", + "log_subtype": "Virus", + "log_type": "Anti-Virus", + "mailid": "\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e", + "mailsize": "0", + "priority": "Critical", + "quarantine_reason": "Other", + "src_country_code": "R1", + "subject": "EICAR test email", + "virus": "EICAR-AV- Test" + } + }, + "source": { + "bytes": 0, + "domain": "postman.local", + "ip": "10.198.16.121", + "port": 56632, + "user": { + "email": "pankhil@postman.local" + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-web.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-web.log new file mode 100644 index 00000000000..03dcfd53926 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-web.log 
@@ -0,0 +1,2 @@
+device="SFW" date=2016-12-02 time=18:48:18 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=034806208001 log_type="Anti-Virus" log_component="HTTPS" log_subtype="Virus" priority=Critical fw_rule_id=2 user_name="rich" iap=13 virus="EICAR-AV-Test" url="https://secure.eicar.org/eicar.com" domainname="secure.eicar.org" src_ip=192.168.73.220 src_country_code=R1 dst_ip=216.160.83.61 dst_country_code=DEU protocol="TCP" src_port=51499 dst_port=443 sent_bytes=0 recv_bytes=353
+device="SFW" date=2016-12-02 time=18:57:57 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" priority=Critical fw_rule_id=0 user_name="rich" iap=13 virus="Sandstorm" url="http://floater.baldrys.ca/badb.exe" domainname="floater.baldrys.ca" src_ip=192.168.73.220 src_country_code=R1 dst_ip=192.168.73.220 dst_country_code=R1 protocol="TCP" src_port=54110 dst_port=80 sent_bytes=0 recv_bytes=1594715
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-web.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-web.log-expected.json
new file mode 100644
index 00000000000..ad8b80dd24e
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-anti-virus-web.log-expected.json
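Review bot: The second line points the fixture at what appears to be a live third-party host, `url="http://floater.baldrys.ca/badb.exe" domainname="floater.baldrys.ca"`, whereas the FTP fixture in this same change uses the reserved `example.com` for its `dstdomain`. Sample data committed to a public repository is safer and more consistent on a reserved documentation domain (RFC 2606); a constructed replacement such as `url="http://malware.example.com/badb.exe" domainname="malware.example.com"` would do, with the matching `url.*`, `related.hosts` and `event.original` values regenerated in the expected JSON. `secure.eicar.org` on line 1 is the EICAR test-file site and is fine to keep.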
@@ -0,0 +1,210 @@ +{ + "expected": [ + { + "@timestamp": "2016-12-02T18:48:18.000Z", + "destination": { + "as": { + "number": 209 + }, + "bytes": 353, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Virus", + "category": [ + "malware", + "network" + ], + "code": "08001", + "kind": "alert", + "original": "device=\"SFW\" date=2016-12-02 time=18:48:18 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=034806208001 log_type=\"Anti-Virus\" log_component=\"HTTPS\" log_subtype=\"Virus\" priority=Critical fw_rule_id=2 user_name=\"rich\" iap=13 virus=\"EICAR-AV-Test\" url=\"https://secure.eicar.org/eicar.com\" domainname=\"secure.eicar.org\" src_ip=192.168.73.220 src_country_code=R1 dst_ip=216.160.83.61 dst_country_code=DEU protocol=\"TCP\" src_port=51499 dst_port=443 sent_bytes=0 recv_bytes=353", + "outcome": "success", + "severity": 2, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "critical" + }, + "network": { + "bytes": 353, + "community_id": "1:pXQp5es2PyNVnMf24vl407J45fs=", + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "secure.eicar.org" + ], + "ip": [ + "192.168.73.220", + "216.160.83.61" + ], + "user": [ + "rich" + ] + }, + "rule": { + "id": "2" + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SFVUNL", + "dst_country_code": "DEU", + "iap": "13", + "log_component": "HTTPS", + "log_id": "034806208001", + "log_subtype": "Virus", + "log_type": "Anti-Virus", + 
"priority": "Critical", + "src_country_code": "R1", + "virus": "EICAR-AV-Test" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 51499, + "user": { + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "secure.eicar.org", + "extension": "com", + "full": "https://secure.eicar.org/eicar.com", + "original": "https://secure.eicar.org/eicar.com", + "path": "/eicar.com", + "scheme": "https" + } + }, + { + "@timestamp": "2016-12-02T18:57:57.000Z", + "destination": { + "bytes": 1594715, + "ip": "192.168.73.220", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Virus", + "category": [ + "malware", + "network" + ], + "code": "08001", + "kind": "alert", + "original": "device=\"SFW\" date=2016-12-02 time=18:57:57 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" priority=Critical fw_rule_id=0 user_name=\"rich\" iap=13 virus=\"Sandstorm\" url=\"http://floater.baldrys.ca/badb.exe\" domainname=\"floater.baldrys.ca\" src_ip=192.168.73.220 src_country_code=R1 dst_ip=192.168.73.220 dst_country_code=R1 protocol=\"TCP\" src_port=54110 dst_port=80 sent_bytes=0 recv_bytes=1594715", + "outcome": "success", + "severity": 2, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "critical" + }, + "network": { + "bytes": 1594715, + "community_id": "1:4ao/YhRCSn5/cM88NdWtPMdl8U8=", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "floater.baldrys.ca" + ], + "ip": [ + "192.168.73.220" + ], + "user": [ + "rich" + ] + }, + "rule": { + "id": "0" + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SFVUNL", + "dst_country_code": "R1", + "iap": 
"13", + "log_component": "HTTP", + "log_id": "030906208001", + "log_subtype": "Virus", + "log_type": "Anti-Virus", + "priority": "Critical", + "src_country_code": "R1", + "virus": "Sandstorm" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 54110, + "user": { + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "floater.baldrys.ca", + "extension": "exe", + "full": "http://floater.baldrys.ca/badb.exe", + "original": "http://floater.baldrys.ca/badb.exe", + "path": "/badb.exe", + "scheme": "http" + } + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-atp-firewall.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-atp-firewall.log new file mode 100644 index 00000000000..31c1ef763c4 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-atp-firewall.log @@ -0,0 +1,2 @@ +device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol=" ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=81.2.69.193 url=81.2.69.193 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" +device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="gaurav" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=67.43.156.12 url=67.43.156.12 threatname=C2 /Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" 
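Review bot: `fw_rule_id` is surfaced in this fixture as `rule.id` (`"rule": { "id": "2" }` in the first event, `"0"` in the second) with no `sophos.xg.fw_rule_id`, while the content-filtering expected output further down keeps the same source field only as `sophos.xg.fw_rule_id` and never populates `rule`. Both fixtures come from the same `xg` pipeline, so any query or rule that filters on `rule.id` will silently miss the content-filtering events. The mapping should be unified in the pipeline — `rule.id` for every log type, with the vendor copy kept only if it is wanted — and both expected files regenerated. This file is generated output, so the change belongs in the pipeline definition rather than here.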
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-atp-firewall.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-atp-firewall.log-expected.json
new file mode 100644
index 00000000000..5de7ecb51de
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-atp-firewall.log-expected.json
@@ -0,0 +1,183 @@ +{ + "expected": [ + { + "@timestamp": "2018-06-05T08:49:00.000Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193", + "port": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "alert", + "category": [ + "intrusion_detection", + "network" + ], + "code": "18009", + "id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\" ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=81.2.69.193 url=81.2.69.193 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "outcome": "success", + "severity": 5, + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "notification" + }, + "network": { + "transport": " icmp" + }, + "observer": { + "product": "XG", + "serial_number": "C30006T22TGR89B", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.32.89", + "81.2.69.193" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "XG310", + "eventtype": "Standard", + "log_component": "Firewall", + "log_id": "086320518009", + "log_subtype": "Alert", + "log_type": "ATP", + "priority": "Notice", + "threatname": "C2/Generic-A" + } + }, + "source": { + "ip": "10.198.32.89", + "port": 0 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "81.2.69.193" + } + }, + { + "@timestamp": 
"2017-01-31T18:44:31.000Z", + "destination": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.12", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "drop", + "category": [ + "intrusion_detection", + "network" + ], + "code": "18010", + "id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7", + "kind": "alert", + "original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"gaurav\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=67.43.156.12 url=67.43.156.12 threatname=C2 /Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "outcome": "success", + "severity": 4, + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "community_id": "1:nB9nte3WRkewayDVwPW2FGsg5L0=", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C44313350024-P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.47.71", + "67.43.156.12" + ], + "user": [ + "gaurav" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "CR750iNG-XP", + "eventtype": "Standard", + "log_component": "Firewall", + "log_id": "086304418010", + "log_subtype": "Drop", + "log_type": "ATP", + "priority": "Warning", + "threatname": "C2 /Generic-A" + } + }, + "source": { + "ip": "10.198.47.71", + "port": 22623, + "user": { + "name": "gaurav" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "67.43.156.12" + } + } 
+ ]
+}
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-authentication.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-authentication.log
new file mode 100644
index 00000000000..b081decbe66
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-authentication.log
@@ -0,0 +1,3 @@
+device="SFW" date=2017-01-31 time=18:13:38 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="gaurav" usergroupname="Open Group" auth_client="Web Client" auth_mechanism="Local" reason="" src_ip=10.198.47.71 message="User gaurav of group Open Group logged in successfully to Firewall through Local authentication mechanism from 10.198.47.71" name="gaurav" src_mac=
+device="SFW" date=2017-03-15 time=14:33:37 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=063010617707 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="gaurav" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=10.198.233.49 message="User gaurav logged in successfully to L2TP through Local authentication mechanism" name="" src_mac=
+device="SFW" date=2017-03-15 time=17:23:00 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="gaurav" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=10.198.233.49 message="User gaurav authenticated successfully to login to SSLVPN through Local authentication mechanism" name="" src_mac=
\ No newline at end of file
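Review bot: The first event pins `network.transport` as `" icmp"`, carrying the leading space straight through from `protocol=" ICMP"` in the sample, and that same event is the only one without a `network.community_id` — plausibly because the community-id processor does not recognise the padded transport (the absence of ICMP type/code may also contribute; worth confirming). A value with a leading space will never match `network.transport: icmp` in a detection rule or dashboard, so the pipeline should trim `protocol` before lower-casing it and this file should then be regenerated rather than locking the artefact in. Separately, the `log_subtype="Alert"` event and the `log_subtype="Drop"` event both receive `event.type: ["denied", "connection"]`; if Sophos's ATP "Alert" subtype means log-only rather than block — to be checked against the vendor documentation — the first event should be typed `["info", "connection"]` instead of `denied`.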
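Review bot: All three samples carry `status="Successful"`, so this fixture never exercises the failure path and the expected file cannot pin `event.outcome: failure`, which is the case login-monitoring rules depend on most. Add at least one line with `status="Failed"` and a populated `reason=""` captured from a real device — the log_id and message text of a failed login are not visible here, so the line should not be hand-invented — and regenerate the expected output. A logout sample would likewise pin the `event.type: end` mapping, which is also untested.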
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-authentication.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-authentication.log-expected.json
new file mode 100644
index 00000000000..3c18e225bb6
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-authentication.log-expected.json
@@ -0,0 +1,215 @@ +{ + "expected": [ + { + "@timestamp": "2017-01-31T18:13:38.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "authentication" + ], + "code": "17701", + "kind": "event", + "original": "device=\"SFW\" date=2017-01-31 time=18:13:38 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"gaurav\" usergroupname=\"Open Group\" auth_client=\"Web Client\" auth_mechanism=\"Local\" reason=\"\" src_ip=10.198.47.71 message=\"User gaurav of group Open Group logged in successfully to Firewall through Local authentication mechanism from 10.198.47.71\" name=\"gaurav\" src_mac=", + "outcome": "success", + "severity": 6, + "type": [ + "user", + "start" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "message": "User gaurav of group Open Group logged in successfully to Firewall through Local authentication mechanism from 10.198.47.71", + "observer": { + "product": "XG", + "serial_number": "C44313350024-P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.47.71" + ], + "user": [ + "gaurav" + ] + }, + "sophos": { + "xg": { + "auth_client": "Web Client", + "auth_mechanism": "Local", + "device": "SFW", + "device_name": "CR750iNG-XP", + "log_component": "Firewall Authentication", + "log_id": "062910617701", + "log_subtype": "Authentication", + "log_type": "Event", + "priority": "Information", + "status": "Successful" + } + }, + "source": { + "ip": "10.198.47.71", + "user": { + "group": { + "name": "Open Group" + }, + "name": "gaurav" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "gaurav" + } + }, + { + "@timestamp": "2017-03-15T14:33:37.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + 
"category": [ + "authentication" + ], + "code": "17707", + "kind": "event", + "original": "device=\"SFW\" date=2017-03-15 time=14:33:37 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=063010617707 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"gaurav\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=10.198.233.49 message=\"User gaurav logged in successfully to L2TP through Local authentication mechanism\" name=\"\" src_mac=", + "outcome": "success", + "severity": 6, + "type": [ + "user", + "start" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "message": "User gaurav logged in successfully to L2TP through Local authentication mechanism", + "observer": { + "product": "XG", + "serial_number": "C44313350024-P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.233.49" + ], + "user": [ + "gaurav" + ] + }, + "sophos": { + "xg": { + "auth_mechanism": "Local", + "device": "SFW", + "device_name": "CR750iNG-XP", + "log_component": "VPN Authentication", + "log_id": "063010617707", + "log_subtype": "Authentication", + "log_type": "Event", + "priority": "Information", + "status": "Successful" + } + }, + "source": { + "ip": "10.198.233.49", + "user": { + "name": "gaurav" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "gaurav" + } + }, + { + "@timestamp": "2017-03-15T17:23:00.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "authentication" + ], + "code": "17710", + "kind": "event", + "original": "device=\"SFW\" date=2017-03-15 time=17:23:00 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" 
status=\"Successful\" priority=Information user_name=\"gaurav\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=10.198.233.49 message=\"User gaurav authenticated successfully to login to SSLVPN through Local authentication mechanism\" name=\"\" src_mac=", + "outcome": "success", + "severity": 6, + "type": [ + "user", + "start" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "message": "User gaurav authenticated successfully to login to SSLVPN through Local authentication mechanism", + "observer": { + "product": "XG", + "serial_number": "C44313350024-P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.233.49" + ], + "user": [ + "gaurav" + ] + }, + "sophos": { + "xg": { + "auth_mechanism": "Local", + "device": "SFW", + "device_name": "CR750iNG-XP", + "log_component": "SSL VPN Authentication", + "log_id": "063110617710", + "log_subtype": "Authentication", + "log_type": "Event", + "priority": "Information", + "status": "Successful" + } + }, + "source": { + "ip": "10.198.233.49", + "user": { + "name": "gaurav" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "gaurav" + } + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-http.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-http.log new file mode 100644 index 00000000000..3944da28a60 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-http.log 
@@ -0,0 +1,8 @@
+device="SFW" date=2016-12-02 time=18:27:03 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="None" category_type="" url="http://floater.baldrys.ca/adsenum.exe" contenttype="application/octet-stream" override_token="" src_ip=192.168.73.220 dst_ip=67.43.156.13 protocol="TCP" src_port=54110 dst_port=80 sent_bytes=0 recv_bytes=15940 domain=floater.baldrys.ca exceptions= activityname="" reason="cached clean"
+device="SFW" date=2016-12-02 time=18:35:51 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" priority=Information fw_rule_id=0 user_name="rich" user_gp="" iap=13 category="None" category_type="" url="http://floater.baldrys.ca/usemem.exe" contenttype="application/octet-stream" override_token="" src_ip=192.168.73.220 dst_ip=192.168.73.220 protocol="TCP" src_port=54110 dst_port=80 sent_bytes=0 recv_bytes=321677 domain=floater.baldrys.ca exceptions= activityname="" reason=" cloud clean"
+device="SFW" date=2016-12-02 time=19:21:41 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Information Technology" category_type=" Acceptable" url="https://the.earth.li/~sgtatham/putty/0.67/x86/putty.exe" contenttype="application/x-msdos-program" override_token="" src_ip=192.168.73.220 dst_ip=67.43.156.12 protocol="TCP" src_port=51570 dst_port=443 sent_bytes=0 recv_bytes=531659 domain=the.earth.li exceptions= activityname="" reason="eligible"
+device="SFW" date=2016-12-02 time=19:21:59 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 
log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="General Business" category_type=" Acceptable" url="http://ads.adaptv.advertising.com/a/h/WWEVd91PNug3Es_Gwp40Tnr0FIh9nkWQ?cb=1481065476497&pet=preroll&pageUrl=http%3A%2F%2Fbbc.com%2F&eov=eov&a.cluster=0&a.pvt=0&width=300&height=250&a.sdk=adaptv&a.sdkType=js&a.d.pageUrl=http%3A%2F%2Fwww.bbc.com%2Fsport&referrerUrl=http%3A%2F%2Fwww.bbc.com%2Fearth%2Fworld&depth=0&p.vw.active=-1&p.vw.area=-1&p.vw.domId=-1&p.vw.framerate=-1&p.vw.geometric=-1&p.vw.pHeight=0&p.vw.psize=-1&p.vw.pWidth=0&p.vw.viewable=-1&p.vw.viewableOpportunity=-1" contenttype="text/xml" override_token="" src_ip=192.168.73.220 dst_ip=67.43.156.14 protocol="TCP" src_port=56477 dst_port=80 sent_bytes=0 recv_bytes=3672 domain=ads.adaptv.advertising.com exceptions= activityname="" reason="not eligible"
+device="SFW" date=2016-12-02 time=18:26:43 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="None" category_type="" url="http://floater.baldrys.ca/badb.exe" contenttype="application/octet-stream" override_token="" src_ip=192.168.73.220 dst_ip=67.43.156.13 protocol="TCP" src_port=54110 dst_port=80 sent_bytes=0 recv_bytes=1594715 domain=floater.baldrys.ca exceptions= activityname="" reason="pending"
+device="SFW" date=2016-12-02 time=19:30:33 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=14 category="Financial Services" category_type="Unproductive" url="https://www.vancity.com/" contenttype="" override_token="" src_ip=192.168.73.220 
dst_ip=67.43.156.15 protocol="TCP" src_port=60444 dst_port=443 sent_bytes=0 recv_bytes=0 domain=www.vancity.com exceptions= activityname=" Finance & Investing" reason=""
+device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" src_ip=192.168.73.220 dst_ip=67.43.156.15 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname="Search" reason=""
+device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" src_ip=192.168.73.220 dst_ip=81.2.69.144 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www. google.ca exceptions= activityname="Search" reason="not eligible"
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-http.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-http.log-expected.json
new file mode 100644
index 00000000000..a5528a02e42
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-http.log-expected.json
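Review bot: Several values in these samples carry a leading space inside the quotes — `reason=" cloud clean"` on line 2, `category_type=" Acceptable"` on lines 3 and 4, `activityname=" Finance & Investing"` on line 6 — and the expected output further down keeps them verbatim (`"reason": " cloud clean"`, `"category_type": " Acceptable"`), so exact-match queries on `event.reason` or `sophos.xg.category_type` will miss these events. If the spaces are deliberate edge cases, the pipeline should trim quoted values so the expected file shows the cleaned form; if they are paste artefacts, the samples should be fixed instead. The last line's `domain=www. google.ca` is not a valid hostname either; what it does to `url.domain` and `related.hosts` is outside this view, so either correct it or make sure the expected file documents the malformed-input behaviour on purpose.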
@@ -0,0 +1,850 @@ +{ + "expected": [ + { + "@timestamp": "2016-12-02T18:27:03.000Z", + "destination": { + "as": { + "number": 35908 + }, + "bytes": 15940, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "16001", + "kind": "event", + "original": "device=\"SFW\" date=2016-12-02 time=18:27:03 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"None\" category_type=\"\" url=\"http://floater.baldrys.ca/adsenum.exe\" contenttype=\"application/octet-stream\" override_token=\"\" src_ip=192.168.73.220 dst_ip=67.43.156.13 protocol=\"TCP\" src_port=54110 dst_port=80 sent_bytes=0 recv_bytes=15940 domain=floater.baldrys.ca exceptions= activityname=\"\" reason=\"cached clean\"", + "outcome": "success", + "reason": "cached clean", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 15940, + "community_id": "1:A533V8KpijZTUOuXt+PhEWpnluA=", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "floater.baldrys.ca" + ], + "ip": [ + "192.168.73.220", + "67.43.156.13" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "category": "None", + "contenttype": "application/octet-stream", + "device": "SFW", + "device_name": "SFVUNL", + "fw_rule_id": "2", + "iap": "13", + "log_component": "HTTP", + "log_id": 
"050901616001", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "priority": "Information" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 54110, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "floater.baldrys.ca", + "extension": "exe", + "full": "http://floater.baldrys.ca/adsenum.exe", + "original": "http://floater.baldrys.ca/adsenum.exe", + "path": "/adsenum.exe", + "scheme": "http" + } + }, + { + "@timestamp": "2016-12-02T18:35:51.000Z", + "destination": { + "bytes": 321677, + "ip": "192.168.73.220", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "16001", + "kind": "event", + "original": "device=\"SFW\" date=2016-12-02 time=18:35:51 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" priority=Information fw_rule_id=0 user_name=\"rich\" user_gp=\"\" iap=13 category=\"None\" category_type=\"\" url=\"http://floater.baldrys.ca/usemem.exe\" contenttype=\"application/octet-stream\" override_token=\"\" src_ip=192.168.73.220 dst_ip=192.168.73.220 protocol=\"TCP\" src_port=54110 dst_port=80 sent_bytes=0 recv_bytes=321677 domain=floater.baldrys.ca exceptions= activityname=\"\" reason=\" cloud clean\"", + "outcome": "success", + "reason": " cloud clean", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 321677, + "community_id": "1:4ao/YhRCSn5/cM88NdWtPMdl8U8=", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + 
"floater.baldrys.ca" + ], + "ip": [ + "192.168.73.220" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "category": "None", + "contenttype": "application/octet-stream", + "device": "SFW", + "device_name": "SFVUNL", + "fw_rule_id": "0", + "iap": "13", + "log_component": "HTTP", + "log_id": "050901616001", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "priority": "Information" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 54110, + "user": { + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "floater.baldrys.ca", + "extension": "exe", + "full": "http://floater.baldrys.ca/usemem.exe", + "original": "http://floater.baldrys.ca/usemem.exe", + "path": "/usemem.exe", + "scheme": "http" + } + }, + { + "@timestamp": "2016-12-02T19:21:41.000Z", + "destination": { + "as": { + "number": 35908 + }, + "bytes": 531659, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.12", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "16001", + "kind": "event", + "original": "device=\"SFW\" date=2016-12-02 time=19:21:41 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Information Technology\" category_type=\" Acceptable\" url=\"https://the.earth.li/~sgtatham/putty/0.67/x86/putty.exe\" contenttype=\"application/x-msdos-program\" override_token=\"\" src_ip=192.168.73.220 dst_ip=67.43.156.12 protocol=\"TCP\" src_port=51570 dst_port=443 sent_bytes=0 recv_bytes=531659 domain=the.earth.li exceptions= activityname=\"\" reason=\"eligible\"", + "outcome": "success", + "reason": 
"eligible", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 531659, + "community_id": "1:Rx2NAbhO+cUNx7MOYl+KZ/KqxR8=", + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "the.earth.li" + ], + "ip": [ + "192.168.73.220", + "67.43.156.12" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "category": "Information Technology", + "category_type": " Acceptable", + "contenttype": "application/x-msdos-program", + "device": "SFW", + "device_name": "SFVUNL", + "fw_rule_id": "2", + "iap": "13", + "log_component": "HTTP", + "log_id": "050901616001", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "priority": "Information" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 51570, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "the.earth.li", + "extension": "exe", + "full": "https://the.earth.li/~sgtatham/putty/0.67/x86/putty.exe", + "original": "https://the.earth.li/~sgtatham/putty/0.67/x86/putty.exe", + "path": "/~sgtatham/putty/0.67/x86/putty.exe", + "scheme": "https" + } + }, + { + "@timestamp": "2016-12-02T19:21:59.000Z", + "destination": { + "as": { + "number": 35908 + }, + "bytes": 3672, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "16001", + "kind": "event", + "original": "device=\"SFW\" date=2016-12-02 time=19:21:59 timezone=\"GMT\" 
device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"General Business\" category_type=\" Acceptable\" url=\"http://ads.adaptv.advertising.com/a/h/WWEVd91PNug3Es_Gwp40Tnr0FIh9nkWQ?cb=1481065476497\u0026pet=preroll\u0026pageUrl=http%3A%2F%2Fbbc.com%2F\u0026eov=eov\u0026a.cluster=0\u0026a.pvt=0\u0026width=300\u0026height=250\u0026a.sdk=adaptv\u0026a.sdkType=js\u0026a.d.pageUrl=http%3A%2F%2Fwww.bbc.com%2Fsport\u0026referrerUrl=http%3A%2F%2Fwww.bbc.com%2Fearth%2Fworld\u0026depth=0\u0026p.vw.active=-1\u0026p.vw.area=-1\u0026p.vw.domId=-1\u0026p.vw.framerate=-1\u0026p.vw.geometric=-1\u0026p.vw.pHeight=0\u0026p.vw.psize=-1\u0026p.vw.pWidth=0\u0026p.vw.viewable=-1\u0026p.vw.viewableOpportunity=-1\" contenttype=\"text/xml\" override_token=\"\" src_ip=192.168.73.220 dst_ip=67.43.156.14 protocol=\"TCP\" src_port=56477 dst_port=80 sent_bytes=0 recv_bytes=3672 domain=ads.adaptv.advertising.com exceptions= activityname=\"\" reason=\"not eligible\"", + "outcome": "success", + "reason": "not eligible", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 3672, + "community_id": "1:0QC4IPLl7ucQNCsWUyc5nb6AHMM=", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "ads.adaptv.advertising.com" + ], + "ip": [ + "192.168.73.220", + "67.43.156.14" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "category": "General Business", + "category_type": " Acceptable", + "contenttype": "text/xml", + "device": "SFW", + "device_name": "SFVUNL", + "fw_rule_id": "2", + "iap": "13", + "log_component": 
"HTTP", + "log_id": "050901616001", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "priority": "Information" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 56477, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "ads.adaptv.advertising.com", + "full": "http://ads.adaptv.advertising.com/a/h/WWEVd91PNug3Es_Gwp40Tnr0FIh9nkWQ?cb=1481065476497\u0026pet=preroll\u0026pageUrl=http%3A%2F%2Fbbc.com%2F\u0026eov=eov\u0026a.cluster=0\u0026a.pvt=0\u0026width=300\u0026height=250\u0026a.sdk=adaptv\u0026a.sdkType=js\u0026a.d.pageUrl=http%3A%2F%2Fwww.bbc.com%2Fsport\u0026referrerUrl=http%3A%2F%2Fwww.bbc.com%2Fearth%2Fworld\u0026depth=0\u0026p.vw.active=-1\u0026p.vw.area=-1\u0026p.vw.domId=-1\u0026p.vw.framerate=-1\u0026p.vw.geometric=-1\u0026p.vw.pHeight=0\u0026p.vw.psize=-1\u0026p.vw.pWidth=0\u0026p.vw.viewable=-1\u0026p.vw.viewableOpportunity=-1", + "original": "http://ads.adaptv.advertising.com/a/h/WWEVd91PNug3Es_Gwp40Tnr0FIh9nkWQ?cb=1481065476497\u0026pet=preroll\u0026pageUrl=http%3A%2F%2Fbbc.com%2F\u0026eov=eov\u0026a.cluster=0\u0026a.pvt=0\u0026width=300\u0026height=250\u0026a.sdk=adaptv\u0026a.sdkType=js\u0026a.d.pageUrl=http%3A%2F%2Fwww.bbc.com%2Fsport\u0026referrerUrl=http%3A%2F%2Fwww.bbc.com%2Fearth%2Fworld\u0026depth=0\u0026p.vw.active=-1\u0026p.vw.area=-1\u0026p.vw.domId=-1\u0026p.vw.framerate=-1\u0026p.vw.geometric=-1\u0026p.vw.pHeight=0\u0026p.vw.psize=-1\u0026p.vw.pWidth=0\u0026p.vw.viewable=-1\u0026p.vw.viewableOpportunity=-1", + "path": "/a/h/WWEVd91PNug3Es_Gwp40Tnr0FIh9nkWQ", + "query": 
"cb=1481065476497\u0026pet=preroll\u0026pageUrl=http://bbc.com/\u0026eov=eov\u0026a.cluster=0\u0026a.pvt=0\u0026width=300\u0026height=250\u0026a.sdk=adaptv\u0026a.sdkType=js\u0026a.d.pageUrl=http://www.bbc.com/sport\u0026referrerUrl=http://www.bbc.com/earth/world\u0026depth=0\u0026p.vw.active=-1\u0026p.vw.area=-1\u0026p.vw.domId=-1\u0026p.vw.framerate=-1\u0026p.vw.geometric=-1\u0026p.vw.pHeight=0\u0026p.vw.psize=-1\u0026p.vw.pWidth=0\u0026p.vw.viewable=-1\u0026p.vw.viewableOpportunity=-1", + "scheme": "http" + } + }, + { + "@timestamp": "2016-12-02T18:26:43.000Z", + "destination": { + "as": { + "number": 35908 + }, + "bytes": 1594715, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "malware", + "network" + ], + "code": "16002", + "kind": "alert", + "original": "device=\"SFW\" date=2016-12-02 time=18:26:43 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"None\" category_type=\"\" url=\"http://floater.baldrys.ca/badb.exe\" contenttype=\"application/octet-stream\" override_token=\"\" src_ip=192.168.73.220 dst_ip=67.43.156.13 protocol=\"TCP\" src_port=54110 dst_port=80 sent_bytes=0 recv_bytes=1594715 domain=floater.baldrys.ca exceptions= activityname=\"\" reason=\"pending\"", + "outcome": "success", + "reason": "pending", + "severity": 6, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 1594715, + "community_id": "1:A533V8KpijZTUOuXt+PhEWpnluA=", + "protocol": "http", + "transport": "tcp" + }, + 
"observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "floater.baldrys.ca" + ], + "ip": [ + "192.168.73.220", + "67.43.156.13" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "category": "None", + "contenttype": "application/octet-stream", + "device": "SFW", + "device_name": "SFVUNL", + "fw_rule_id": "2", + "iap": "13", + "log_component": "HTTP", + "log_id": "050902616002", + "log_subtype": "Denied", + "log_type": "Content Filtering", + "priority": "Information" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 54110, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "floater.baldrys.ca", + "extension": "exe", + "full": "http://floater.baldrys.ca/badb.exe", + "original": "http://floater.baldrys.ca/badb.exe", + "path": "/badb.exe", + "scheme": "http" + } + }, + { + "@timestamp": "2016-12-02T19:30:33.000Z", + "destination": { + "as": { + "number": 35908 + }, + "bytes": 0, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "malware", + "network" + ], + "code": "16002", + "kind": "alert", + "original": "device=\"SFW\" date=2016-12-02 time=19:30:33 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=14 category=\"Financial Services\" category_type=\"Unproductive\" url=\"https://www.vancity.com/\" contenttype=\"\" override_token=\"\" src_ip=192.168.73.220 dst_ip=67.43.156.15 
protocol=\"TCP\" src_port=60444 dst_port=443 sent_bytes=0 recv_bytes=0 domain=www.vancity.com exceptions= activityname=\" Finance \u0026 Investing\" reason=\"\"", + "outcome": "success", + "severity": 6, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:t+d8o1s7+zccNjNhSJFb7vVZtvU=", + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "www.vancity.com" + ], + "ip": [ + "192.168.73.220", + "67.43.156.15" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "activityname": " Finance \u0026 Investing", + "category": "Financial Services", + "category_type": "Unproductive", + "device": "SFW", + "device_name": "SFVUNL", + "fw_rule_id": "2", + "iap": "14", + "log_component": "HTTP", + "log_id": "050902616002", + "log_subtype": "Denied", + "log_type": "Content Filtering", + "priority": "Information" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 60444, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.vancity.com", + "full": "https://www.vancity.com/", + "original": "https://www.vancity.com/", + "path": "/", + "scheme": "https" + } + }, + { + "@timestamp": "2016-12-02T18:50:20.000Z", + "destination": { + "as": { + "number": 35908 + }, + "bytes": 0, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "warned", + "category": [ + "network" + ], + "code": "16005", + "kind": "event", + "original": "device=\"SFW\" 
date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" src_ip=192.168.73.220 dst_ip=67.43.156.15 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\"Search\" reason=\"\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:zyuvJIqDyUnbsrn8426RPB8ZUn4=", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "www.google.com" + ], + "ip": [ + "192.168.73.220", + "67.43.156.15" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "activityname": "Search", + "category": "Search Engines", + "category_type": "Acceptable", + "device": "SFW", + "device_name": "SFVUNL", + "fw_rule_id": "2", + "iap": "13", + "log_component": "HTTP", + "log_id": "050927616005", + "log_subtype": "Warned", + "log_type": "Content Filtering", + "priority": "Information" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 37832, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.google.com", + "full": "http://www.google.com/", + "original": "http://www.google.com/", + "path": "/", + "scheme": "http" + } + }, + { + "@timestamp": "2016-12-02T18:50:22.000Z", + "destination": { + "bytes": 619, + "geo": { + 
"city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "16006", + "kind": "event", + "original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" src_ip=192.168.73.220 dst_ip=81.2.69.144 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www. 
google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", + "outcome": "success", + "reason": "not eligible", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 619, + "community_id": "1:uVZcGVWwRzhh9dvIsXBbFt+6jCM=", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "www.google.ca" + ], + "ip": [ + "192.168.73.220", + "81.2.69.144" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "activityname": "Search", + "category": "Search Engines", + "category_type": "Acceptable", + "contenttype": "text/html", + "device": "SFW", + "device_name": "SFVUNL", + "fw_rule_id": "2", + "iap": "13", + "log_component": "HTTP", + "log_id": "050901616006", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "priority": "Information" + } + }, + "source": { + "bytes": 0, + "ip": "192.168.73.220", + "port": 46322, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.google.ca", + "full": "http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw", + "original": "http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw", + "path": "/", + "query": "gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw", + "scheme": "http" + } + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-web-content-policy.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-web-content-policy.log new file mode 100644 index 00000000000..c8fd3ff7692 --- /dev/null 
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-web-content-policy.log
@@ -0,0 +1 @@
+device_name="SF01V" device_id=SFDemo-c45b327 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa.astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah "
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-web-content-policy.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-web-content-policy.log-expected.json
new file mode 100644
index 00000000000..9a5ace69cba
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-content-filtering-web-content-policy.log-expected.json
@@ -0,0 +1,66 @@
+{
+ "expected": [
+ {
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "alert",
+ "category": [
+ "network"
+ ],
+ "code": "16010",
+ "kind": "event",
+ "original": "device_name=\"SF01V\" device_id=SFDemo-c45b327 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa.astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"",
+ "outcome": "success",
+ "severity": 1
+ },
+ "host": {
+ "name": "defaulttest.local"
+ },
+ "log": {
+ "level": "alert"
+ },
+ "observer": {
+ "product": "XG",
+ "serial_number": "SFDemo-c45b327",
+ "type": "firewall",
+ "vendor": "Sophos"
+ },
+ "related": {
+ "hosts": [
+ "defaulttest.local"
+ ],
+ "ip": [
+ "10.108.108.49"
+ ]
+ },
+ "sophos": {
+ "xg": {
+ "action": "Deny",
+ "context_match": "Not",
+ "context_prefix": "blah blah hello ",
+ "context_suffix": " hello blah ",
+ "device_name": "SF01V",
+ "dictionary_name": "complicated_Custom",
+ "direction": "in",
+ "file_name": "cgi_echo.pl",
+ "log_component": "Web Content Policy",
+ "log_id": "058420116010",
+ "log_subtype": "Alert",
+ "log_type": "Content Filtering",
+ "site_category": "Information Technology",
+ "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1",
+ "user": "gi123456",
+ "website": "ta-web-static-testing.qa.astaro.de"
+ }
+ },
+ "source": {
+ "ip": "10.108.108.49"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-firewall.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-firewall.log
new file mode 100644
index 00000000000..046e7038bfb
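Review bot: The generated expectation pins `event.action` to `"alert"` (taken from `log_subtype`) while the vendor's `action=\"Deny\"` survives only as `sophos.xg.action`, and `event.outcome` is `"success"` with no `event.type` at all; a denied Web Content Policy hit that is indexed as a successful alert will be invisible to detections keyed on `event.action` or `event.type`. This file is generated from the pipeline, so the change would be in the ingest pipeline (not visible in this diff) followed by regenerating the fixture; I would expect something like `"action": "deny"` and `"type": ["denied"]`, matching how the content-filtering events earlier in this patch are typed. If mapping `log_subtype` rather than `action` onto `event.action` for this subtype is deliberate, a changelog line saying so would spare the next reader the same question.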
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-firewall.log
@@ -0,0 +1,16 @@ +device="SFW" date=2017-01-31 time=14:16:19 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024- P29PUA log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=30 fw_rule_id=2 policy_type=2 user_name="gaurav" user_gp="Open Group" iap=1 ips_policy_id=0 appfilter_policy_id=1 application="Youtube Video Streaming" application_risk=3 application_technology="Browser Based" application_category="Streaming Media" in_interface="PortA" out_interface="PortB" src_mac=00:00:00:00:00:00 src_ip=10.198.47.71 src_country_code=R1 dst_ip=81.2.69.143 dst_country_code=USA protocol="UDP" src_port=59859 dst_port=53 sent_pkts=1 recv_pkts=1 sent_bytes=77 recv_bytes=105 tran_src_ip=81.2.69.144 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="185246656" vconnid="" hb_health="No Heartbeat" +device="SFW" date=2018-05-30 time=13:14:26 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2.531" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=1.128.3.4 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature +device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" 
log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 +device="SFW" date=2018-05-30 time=17:55:09 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=018202500004 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Denied" status="Deny" priority=Notice duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=00:1a:8c:50:6a:8c src_ip=216.160.83.61 src_country_code= dst_ip=10.198.232.48 dst_country_code= protocol="ICMP" icmp_type=11 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="1084482152" vconnid="" hb_health=" No Heartbeat" message="" appresolvedby="Signature" +device="SFW" date=2018-05-30 time=18:03:43 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" 
application_category="" in_interface="Port2.531" out_interface="" src_mac=00:1a:8c:50:6a:8c src_ip=172.29.250.33 src_country_code= dst_ip=10.198.232.48 dst_country_code= protocol="ICMP" icmp_type=11 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="14310965" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 +device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=1.128.3.4 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= 
tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby="Signature" +device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" 
device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 
application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=1.128.3.4 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +device="SFW" date=2018-05-30 time=15:12:45 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011802605101 log_type="Firewall" log_component="IPMAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.15 src_country_code= dst_ip=216.160.83.57 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= 
tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +device="SFW" date=2018-05-30 time=14:04:25 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011902605151 log_type="Firewall" log_component="IP Spoof" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=169.254.234.5 src_country_code= dst_ip=127.0.0.1 dst_country_code= protocol="ICMP" icmp_type=0 icmp_code=0 +device="SFW" date=2020-06-05 time=03:45:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name="" user_gp="" iap=13 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=" LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="2674291981" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1 \ No newline at end of file 
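Review bot: The second record of the fixture ends with an unterminated value, `appresolvedby="Signature`, and the first carries `device_id=C44313350024- P29PUA` with an embedded space, which the expected output keeps verbatim as `observer.serial_number`. If these are meant to exercise parser tolerance, that intent is recorded nowhere, and a later regeneration of the expected file would silently bless whatever the parser makes of them; if they are typos, the line should read `appresolvedby="Signature"`. Either way, one sentence in the PR description naming the fixture lines that are deliberately malformed would keep them from being "fixed" by accident.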
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-firewall.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-firewall.log-expected.json
new file mode 100644
index 00000000000..cdaae1bdb66
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-firewall.log-expected.json
@@ -0,0 +1,1704 @@ +{ + "expected": [ + { + "@timestamp": "2017-01-31T14:16:19.000Z", + "destination": { + "bytes": 105, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143", + "nat": { + "port": 0 + }, + "packets": 1, + "port": 53 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "00001", + "duration": 30000000000, + "end": "2017-01-31T14:16:49.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2017-01-31 time=14:16:19 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024- P29PUA log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=30 fw_rule_id=2 policy_type=2 user_name=\"gaurav\" user_gp=\"Open Group\" iap=1 ips_policy_id=0 appfilter_policy_id=1 application=\"Youtube Video Streaming\" application_risk=3 application_technology=\"Browser Based\" application_category=\"Streaming Media\" in_interface=\"PortA\" out_interface=\"PortB\" src_mac=00:00:00:00:00:00 src_ip=10.198.47.71 src_country_code=R1 dst_ip=81.2.69.143 dst_country_code=USA protocol=\"UDP\" src_port=59859 dst_port=53 sent_pkts=1 recv_pkts=1 sent_bytes=77 recv_bytes=105 tran_src_ip=81.2.69.144 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"185246656\" vconnid=\"\" hb_health=\"No Heartbeat\"", + "outcome": "success", + "severity": 6, + "start": "2017-01-31T14:16:19.000Z", + "type": [ + "end", + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 182, + "community_id": 
"1:lYJim7EEUckhyqriZSUn2kEcAwY=", + "direction": "outbound", + "packets": 2, + "protocol": "youtube video streaming", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "PortB" + }, + "zone": "WAN" + }, + "ingress": { + "interface": { + "name": "PortA" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C44313350024- P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.47.71", + "81.2.69.143", + "81.2.69.144" + ], + "user": [ + "gaurav" + ] + }, + "rule": { + "id": "2", + "ruleset": "2" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "1", + "application_category": "Streaming Media", + "application_risk": "3", + "application_technology": "Browser Based", + "connevent": "Stop", + "connid": "185246656", + "device": "SFW", + "device_name": "CR750iNG-XP", + "dst_country_code": "USA", + "dst_zone_type": "WAN", + "hb_health": "No Heartbeat", + "iap": "1", + "ips_policy_id": "0", + "log_component": "Firewall Rule", + "log_id": "010101600001", + "log_subtype": "Allowed", + "log_type": "Firewall", + "priority": "Information", + "src_country_code": "R1", + "src_zone_type": "LAN", + "status": "Allow" + } + }, + "source": { + "bytes": 77, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "10.198.47.71", + "mac": "00-00-00-00-00-00", + "nat": { + "ip": "81.2.69.144", + "port": 0 + }, + "packets": 1, + "port": 59859, + "user": { + "group": { + "name": "Open Group" + }, + "name": "gaurav" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T13:14:26.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "bytes": 0, + "ip": "1.128.3.4", + "nat": { + "port": 
0 + }, + "packets": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "00002", + "duration": 0, + "end": "2018-05-30T13:14:26.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2018-05-30 time=13:14:26 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2.531\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=1.128.3.4 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature", + "outcome": "success", + "severity": 6, + "start": "2018-05-30T13:14:26.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:dx7kJlo3wECJdR37qq2A64L5Iuo=", + "packets": 0, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2.531" + } + }, + "ingress": { + "interface": { + "name": "Port1" + } + }, + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.32.19", + "1.128.3.4" + ] + }, + "rule": { + "id": "1", + "ruleset": "1" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", 
+ "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "2", + "icmp_code": "0", + "icmp_type": "8", + "ips_policy_id": "0", + "log_component": "Firewall Rule", + "log_id": "010102600002", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", + "status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "10.198.32.19", + "mac": "B8-97-5A-5B-0F-FD", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-01T10:55:41.000Z", + "destination": { + "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "intrusion_detection", + "network" + ], + "code": "00003", + "duration": 0, + "end": "2018-06-01T10:55:41.000Z", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" 
message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "outcome": "success", + "severity": 6, + "start": "2018-06-01T10:55:41.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:Sor11fKmsq4B9ppdtSRcf8VuJ2A=", + "packets": 0, + "transport": "icmp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port3.611" + } + }, + "product": "XG", + "serial_number": "SFDemo-9a04c43", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.37.57", + "175.16.199.1" + ] + }, + "rule": { + "id": "16", + "ruleset": "1" + }, + "sophos": { + "xg": { + "app_is_cloud": "0", + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "device": "SFW", + "device_name": "XG310", + "hb_health": "Red", + "iap": "2", + "icmp_code": "0", + "icmp_type": "8", + "ips_policy_id": "0", + "log_component": "Heartbeat", + "log_id": "016602600003", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", + "status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "10.198.37.57", + "mac": "08-00-27-4C-49-E3", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T17:55:09.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.232.48", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "intrusion_detection", + "network" + ], + "code": "00004", + "duration": 0, + "end": "2018-05-30T17:55:09.000Z", + "kind": "alert", + "original": "device=\"SFW\" date=2018-05-30 time=17:55:09 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=018202500004 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Denied\" status=\"Deny\" 
priority=Notice duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=00:1a:8c:50:6a:8c src_ip=216.160.83.61 src_country_code= dst_ip=10.198.232.48 dst_country_code= protocol=\"ICMP\" icmp_type=11 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"1084482152\" vconnid=\"\" hb_health=\" No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "outcome": "success", + "severity": 5, + "start": "2018-05-30T17:55:09.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "notification" + }, + "network": { + "bytes": 0, + "community_id": "1:qJ07DCea4ghp9BOH8VwBZhcsIos=", + "packets": 0, + "transport": "icmp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port2.531" + } + }, + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "216.160.83.61", + "10.198.232.48" + ] + }, + "rule": { + "id": "1", + "ruleset": "1" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "connid": "1084482152", + "device": "SFW", + "device_name": "XG125w", + "hb_health": " No Heartbeat", + "iap": "0", + "icmp_code": "0", + "icmp_type": "11", + "ips_policy_id": "0", + "log_component": "ICMP ERROR MESSAGE", + "log_id": "018202500004", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Notice", + "status": "Deny" + } + }, + "source": { + "as": { + "number": 209 + }, + "bytes": 0, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + 
"country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "mac": "00-1A-8C-50-6A-8C", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T18:03:43.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.232.48", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "00005", + "duration": 0, + "end": "2018-05-30T18:03:43.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2018-05-30 time=18:03:43 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=00:1a:8c:50:6a:8c src_ip=172.29.250.33 src_country_code= dst_ip=10.198.232.48 dst_country_code= protocol=\"ICMP\" icmp_type=11 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"14310965\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "outcome": "success", + "severity": 5, + "start": "2018-05-30T18:03:43.000Z", + "type": [ + "start", + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "notification" + }, + "network": { + "bytes": 0, + "community_id": "1:ufMwC8WphNOce1zUhLjBH5FUI2A=", + "packets": 0, + "transport": "icmp" + 
}, + "observer": { + "ingress": { + "interface": { + "name": "Port2.531" + } + }, + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "172.29.250.33", + "10.198.232.48" + ] + }, + "rule": { + "id": "1", + "ruleset": "1" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "connevent": "Interim", + "connid": "14310965", + "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "0", + "icmp_code": "0", + "icmp_type": "11", + "ips_policy_id": "0", + "log_component": "ICMP ERROR MESSAGE", + "log_id": "018201500005", + "log_subtype": "Allowed", + "log_type": "Firewall", + "priority": "Notice", + "status": "Allow" + } + }, + "source": { + "bytes": 0, + "ip": "172.29.250.33", + "mac": "00-1A-8C-50-6A-8C", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-01T10:57:55.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.32.19", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "00006", + "duration": 0, + "end": "2018-06-01T10:57:55.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" 
icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "outcome": "success", + "severity": 6, + "start": "2018-06-01T10:57:55.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:GxdOoNc153FG9L1WhGZ4edd++14=", + "packets": 0, + "transport": "icmp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port3.611" + } + }, + "product": "XG", + "serial_number": "SFDemo-9a04c43", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.37.57", + "10.198.32.19" + ] + }, + "rule": { + "id": "16", + "ruleset": "1" + }, + "sophos": { + "xg": { + "app_is_cloud": "0", + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "device": "SFW", + "device_name": "XG310", + "hb_health": "Red", + "iap": "2", + "icmp_code": "0", + "icmp_type": "8", + "ips_policy_id": "0", + "log_component": "Heartbeat", + "log_id": "016602600006", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", + "status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "10.198.37.57", + "mac": "08-00-27-4C-49-E3", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T13:26:37.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "bytes": 0, + "ip": "1.128.3.4", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "01001", + 
"duration": 0, + "end": "2018-05-30T13:26:37.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=1.128.3.4 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\"Signature\"", + "outcome": "success", + "severity": 6, + "start": "2018-05-30T13:26:37.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "packets": 0, + "transport": "udp" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.32.19", + "1.128.3.4" + ] + }, + "rule": { + "id": "0", + "ruleset": "0" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "0", + "ips_policy_id": "0", + "log_component": "Invalid Traffic", + "log_id": "010202601001", + "log_subtype": "Denied", + "log_type": "Firewall", + "message": "Invalid UDP destination.", + "priority": "Information", + "status": "Deny" + } + 
}, + "source": { + "bytes": 0, + "ip": "10.198.32.19", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 1353 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-04T17:20:24.000Z", + "destination": { + "bytes": 0, + "ip": "0.0.0.0", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "01301", + "duration": 0, + "end": "2018-06-04T17:20:24.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "outcome": "success", + "severity": 6, + "start": "2018-06-04T17:20:24.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "packets": 0, + "transport": "0" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "0.0.0.0" + ] + }, + "rule": { + "id": "0", + "ruleset": "0" + }, + "sophos": { + "xg": { + 
"appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "0", + "ips_policy_id": "0", + "log_component": "Fragmented Traffic", + "log_id": "011402601301", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", + "status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "0.0.0.0", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T14:01:32.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.39.255", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 137 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "02002", + "duration": 0, + "end": "2018-05-30T14:01:32.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "outcome": "success", + "severity": 6, + "start": "2018-05-30T14:01:32.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": 
"defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:rWQJGdqTu4ERAOCXL2JYQ16npW4=", + "packets": 0, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port2.611" + } + }, + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.38.184", + "10.198.39.255" + ] + }, + "rule": { + "id": "2", + "ruleset": "0" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "0", + "ips_policy_id": "0", + "log_component": "Appliance Access", + "log_id": "010302602002", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", + "status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "10.198.38.184", + "mac": "C8-5B-76-AB-72-D3", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 137 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T14:17:17.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.32.48", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 22 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "intrusion_detection", + "network" + ], + "code": "03001", + "duration": 0, + "end": "2018-05-30T14:17:17.000Z", + "kind": "alert", + "original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" 
out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "outcome": "success", + "severity": 4, + "start": "2018-05-30T14:17:17.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "bytes": 0, + "community_id": "1:ebW+n2XvlKyynA6t/MupXckUzG4=", + "packets": 0, + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + } + }, + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.32.19", + "10.198.32.48" + ] + }, + "rule": { + "id": "0", + "ruleset": "0" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "0", + "ips_policy_id": "0", + "log_component": "DoS Attack", + "log_id": "010402403001", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Warning", + "status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "10.198.32.19", + "mac": "B8-97-5A-5B-0F-FD", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 41960 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-05T14:30:31.000Z", + "destination": { + "bytes": 0, + "ip": "10.198.36.48", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "04001", + "duration": 0, + 
"end": "2018-06-05T14:30:31.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "outcome": "success", + "severity": 6, + "start": "2018-06-05T14:30:31.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:REw7Fd5sFF/Vbt+C9BommT9XGDQ=", + "packets": 0, + "transport": "icmp" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.37.23", + "10.198.36.48" + ] + }, + "rule": { + "id": "0", + "ruleset": "0" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": " Signature", + "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "0", + "icmp_code": "1", + "icmp_type": "5", + "ips_policy_id": "0", + "log_component": "ICMP Redirection", + "log_id": "010502604001", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", + 
"status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "10.198.37.23", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-31T17:05:14.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "bytes": 0, + "ip": "1.128.3.4", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "intrusion_detection", + "network" + ], + "code": "05001", + "duration": 0, + "end": "2018-05-31T17:05:14.000Z", + "kind": "alert", + "original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=1.128.3.4 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "outcome": "success", + "severity": 6, + "start": "2018-05-31T17:05:14.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:d1AF6puk61t38ufI/gIY9HJv/Xw=", + "packets": 0, + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": 
"Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.12.19", + "1.128.3.4" + ] + }, + "rule": { + "id": "1", + "ruleset": "1" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": " Signature", + "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "0", + "ips_policy_id": "0", + "log_component": "Source Routed", + "log_id": "010602605001", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", + "status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "10.198.12.19", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 1571 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T15:09:51.000Z", + "destination": { + "bytes": 0, + "ip": "ff02::1:2", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 547 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "05051", + "duration": 0, + "end": "2018-05-30T15:09:51.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" 
message=\"\" appresolvedby=\"Signature\"", + "outcome": "success", + "severity": 6, + "start": "2018-05-30T15:09:51.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:fzZxl6nY1aZerLCg1u8MwroiREk=", + "packets": 0, + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port2.531" + } + }, + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "fe80::59f5:3ce8:c98e:5062", + "ff02::1:2" + ] + }, + "rule": { + "id": "0", + "ruleset": "0" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "0", + "ips_policy_id": "0", + "log_component": "MAC Filter", + "log_id": "011702605051", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", + "status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "fe80::59f5:3ce8:c98e:5062", + "mac": "1E-3A-5A-5B-23-AB", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 546 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T15:12:45.000Z", + "destination": { + "as": { + "number": 209 + }, + "bytes": 0, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "05101", + "duration": 0, + "end": "2018-05-30T15:12:45.000Z", + "kind": "event", + "original": 
"device=\"SFW\" date=2018-05-30 time=15:12:45 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011802605101 log_type=\"Firewall\" log_component=\"IPMAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.15 src_country_code= dst_ip=216.160.83.57 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "outcome": "success", + "severity": 6, + "start": "2018-05-30T15:12:45.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:fdV0lXy84V2+bFCyBYmUyiyePtk=", + "packets": 0, + "transport": "icmp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Port1" + } + }, + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.198.32.15", + "216.160.83.57" + ] + }, + "rule": { + "id": "0", + "ruleset": "0" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "device": "SFW", + "device_name": "XG125w", + "hb_health": "No Heartbeat", + "iap": "0", + "icmp_code": "0", + "icmp_type": "8", + "ips_policy_id": "0", + "log_component": "IPMAC Filter", + "log_id": "011802605101", + "log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", 
+ "status": "Deny" + } + }, + "source": { + "bytes": 0, + "ip": "10.198.32.15", + "mac": "B8-97-5A-5B-0F-FD", + "nat": { + "port": 0 + }, + "packets": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T14:04:25.000Z", + "destination": { + "ip": "127.0.0.1" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "intrusion_detection", + "network" + ], + "code": "05151", + "duration": 0, + "end": "2018-05-30T14:04:25.000Z", + "kind": "alert", + "original": "device=\"SFW\" date=2018-05-30 time=14:04:25 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011902605151 log_type=\"Firewall\" log_component=\"IP Spoof\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=169.254.234.5 src_country_code= dst_ip=127.0.0.1 dst_country_code= protocol=\"ICMP\" icmp_type=0 icmp_code=0", + "outcome": "success", + "severity": 6, + "start": "2018-05-30T14:04:25.000Z", + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "network": { + "community_id": "1:MePwSQsHDt/OJu9hRQA+9BvVRdM=", + "transport": "icmp" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-763180a", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "169.254.234.5", + "127.0.0.1" + ] + }, + "rule": { + "id": "0", + "ruleset": "0" + }, + "sophos": { + "xg": { + "appfilter_policy_id": "0", + "application_risk": "0", + "device": "SFW", + "device_name": "XG125w", + "iap": "0", + "icmp_code": "0", + "icmp_type": "0", + "ips_policy_id": "0", + "log_component": "IP Spoof", + "log_id": "011902605151", + 
"log_subtype": "Denied", + "log_type": "Firewall", + "priority": "Information", + "status": "Deny" + } + }, + "source": { + "ip": "169.254.234.5" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-06-05T03:45:23.000Z", + "destination": { + "bytes": 0, + "ip": "10.8.142.181", + "mac": "00-50-56-99-3D-AC", + "nat": { + "port": 0 + }, + "packets": 0, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "00001", + "duration": 0, + "end": "2020-06-05T03:45:23.000Z", + "kind": "event", + "original": "device=\"SFW\" date=2020-06-05 time=03:45:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name=\"\" user_gp=\"\" iap=13 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2\" in_display_interface=\"Port2\" out_interface=\"Port1\" out_display_interface=\"Port1\" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\" LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2674291981\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0 log_occurrence=1", + "outcome": "success", + "severity": 6, + "start": "2020-06-05T03:45:23.000Z", + "type": [ + "start", + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { 
+ "level": "informational" + }, + "network": { + "bytes": 0, + "community_id": "1:2Z/T6XpjT4zBcdXNDaLCpNp/2uo=", + "direction": "outbound", + "packets": 0, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port1" + }, + "zone": "WAN" + }, + "ingress": { + "interface": { + "name": "Port2" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "SFDemo-ta-vm-55", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.146.13.30", + "10.8.142.181", + "10.8.13.110" + ] + }, + "rule": { + "id": "5", + "ruleset": "1" + }, + "sophos": { + "xg": { + "app_is_cloud": "0", + "appfilter_policy_id": "0", + "application_risk": "0", + "appresolvedby": "Signature", + "connevent": "Start", + "connid": "2674291981", + "device": "SFW", + "device_name": "SF01V", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "hb_health": "No Heartbeat", + "iap": "13", + "ips_policy_id": "0", + "log_component": "Firewall Rule", + "log_id": "010101600001", + "log_subtype": "Allowed", + "log_type": "Firewall", + "priority": "Information", + "src_zone_type": " LAN", + "status": "Allow" + } + }, + "source": { + "bytes": 0, + "ip": "10.146.13.30", + "mac": "00-50-56-99-51-94", + "nat": { + "ip": "10.8.13.110", + "port": 0 + }, + "packets": 0, + "port": 45294 + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-idp.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-idp.log new file mode 100644 index 00000000000..130461f9ffb --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-idp.log 
@@ -0,0 +1,4 @@
+device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
+device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
+device="SFW" date=2018-05-23 time=15:49:38 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020803407001 log_type="IDP" log_component="Signatures" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=584 signature_msg="PROTOCOL-RPC portmap rusers request UDP" classification="Decode of an RPC Query" rule_priority=5 src_ip=10.0.1.39 src_country_code=R1 dst_ip=10.1.0.42 dst_country_code=R1 protocol="UDP" src_port=21378 dst_port=111 platform="BSD,Linux,Mac,Solaris,Unix" category="Operating System and Services" target="Server"
+device="SFW" date=2017-02-01 time=12:51:35 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024- P29PUA log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" status="" priority=Warning idp_policy_id=2 fw_rule_id=1 user_name="" signature_id=1151209031 signature_msg="Autodesk Design Review GIF GlobalColorTable DataSubBlock Buffer Overflow" classification="Unknown" rule_priority=3 src_ip=81.2.69.145 src_country_code=HKG dst_ip=10.198.47.71 dst_country_code=R1 protocol="TCP" src_port=80 dst_port=40575 platform=" Windows" category="Application and Software" target="Client"
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-idp.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-idp.log-expected.json
new file mode 100644
index 00000000000..7b377fb5436
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-idp.log-expected.json
@@ -0,0 +1,344 @@ +{ + "expected": [ + { + "@timestamp": "2018-05-23T16:20:34.000Z", + "destination": { + "ip": "10.1.1.234", + "port": 25 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "detect", + "category": [ + "intrusion_detection", + "network" + ], + "code": "06001", + "kind": "alert", + "original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "outcome": "success", + "severity": 4, + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "community_id": "1:U2yQKH6TWkggtH81oE8Yw/5bA30=", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-f64dd6be", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.0.0.168", + "10.1.1.234" + ] + }, + "rule": { + "category": "A Network Trojan was detected", + "id": "26022", + "name": "FILE-PDF EmbeddedFile contained within a PDF" + }, + "sophos": { + "xg": { + "category": "Malware Communication", + "device": "SFW", + "device_name": "XG750", + "dst_country_code": "R1", + "fw_rule_id": "2", + "idp_policy_id": "1", + "log_component": "Anomaly", + "log_id": "020703406001", + "log_subtype": "Detect", + "log_type": "IDP", + "platform": "Windows", + "priority": "Warning", + "rule_priority": "1", + "src_country_code": "R1", + "target": "Server" + } + }, + "source": { + "ip": 
"10.0.0.168", + "port": 28938 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-23T16:16:43.000Z", + "destination": { + "ip": "10.1.0.115", + "port": 25 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "drop", + "category": [ + "intrusion_detection", + "network" + ], + "code": "06002", + "kind": "alert", + "original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "outcome": "success", + "severity": 4, + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "community_id": "1:ZiG8ga1b+BkNsFyuxbnjyDn2xjQ=", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-f64dd6be", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.0.1.31", + "10.1.0.115" + ] + }, + "rule": { + "category": "A Network Trojan was detected", + "id": "26022", + "name": "FILE-PDF EmbeddedFile contained within a PDF" + }, + "sophos": { + "xg": { + "category": "Malware Communication", + "device": "SFW", + "device_name": "XG750", + "dst_country_code": "R1", + "fw_rule_id": "2", + "idp_policy_id": "1", + "log_component": "Anomaly", + "log_id": "020704406002", + "log_subtype": "Drop", + "log_type": "IDP", + "platform": "Windows", + "priority": "Warning", + "rule_priority": "1", + "src_country_code": "R1", + "target": 
"Server" + } + }, + "source": { + "ip": "10.0.1.31", + "port": 40140 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-23T15:49:38.000Z", + "destination": { + "ip": "10.1.0.42", + "port": 111 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "detect", + "category": [ + "intrusion_detection", + "network" + ], + "code": "07001", + "kind": "alert", + "original": "device=\"SFW\" date=2018-05-23 time=15:49:38 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020803407001 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=584 signature_msg=\"PROTOCOL-RPC portmap rusers request UDP\" classification=\"Decode of an RPC Query\" rule_priority=5 src_ip=10.0.1.39 src_country_code=R1 dst_ip=10.1.0.42 dst_country_code=R1 protocol=\"UDP\" src_port=21378 dst_port=111 platform=\"BSD,Linux,Mac,Solaris,Unix\" category=\"Operating System and Services\" target=\"Server\"", + "outcome": "success", + "severity": 4, + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "community_id": "1:2f9LkOfa+shAInkup2Av8GQz/s8=", + "transport": "udp" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-f64dd6be", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "10.0.1.39", + "10.1.0.42" + ] + }, + "rule": { + "category": "Decode of an RPC Query", + "id": "584", + "name": "PROTOCOL-RPC portmap rusers request UDP" + }, + "sophos": { + "xg": { + "category": "Operating System and Services", + "device": "SFW", + "device_name": "XG750", + "dst_country_code": "R1", + "fw_rule_id": "2", + "idp_policy_id": "1", + "log_component": "Signatures", + "log_id": "020803407001", + "log_subtype": "Detect", + "log_type": "IDP", + "platform": "BSD,Linux,Mac,Solaris,Unix", + "priority": 
"Warning", + "rule_priority": "5", + "src_country_code": "R1", + "target": "Server" + } + }, + "source": { + "ip": "10.0.1.39", + "port": 21378 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2017-02-01T12:51:35.000Z", + "destination": { + "ip": "10.198.47.71", + "port": 40575 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "drop", + "category": [ + "intrusion_detection", + "network" + ], + "code": "07002", + "kind": "alert", + "original": "device=\"SFW\" date=2017-02-01 time=12:51:35 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024- P29PUA log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" status=\"\" priority=Warning idp_policy_id=2 fw_rule_id=1 user_name=\"\" signature_id=1151209031 signature_msg=\"Autodesk Design Review GIF GlobalColorTable DataSubBlock Buffer Overflow\" classification=\"Unknown\" rule_priority=3 src_ip=81.2.69.145 src_country_code=HKG dst_ip=10.198.47.71 dst_country_code=R1 protocol=\"TCP\" src_port=80 dst_port=40575 platform=\" Windows\" category=\"Application and Software\" target=\"Client\"", + "outcome": "success", + "severity": 4, + "type": [ + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "warning" + }, + "network": { + "community_id": "1:b8cwgXEoZZVR2PdphquxalsImxQ=", + "transport": "tcp" + }, + "observer": { + "product": "XG", + "serial_number": "C44313350024- P29PUA", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "81.2.69.145", + "10.198.47.71" + ] + }, + "rule": { + "category": "Unknown", + "id": "1151209031", + "name": "Autodesk Design Review GIF GlobalColorTable DataSubBlock Buffer Overflow" + }, + "sophos": { + "xg": { + "category": "Application and Software", + "device": "SFW", + "device_name": "CR750iNG-XP", + "dst_country_code": "R1", + "fw_rule_id": "1", + "idp_policy_id": "2", + "log_component": 
"Signatures", + "log_id": "020804407002", + "log_subtype": "Drop", + "log_type": "IDP", + "platform": " Windows", + "priority": "Warning", + "rule_priority": "3", + "src_country_code": "HKG", + "target": "Client" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.145", + "port": 80 + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-sandstorm.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-sandstorm.log new file mode 100644 index 00000000000..da4d6052d60 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-sandstorm.log 
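Review bot: Events 1 and 3 (log_subtype "Detect", `"action": "detect"`) carry `"type": ["denied", "connection"]`, the same value as the "Drop" events 2 and 4, yet a detect-only IDP hit means the traffic was not blocked; any detection rule or dashboard filtering on event.type:denied would count these as blocked connections. The expected file looks generated from the pipeline, so the fix belongs in the pipeline's log_subtype to event.type mapping (outside this diff) — keep "denied" for Drop only and regenerate this fixture — rather than in a hand edit here. The same consideration applies to `"outcome": "success"`, which is identical for detect and drop and therefore does not help an analyst tell the two apart.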
@@ -0,0 +1,5 @@
+device="SFW" date=2016-12-02 time=18:27:55 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject=""
+device="SFW" date=2016-12-02 time=18:31:50 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="rich" src_ip=192.168.73.220 filename="test7.exe" filetype="application/octet-stream" filesize=871700 sha1sum="7769b038037bc8e5c6373e92f99aa2324eee827c" source="floater.baldrys.ca" reason="cloud clean" destination="" subject=""
+device="SFW" date=2018-06-21 time=23:43:25 timezone="CEST" device_name="SG650" device_id=SFDemo-058196d log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="ta-client" src_ip=10.146.13.251 filename="sandbox_dirty_no_cache" filetype="text/plain" filesize=266541 sha1sum="dd0bf29e56e4433e7dcffbe35f4003b1f251ce9d" source="ta-web-static.qa.astaro.de" reason="cached malicious" destination="" subject=""
+device="SFW" date=2016-12-02 time=18:27:55 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="rich" src_ip=192.168.73.220 filename="badb.exe" filetype="application/octet-stream" filesize=1634319 sha1sum="9379f98b00017db44f3c6120bde7bdcd680296cb" source="floater.baldrys.ca" reason="pending" destination="" subject=""
+device="SFW" date=2016-12-02 time=18:27:55 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="rich" src_ip=192.168.73.220 filename="badb.exe" filetype="application/octet-stream" filesize=1634319 sha1sum="2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" source="floater.baldrys.ca" reason="pending" destination="" subject=""
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-sandstorm.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-sandstorm.log-expected.json
new file mode 100644
index 00000000000..c637b506396
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-sandstorm.log-expected.json
@@ -0,0 +1,393 @@ +{ + "expected": [ + { + "@timestamp": "2016-12-02T18:27:55.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Allowed", + "category": [ + "network" + ], + "code": "18041", + "kind": "event", + "original": "device=\"SFW\" date=2016-12-02 time=18:27:55 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "outcome": "success", + "reason": "eligible", + "severity": 6, + "type": [ + "allowed", + "end", + "connection" + ] + }, + "file": { + "size": 0 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SFVUNL", + "log_component": "Web", + "log_id": "136501618041", + "log_subtype": "Allowed", + "log_type": "Sandbox", + "priority": "Information" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2016-12-02T18:31:50.000Z", + "destination": { + "domain": "floater.baldrys.ca" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Allowed", + "category": [ + "network" + ], + "code": "18041", + "kind": "event", + "original": "device=\"SFW\" date=2016-12-02 time=18:31:50 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"rich\" src_ip=192.168.73.220 filename=\"test7.exe\" filetype=\"application/octet-stream\" filesize=871700 sha1sum=\"7769b038037bc8e5c6373e92f99aa2324eee827c\" source=\"floater.baldrys.ca\" reason=\"cloud clean\" 
destination=\"\" subject=\"\"", + "outcome": "success", + "reason": "cloud clean", + "severity": 6, + "type": [ + "allowed" + ] + }, + "file": { + "hash": { + "sha1": "7769b038037bc8e5c6373e92f99aa2324eee827c" + }, + "mime_type": "application/octet-stream", + "name": "test7.exe", + "size": 871700 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hash": [ + "7769b038037bc8e5c6373e92f99aa2324eee827c" + ], + "hosts": [ + "defaulttest.local", + "floater.baldrys.ca" + ], + "ip": [ + "192.168.73.220" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SFVUNL", + "log_component": "Web", + "log_id": "136501618041", + "log_subtype": "Allowed", + "log_type": "Sandbox", + "priority": "Information" + } + }, + "source": { + "ip": "192.168.73.220", + "user": { + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "floater.baldrys.ca" + } + }, + { + "@timestamp": "2018-06-21T23:43:25.000Z", + "destination": { + "domain": "ta-web-static.qa.astaro.de" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Denied", + "category": [ + "malware", + "network" + ], + "code": "18042", + "kind": "alert", + "original": "device=\"SFW\" date=2018-06-21 time=23:43:25 timezone=\"CEST\" device_name=\"SG650\" device_id=SFDemo-058196d log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"ta-client\" src_ip=10.146.13.251 filename=\"sandbox_dirty_no_cache\" filetype=\"text/plain\" filesize=266541 sha1sum=\"dd0bf29e56e4433e7dcffbe35f4003b1f251ce9d\" source=\"ta-web-static.qa.astaro.de\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "outcome": "success", + "reason": "cached malicious", + "severity": 2, + "type": [ + "denied", + "connection" + ] + }, 
+ "file": { + "hash": { + "sha1": "dd0bf29e56e4433e7dcffbe35f4003b1f251ce9d" + }, + "mime_type": "text/plain", + "name": "sandbox_dirty_no_cache", + "size": 266541 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "critical" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-058196d", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hash": [ + "dd0bf29e56e4433e7dcffbe35f4003b1f251ce9d" + ], + "hosts": [ + "defaulttest.local", + "ta-web-static.qa.astaro.de" + ], + "ip": [ + "10.146.13.251" + ], + "user": [ + "ta-client" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SG650", + "log_component": "Web", + "log_id": "136502218042", + "log_subtype": "Denied", + "log_type": "Sandbox", + "priority": "Critical" + } + }, + "source": { + "ip": "10.146.13.251", + "user": { + "name": "ta-client" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "ta-web-static.qa.astaro.de" + } + }, + { + "@timestamp": "2016-12-02T18:27:55.000Z", + "destination": { + "domain": "floater.baldrys.ca" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Pending", + "category": [ + "network" + ], + "code": "18043", + "kind": "event", + "original": "device=\"SFW\" date=2016-12-02 time=18:27:55 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"rich\" src_ip=192.168.73.220 filename=\"badb.exe\" filetype=\"application/octet-stream\" filesize=1634319 sha1sum=\"9379f98b00017db44f3c6120bde7bdcd680296cb\" source=\"floater.baldrys.ca\" reason=\"pending\" destination=\"\" subject=\"\"", + "outcome": "success", + "reason": "pending", + "severity": 6, + "type": [ + "start", + "connection" + ] + }, + "file": { + "hash": { + "sha1": "9379f98b00017db44f3c6120bde7bdcd680296cb" + }, + "mime_type": "application/octet-stream", + "name": "badb.exe", + "size": 1634319 
+ }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hash": [ + "9379f98b00017db44f3c6120bde7bdcd680296cb" + ], + "hosts": [ + "defaulttest.local", + "floater.baldrys.ca" + ], + "ip": [ + "192.168.73.220" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SFVUNL", + "log_component": "Web", + "log_id": "136528618043", + "log_subtype": "Pending", + "log_type": "Sandbox", + "priority": "Information" + } + }, + "source": { + "ip": "192.168.73.220", + "user": { + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "floater.baldrys.ca" + } + }, + { + "@timestamp": "2016-12-02T18:27:55.000Z", + "destination": { + "domain": "floater.baldrys.ca" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Pending", + "category": [ + "network" + ], + "code": "18043", + "kind": "event", + "original": "device=\"SFW\" date=2016-12-02 time=18:27:55 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"rich\" src_ip=192.168.73.220 filename=\"badb.exe\" filetype=\"application/octet-stream\" filesize=1634319 sha1sum=\"2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae\" source=\"floater.baldrys.ca\" reason=\"pending\" destination=\"\" subject=\"\"", + "outcome": "success", + "reason": "pending", + "severity": 6, + "type": [ + "start", + "connection" + ] + }, + "file": { + "hash": { + "sha256": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + }, + "mime_type": "application/octet-stream", + "name": "badb.exe", + "size": 1634319 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": 
"XG", + "serial_number": "C01001K234RXPA1", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hash": [ + "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" + ], + "hosts": [ + "defaulttest.local", + "floater.baldrys.ca" + ], + "ip": [ + "192.168.73.220" + ], + "user": [ + "rich" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SFVUNL", + "log_component": "Web", + "log_id": "136528618043", + "log_subtype": "Pending", + "log_type": "Sandbox", + "priority": "Information" + } + }, + "source": { + "ip": "192.168.73.220", + "user": { + "name": "rich" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "floater.baldrys.ca" + } + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-systemhealth.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-systemhealth.log new file mode 100644 index 00000000000..ed72ceda8c9 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-systemhealth.log 
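Review bot: `event.action` in this fixture keeps the vendor casing (`"Allowed"`, `"Denied"`, `"Pending"`) while the firewall events earlier in this diff use lowercase `"denied"`/`"allowed"`, so a query on event.action:denied matches one log type but not the other; the pipeline should normalise the value (lowercase) before this expected file is regenerated. Events 1 and 2 share log_id 136501618041 and log_subtype "Allowed" yet get different `event.type` (`["allowed", "end", "connection"]` versus `["allowed"]`), which suggests the mapping depends on something other than the subtype — presumably the empty src_ip/filename in event 1 — and is worth confirming as intended rather than an artefact. The 64-character sha1sum in event 5 is correctly surfaced as `file.hash.sha256` and in `related.hash`, which is the behaviour a hash-based detection would rely on.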
@@ -0,0 +1,5 @@
+device="SFW" date=2018-06-05 time=15:10:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127626618031 log_type="System Health" log_component="CPU" log_subtype="Usage" priority=Information system=1.29% user=7.60% idle=91.11%
+device="SFW" date=2018-06-05 time=15:10:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127726618031 log_type="System Health" log_component="Memory" log_subtype="Usage" priority=Information unit=byte total_memory=2100191232 free=578650112 used=1521541120
+device="SFW" date=2018-06-05 time=15:10:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=123526618031 log_type="System Health" log_component="Interface" log_subtype="Usage" priority=Information interface=Port1 receivedkbits=4.55 transmittedkbits=2.03 receivederrors=0.00 transmitteddrops=0.00 collisions=0.00 transmittederrors=0.00 receiveddrops=0.00
+device="SFW" date=2018-06-05 time=15:10:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127826618031 log_type="System Health" log_component="Disk" log_subtype="Usage" priority=Information Configuration=13.00% Reports=11.00% Signature=11.00% Temp=4.00%
+device="SFW" date=2018-06-05 time=15:10:00 timezone="CEST" device_name="SF01V" device_id=SFDemo-fe75a9f log_id=127926618031 log_type="System Health" log_component="Live User" log_subtype="Usage" priority=Information users=0
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-systemhealth.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-systemhealth.log-expected.json
new file mode 100644
index 00000000000..c6c4f46c33d
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-systemhealth.log-expected.json
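Review bot: All five System Health lines in this fixture use the bare `device="SFW" ...` form, while the updated test-sophos-xg expectations on this page now carry a syslog priority prefix in `event.original` (`\u003c30\u003e...`), so the PRI-prefixed path is not exercised for System Health at all. If the pipeline is meant to accept both framings, one of these lines, say the CPU one, duplicated with a `<30>` prefix would pin that behaviour rather than leave it to the Anti-Spam fixture alone. The same applies to the two-line wireless fixture further down this page; I only note it once here.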
@@ -0,0 +1,239 @@ +{ + "expected": [ + { + "@timestamp": "2018-06-05T15:10:00.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "18031", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-05 time=15:10:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127626618031 log_type=\"System Health\" log_component=\"CPU\" log_subtype=\"Usage\" priority=Information system=1.29% user=7.60% idle=91.11%", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-fe75a9f", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SF01V", + "idle_cpu": 91.11, + "log_component": "CPU", + "log_id": "127626618031", + "log_subtype": "Usage", + "log_type": "System Health", + "priority": "Information", + "system_cpu": 1.29, + "user_cpu": 7.6 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-05T15:10:00.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "18031", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-05 time=15:10:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127726618031 log_type=\"System Health\" log_component=\"Memory\" log_subtype=\"Usage\" priority=Information unit=byte total_memory=2100191232 free=578650112 used=1521541120", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-fe75a9f", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SF01V", + "free": 578650112, + "log_component": "Memory", + "log_id": "127726618031", + "log_subtype": "Usage", + "log_type": "System 
Health", + "priority": "Information", + "total_memory": 2100191232, + "unit": "byte", + "used": 1521541120 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-05T15:10:00.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "18031", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-05 time=15:10:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=123526618031 log_type=\"System Health\" log_component=\"Interface\" log_subtype=\"Usage\" priority=Information interface=Port1 receivedkbits=4.55 transmittedkbits=2.03 receivederrors=0.00 transmitteddrops=0.00 collisions=0.00 transmittederrors=0.00 receiveddrops=0.00", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-fe75a9f", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "collisions": 0.0, + "device": "SFW", + "device_name": "SF01V", + "interface": "Port1", + "log_component": "Interface", + "log_id": "123526618031", + "log_subtype": "Usage", + "log_type": "System Health", + "priority": "Information", + "receiveddrops": 0.0, + "receivederrors": "0.00", + "receivedkbits": 4.55, + "transmitteddrops": 0.0, + "transmittederrors": "0.00", + "transmittedkbits": 2.03 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-05T15:10:00.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "18031", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-05 time=15:10:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127826618031 log_type=\"System Health\" log_component=\"Disk\" log_subtype=\"Usage\" priority=Information Configuration=13.00% Reports=11.00% Signature=11.00% Temp=4.00%", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + 
"level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-fe75a9f", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "configuration": 13.0, + "device": "SFW", + "device_name": "SF01V", + "log_component": "Disk", + "log_id": "127826618031", + "log_subtype": "Usage", + "log_type": "System Health", + "priority": "Information", + "reports": 11.0, + "signature": 11.0, + "temp": 4.0 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-06-05T15:10:00.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "18031", + "kind": "event", + "original": "device=\"SFW\" date=2018-06-05 time=15:10:00 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-fe75a9f log_id=127926618031 log_type=\"System Health\" log_component=\"Live User\" log_subtype=\"Usage\" priority=Information users=0", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "SFDemo-fe75a9f", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "device": "SFW", + "device_name": "SF01V", + "log_component": "Live User", + "log_id": "127926618031", + "log_subtype": "Usage", + "log_type": "System Health", + "priority": "Information", + "users": 0 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-wireless.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-wireless.log new file mode 100644 index 00000000000..4a33dbae2a3 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-wireless.log 
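Review bot: In the Interface event, `"receivederrors": "0.00"` and `"transmittederrors": "0.00"` are pinned as strings while their siblings `receiveddrops`, `transmitteddrops` and `collisions` come out as floats (`0.0`), so this expectation locks in an inconsistent type for two of the five error/drop counters that the same source line reports in the same `0.00` format. Presumably the pipeline's numeric conversion list just omits these two fields; once it covers them the expected lines become `"receivederrors": 0.0,` and `"transmittederrors": 0.0,`, matching the mapping the other counters already use (I cannot see the field definitions from this diff, so confirm the declared type there as well). Leaving them as strings will make threshold alerting on interface errors silently fail on those fields.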
@@ -0,0 +1,2 @@
+device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2
+device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-wireless.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-wireless.log-expected.json
new file mode 100644
index 00000000000..c3b48e37f2a
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18.5-wireless.log-expected.json
@@ -0,0 +1,98 @@ +{ + "expected": [ + { + "@timestamp": "2017-02-01T14:17:35.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "18011", + "kind": "event", + "original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "S110016E28BA631", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "ap": "A40024A636F7862", + "clients_conn_ssid": 2, + "device": "SFW", + "device_name": "SG115", + "log_component": "Wireless Protection", + "log_id": "106025618011", + "log_subtype": "Information", + "log_type": "Wireless Protection", + "priority": "Information", + "ssid": "SPIDIGO2015" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2017-02-01T14:19:47.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "18011", + "kind": "event", + "original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "informational" + }, + "observer": { + "product": "XG", + "serial_number": "S110016E28BA631", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ] + }, + "sophos": { + "xg": { + "ap": 
"A40024A636F7862", + "clients_conn_ssid": 3, + "device": "SFW", + "device_name": "SG115", + "log_component": "Wireless Protection", + "log_id": "106025618011", + "log_subtype": "Information", + "log_type": "Wireless Protection", + "priority": "Information", + "ssid": "SPIDIGO2015" + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json index 8bf3c14116f..5f3dff0dfd5 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json @@ -2,14 +2,6 @@ "expected": [ { "@timestamp": "2020-05-18T14:38:48.000Z", - "client": { - "bytes": 0, - "domain": "elasticuser.com", - "port": 0, - "user": { - "email": "firewall@firewallgate.com" - } - }, "destination": { "bytes": 0, "port": 0, 
@@ -25,10 +17,11 @@ "category": [ "network" ], - "code": "041101618035", + "code": "18035", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", + "reason": "Email has been accepted by Device and queued for scanning.", "severity": 6, "type": [ "allowed", 
@@ -42,7 +35,9 @@ "level": "informational" }, "network": { - "transport": "TCP" + "bytes": 0, + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", @@ -52,16 +47,10 @@ }, "related": { "hosts": [ - "testhost.local" + "testhost.local", + "elasticuser.com" ] }, - "server": { - "bytes": 0, - "port": 0, - "user": { - "email": "Sysadmin@elasticuser.com" - } - }, "sophos": { "xg": { "av_policy_name": "None", @@ -70,14 +59,13 @@ "email_subject": "*ALERT* Sophos XG Firewall", "fw_rule_id": "0", "log_component": "SMTP", + "log_id": "041101618035", "log_subtype": "Allowed", "log_type": "Anti-Spam", "mailid": "qkW2Y6-LxBk6U-vH-1590055245", "mailsize": "19728", - "message_id": "18035", "priority": "Information", "quarantine_reason": "Other", - "reason": "Email has been accepted by Device and queued for scanning.", "spamaction": "QUEUED" } }, @@ -95,27 +83,6 @@ }, { "@timestamp": "2020-05-18T14:38:49.000Z", - "client": { - "bytes": 0, - "domain": "constant-big.email", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 52742, - "user": { - "email": "telekommunikation@constant-big.email" - } - }, "destination": { "bytes": 0, "geo": { 
@@ -144,10 +111,11 @@ "category": [ "network" ], - "code": "041105613003", + "code": "13003", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\u003cMzQ4NzU1ODA4Mw==.70c409993fe53cb7c5e32c9974adf8ff@constant-big\" mailsize=13371 spamaction=\"Accept\" reason=\"Mail is Clean.\" src_domainname=\"constant-big.email\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=52742 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\u003cMzQ4NzU1ODA4Mw==.70c409993fe53cb7c5e32c9974adf8ff@constant-big\" mailsize=13371 spamaction=\"Accept\" reason=\"Mail is Clean.\" src_domainname=\"constant-big.email\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=52742 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", + "reason": "Mail is Clean.", "severity": 6, "type": [ "allowed", 
@@ -161,7 +129,10 @@ "level": "informational" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:7d/3uzjf495waTHySBG1PJtS3h4=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", @@ -171,29 +142,13 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "constant-big.email" + ], + "ip": [ + "175.16.199.1" ] }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 25, - "user": { - "email": "info@pelasticuser.com" - } - }, "sophos": { "xg": { "av_policy_name": "Default", @@ -203,14 +158,13 @@ "email_subject": "Telefonservice statt Anrufbeantworter", "fw_rule_id": "22", "log_component": "SMTP", + "log_id": "041105613003", "log_subtype": "Clean", "log_type": "Anti-Spam", "mailid": "\u003cMzQ4NzU1ODA4Mw==.70c409993fe53cb7c5e32c9974adf8ff@constant-big", "mailsize": "13371", - "message_id": "13003", "priority": "Information", "quarantine_reason": "Other", - "reason": "Mail is Clean.", "spamaction": "Accept", "src_country_code": "USA" } @@ -242,27 +196,6 @@ }, { "@timestamp": "2020-05-18T14:38:50.000Z", - "client": { - "bytes": 0, - "domain": "17buddies.net", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 51789, - "user": { - "email": "ripxfc@17buddies.net" - } - }, "destination": { "bytes": 0, "geo": { 
@@ -292,10 +225,11 @@ "malware", "network" ], - "code": "041107413001", + "code": "13001", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:50 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041107413001 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"Spam\" from_email_address=\"ripxfc@17buddies.net\" to_email_address=\"hein.mueck@elasticuser.de\" email_subject=\"nimm dringend Geld\" mailid=\"\u003coE6Bl1v.H9RXAIt.N5WB1my7xW.JavaMail.app@9in8-vovZnu.prod.17bud\" mailsize=2025 spamaction=\"Reject\" reason=\"Mail detected as SPAM.\" src_domainname=\"17buddies.net\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=BRA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=51789 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:50 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041107413001 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"Spam\" from_email_address=\"ripxfc@17buddies.net\" to_email_address=\"hein.mueck@elasticuser.de\" email_subject=\"nimm dringend Geld\" mailid=\"\u003coE6Bl1v.H9RXAIt.N5WB1my7xW.JavaMail.app@9in8-vovZnu.prod.17bud\" mailsize=2025 spamaction=\"Reject\" reason=\"Mail detected as SPAM.\" src_domainname=\"17buddies.net\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=BRA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=51789 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "outcome": "success", + "reason": "Mail detected as SPAM.", "severity": 4, "type": [ "info", 
@@ -310,7 +244,10 @@ "level": "warning" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:YK7dIGysD31VmEWNgT32s7vj2b8=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", @@ -320,29 +257,13 @@ }, "related": { "hosts": [ - "testhost.local" + "testhost.local", + "17buddies.net" + ], + "ip": [ + "175.16.199.1" ] }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 25, - "user": { - "email": "hein.mueck@elasticuser.de" - } - }, "sophos": { "xg": { "av_policy_name": "Spam", @@ -352,14 +273,13 @@ "email_subject": "nimm dringend Geld", "fw_rule_id": "22", "log_component": "SMTP", + "log_id": "041107413001", "log_subtype": "Spam", "log_type": "Anti-Spam", "mailid": "\u003coE6Bl1v.H9RXAIt.N5WB1my7xW.JavaMail.app@9in8-vovZnu.prod.17bud", "mailsize": "2025", - "message_id": "13001", "priority": "Warning", "quarantine_reason": "Spam", - "reason": "Mail detected as SPAM.", "spamaction": "Reject", "src_country_code": "BRA" } @@ -391,27 +311,6 @@ }, { "@timestamp": "2020-05-18T14:38:51.000Z", - "client": { - "bytes": 0, - "domain": "ELTOBGI.COM", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 55002, - "user": { - "email": "SHERIF.TOBGI@ELTOBGI.COM" - } - }, "destination": { "bytes": 0, "geo": { 
@@ -441,10 +340,11 @@ "malware", "network" ], - "code": "045908413004", + "code": "13004", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"\u003c20200518070235.C1623996C64F9957@ELTOBGI.COM\u003e\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=GBR dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"\u003c20200518070235.C1623996C64F9957@ELTOBGI.COM\u003e\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=GBR dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", "outcome": "success", + "reason": "Sender IP address is blacklisted.", "severity": 4, "type": [ 
"info", @@ -459,7 +359,10 @@ "level": "warning" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:KLsRGAGT4nHkerVf6tdfFI7Er8w=", + "protocol": "smtps", + "transport": "tcp" }, "observer": { "product": "XG", @@ -469,29 +372,13 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "ELTOBGI.COM" + ], + "ip": [ + "175.16.199.1" ] }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 25, - "user": { - "email": "info@elasticuser.com" - } - }, "sophos": { "xg": { "av_policy_name": "rule3", @@ -501,14 +388,13 @@ "email_subject": "09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20", "fw_rule_id": "22", "log_component": "SMTPS", + "log_id": "045908413004", "log_subtype": "Probable Spam", "log_type": "Anti-Spam", "mailid": "\u003c20200518070235.C1623996C64F9957@ELTOBGI.COM\u003e", "mailsize": "1032152", - "message_id": "13004", "priority": "Warning", "quarantine_reason": "RBL", - "reason": "Sender IP address is blacklisted.", "spamaction": "Prefix Subject", "src_country_code": "GBR" } @@ -540,15 +426,6 @@ }, { "@timestamp": "2017-01-31T18:34:41.000Z", - "client": { - "bytes": 0, - "domain": " iview.com", - "ip": "10.198.47.71", - "port": 22420, - "user": { - "email": "gaurav1@iview.com" - } - }, "destination": { "bytes": 0, "ip": "10.198.233.61", 
@@ -566,9 +443,9 @@ "malware", "network" ], - "code": "041113413005", + "code": "13005", "kind": "alert", - "original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "outcome": "success", "severity": 4, "type": [ @@ -584,7 +461,10 @@ "level": "warning" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:cZ39MftFvT3s1y8vN0AHxj2KZII=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", 
@@ -594,17 +474,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + " iview.com" + ], + "ip": [ + "10.198.47.71", + "10.198.233.61" ] }, - "server": { - "bytes": 0, - "ip": "10.198.233.61", - "port": 25, - "user": { - "email": " gaurav2@iview.com" - } - }, "sophos": { "xg": { "av_policy_name": "Gaurav123", @@ -614,11 +491,11 @@ "email_subject": "RPD Spam Test: Spam", "fw_rule_id": "0", "log_component": "SMTP", + "log_id": "041113413005", "log_subtype": "Outbound Spam", "log_type": "Anti-Spam", "mailid": "\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e", "mailsize": "405", - "message_id": "13005", "priority": "Warning", "quarantine_reason": "Spam", "spamaction": "Accept", @@ -641,15 +518,6 @@ }, { "@timestamp": "2018-06-06T11:10:11.000Z", - "client": { - "bytes": 0, - "domain": "postman.local", - "ip": "10.198.16.121", - "port": 58043, - "user": { - "email": "pankhil@postman.local" - } - }, "destination": { "bytes": 0, "ip": "10.198.234.240", 
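Review bot: In the first hunk on this line, `related.hosts` now receives `" iview.com"` with its leading space intact, carried straight through from `src_domainname=" iview.com"` in the source line shown in the previous hunk. `related.hosts` exists for exact-match correlation across data sources, so an untrimmed value never matches the same domain emitted elsewhere, and the same untrimmed `" gaurav2@iview.com"` recipient was visible on the old side. The expectation should read `"iview.com"` once the pipeline trims domain and address values before they are copied into `related.*`; an Elasticsearch `trim` processor on those fields would do it without touching `event.original`.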
@@ -667,10 +535,11 @@ "malware", "network" ], - "code": "041114413006", + "code": "13006", "kind": "alert", - "original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "outcome": "success", + "reason": "Mail detected as OUTBOUND PROBABLE SPAM.", "severity": 4, "type": [ "info", 
@@ -685,7 +554,10 @@ "level": "warning" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:4pL1g2Wx0xpVOFsPZ927l+yIPiU=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", @@ -695,17 +567,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.234.240" ] }, - "server": { - "bytes": 0, - "ip": "10.198.234.240", - "port": 25, - "user": { - "email": "pankhil1@Postman.local" - } - }, "sophos": { "xg": { "av_policy_name": "rule 8", @@ -715,14 +584,13 @@ "email_subject": "RPD Spam test: Bulk", "fw_rule_id": "0", "log_component": "SMTP", + "log_id": "041114413006", "log_subtype": "Outbound Probable Spam", "log_type": "Anti-Spam", "mailid": "\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e", "mailsize": "439", - "message_id": "13006", "priority": "Warning", "quarantine_reason": "Spam", - "reason": "Mail detected as OUTBOUND PROBABLE SPAM.", "spamaction": "Drop", "src_country_code": "R1" } @@ -742,15 +610,6 @@ }, { "@timestamp": "2018-06-06T12:50:07.000Z", - "client": { - "bytes": 0, - "domain": "postman.local", - "ip": "10.198.16.121", - "port": 60134, - "user": { - "email": "pankhil@postman.local" - } - }, "destination": { "bytes": 0, "ip": "10.198.17.121", 
@@ -768,10 +627,11 @@ "malware", "network" ], - "code": "041121613009", + "code": "13009", "kind": "alert", - "original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", "outcome": "success", + "reason": "Email containing confidential data detected. Relevant Data Protection Policy applied.", "severity": 6, "type": [ "info", 
@@ -786,7 +646,10 @@ "level": "informational" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:a0QO0XDedN9BRtTg60uWTq/zaCQ=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", @@ -796,17 +659,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.17.121" ] }, - "server": { - "bytes": 0, - "ip": "10.198.17.121", - "port": 25, - "user": { - "email": "pankhil1@Postman. local" - } - }, "sophos": { "xg": { "av_policy_name": "postman", @@ -816,14 +676,13 @@ "email_subject": "Fwd: TESt", "fw_rule_id": "0", "log_component": "SMTP", + "log_id": "041121613009", "log_subtype": "DLP", "log_type": "Anti-Spam", "mailid": "c0000002-1528269606", "mailsize": "5041", - "message_id": "13009", "priority": "Information", "quarantine_reason": "DLP", - "reason": "Email containing confidential data detected. Relevant Data Protection Policy applied.", "spamaction": "DROP", "src_country_code": "R1" } @@ -843,15 +702,6 @@ }, { "@timestamp": "2018-06-06T12:51:34.000Z", - "client": { - "bytes": 0, - "domain": "postman.local", - "ip": "10.198.16.121", - "port": 60298, - "user": { - "email": "pankhil@postman.local" - } - }, "destination": { "bytes": 0, "ip": "10.198.16.204", 
@@ -868,10 +718,11 @@ "category": [ "network" ], - "code": "041122613010", + "code": "13010", "kind": "event", - "original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", + "reason": "SPX Template of type Specified by Sender successfully applied on Email.", "severity": 6, "type": [ "allowed", 
@@ -885,7 +736,10 @@ "level": "informational" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:Gh3yGHw3PI8ixdFOiZO3wKa8qrI=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", @@ -895,17 +749,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.16.204" ] }, - "server": { - "bytes": 0, - "ip": "10.198.16.204", - "port": 25, - "user": { - "email": "pankhil1@Postman.local" - } - }, "sophos": { "xg": { "av_policy_name": "None", @@ -915,14 +766,13 @@ "email_subject": "[secure:pankhil]", "fw_rule_id": "0", "log_component": "SMTP", + "log_id": "041122613010", "log_subtype": "SPX", "log_type": "Anti-Spam", "mailid": "c0000003-1528269693", "mailsize": "442", - "message_id": "13010", "priority": "Information", "quarantine_reason": "Other", - "reason": "SPX Template of type Specified by Sender successfully applied on Email.", "spamaction": "Accept", "src_country_code": "R1" } @@ -942,11 +792,6 @@ }, { "@timestamp": "2018-06-06T12:53:39.000Z", - "client": { - "bytes": 0, - "ip": "10.198.16.121", - "port": 60392 - }, "destination": { "bytes": 0, "ip": "10.198.17.121", 
@@ -961,10 +806,11 @@ "intrusion_detection", "network" ], - "code": "041123413012", + "code": "13012", "kind": "alert", - "original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", + "reason": "SMTP DoS", "severity": 4, "type": [ "info", @@ -979,7 +825,10 @@ "level": "warning" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:kePcBIa66amVdXctNnMv73KAlD8=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", @@ -990,13 +839,12 @@ "related": { "hosts": [ "defaulttest.local" + ], + "ip": [ + "10.198.16.121", + "10.198.17.121" ] }, - "server": { - "bytes": 0, - "ip": "10.198.17.121", - "port": 25 - }, "sophos": { "xg": { "av_policy_name": "None", 
@@ -1005,13 +853,12 @@ "dst_country_code": "R1", "fw_rule_id": "0", "log_component": "SMTP", + "log_id": "041123413012", "log_subtype": "Dos", "log_type": "Anti-Spam", "mailsize": "0", - "message_id": "13012", "priority": "Warning", "quarantine_reason": "Other", - "reason": "SMTP DoS", "spamaction": "TMPREJECT", "src_country_code": "R1" } @@ -1027,15 +874,6 @@ }, { "@timestamp": "2018-06-06T12:56:53.000Z", - "client": { - "bytes": 0, - "domain": "postman.local", - "ip": "10.198.16.121", - "port": 60608, - "user": { - "email": "pankhil1@postman.local" - } - }, "destination": { "bytes": 0, "ip": "10.198.17.121", 
@@ -1053,10 +891,11 @@ "malware", "network" ], - "code": "041102413014", + "code": "13014", "kind": "alert", - "original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", "outcome": "success", + "reason": "Email is marked Malicious by Sophos Sandstorm.", "severity": 4, "type": [ "info", @@ -1071,7 +910,10 @@ "level": "warning" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:s4oqzO6RVrUrT4HCROvCsRxyngM=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", 
@@ -1081,17 +923,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "postman.local" + ], + "ip": [ + "10.198.16.121", + "10.198.17.121" ] }, - "server": { - "bytes": 0, - "ip": "10.198.17.121", - "port": 25, - "user": { - "email": "pankhil@postman. local" - } - }, "sophos": { "xg": { "av_policy_name": "postman", @@ -1101,13 +940,12 @@ "email_subject": "Fwd: test sand", "fw_rule_id": "0", "log_component": "SMTP", + "log_id": "041102413014", "log_subtype": "Denied", "log_type": "Anti-Spam", "mailid": "c0000008-1528270010", "mailsize": "419835", - "message_id": "13014", "priority": "Warning", - "reason": "Email is marked Malicious by Sophos Sandstorm.", "spamaction": "DROP", "src_country_code": "R1" } @@ -1127,15 +965,6 @@ }, { "@timestamp": "2017-01-31T18:31:11.000Z", - "client": { - "bytes": 0, - "domain": " iview.com", - "ip": "10.198.47.71", - "port": 22333, - "user": { - "email": "gaurav1@iview.com" - } - }, "destination": { "bytes": 0, "ip": "10.198.233.61", 
@@ -1153,9 +982,9 @@ "malware", "network" ], - "code": "041207414001", + "code": "14001", "kind": "alert", - "original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", "severity": 4, "type": [ @@ -1171,7 +1000,10 @@ "level": "warning" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:E/1TIGuzeeJuVhq04jui66hWf/Q=", + "protocol": "pop3", + "transport": "tcp" }, "observer": { "product": "XG", 
@@ -1181,17 +1013,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + " iview.com" + ], + "ip": [ + "10.198.47.71", + "10.198.233.61" ] }, - "server": { - "bytes": 0, - "ip": "10.198.233.61", - "port": 110, - "user": { - "email": "gaurav2@iview. com" - } - }, "sophos": { "xg": { "av_policy_name": "GauravPatel", @@ -1202,11 +1031,11 @@ "email_subject": "RPD Spam Test: Spam", "fw_rule_id": "0", "log_component": "POP3", + "log_id": "041207414001", "log_subtype": "Spam", "log_type": "Anti-Spam", "mailid": "\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e", "mailsize": "574", - "message_id": "14001", "priority": "Warning", "quarantine_reason": "Other", "spamaction": "Accept", @@ -1229,23 +1058,6 @@ }, { "@timestamp": "2020-05-18T14:38:33.000Z", - "client": { - "bytes": 550, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 57695 - }, "destination": { "bytes": 1616, "geo": { 
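Review bot: `related.hosts` on the new side of the first hunk carries `" iview.com"` with a leading space, copied verbatim from `src_domainname=" iview.com"` in the raw event. `related.*` exists for pivoting and correlation, and a keyword value with leading whitespace will never match `iview.com` from any other event, so the pipeline step that appends `src_domainname`/`dst_domainname` to `related.hosts` (not visible here) should trim the value first, e.g. a `trim` processor on the field before the `append`, after which this expected value becomes `"iview.com"`. The same untrimmed string presumably also lands in `source.domain` for this event, which is worth checking at the same time. Since this is a generated expected-output fixture, the fix belongs in the ingest pipeline and this file should be regenerated afterwards.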
@@ -1272,9 +1084,9 @@ "malware", "network" ], - "code": "030906208001", + "code": "08001", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36\" status_code=403", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36\" status_code=403", "outcome": "success", "severity": 2, "type": [ @@ -1295,7 +1107,10 @@ "level": "critical" }, "network": { - "transport": "TCP" + "bytes": 2166, + "community_id": "1:/vqw1Zz6/4E618BC7NwuF8VviEw=", + "protocol": "http", + "transport": "tcp" }, "observer": { "product": "XG", @@ -1305,7 +1120,8 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "sophostest.com" ], "ip": [ "175.16.199.1" 
@@ -1314,23 +1130,6 @@ "rule": { "id": "2" }, - "server": { - "bytes": 1616, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "device": "SFW", @@ -1338,9 +1137,9 @@ "dst_country_code": "USA", "iap": "13", "log_component": "HTTP", + "log_id": "030906208001", "log_subtype": "Virus", "log_type": "Anti-Virus", - "message_id": "08001", "priority": "Critical", "src_country_code": "R1", "virus": "Sandstorm" @@ -1368,7 +1167,11 @@ ], "url": { "domain": "sophostest.com", - "original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf" + "extension": "pdf", + "full": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", + "original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", + "path": "/Sandstorm/SBTestFile1.pdf", + "scheme": "http" }, "user_agent": { "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36" @@ -1376,23 +1179,6 @@ }, { "@timestamp": "2020-05-18T14:38:34.000Z", - "client": { - "bytes": 541, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 57835 - }, "destination": { "bytes": 553, "geo": { 
@@ -1419,9 +1205,9 @@ "malware", "network" ], - "code": "030906208001", + "code": "08001", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36\" status_code=403", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36\" status_code=403", "outcome": "success", "severity": 2, "type": [ @@ -1442,7 +1228,10 @@ "level": "critical" }, "network": { - "transport": "TCP" + "bytes": 1094, + "community_id": "1:Z0Tretxsz7tfUwZQuBzT3MrFn3M=", + "protocol": "http", + "transport": "tcp" }, "observer": { "product": "XG", @@ -1452,7 +1241,8 @@ }, "related": { "hosts": [ - "testhost.local" + "testhost.local", + "sophostest.com" ], "ip": [ "175.16.199.1" 
@@ -1461,23 +1251,6 @@ "rule": { "id": "2" }, - "server": { - "bytes": 553, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "device": "SFW", @@ -1485,9 +1258,9 @@ "dst_country_code": "USA", "iap": "13", "log_component": "HTTP", + "log_id": "030906208001", "log_subtype": "Virus", "log_type": "Anti-Virus", - "message_id": "08001", "priority": "Critical", "src_country_code": "R1", "virus": "EICAR-AV-Test" @@ -1515,7 +1288,11 @@ ], "url": { "domain": "sophostest.com", - "original": "http://sophostest.com/eicar/index.html" + "extension": "html", + "full": "http://sophostest.com/eicar/index.html", + "original": "http://sophostest.com/eicar/index.html", + "path": "/eicar/index.html", + "scheme": "http" }, "user_agent": { "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36" @@ -1523,26 +1300,6 @@ }, { "@timestamp": "2020-05-18T14:38:35.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 56336, - "user": { - "email": "info@farasamed.com" - } - }, "destination": { "bytes": 0, "geo": { 
@@ -1572,9 +1329,9 @@ "malware", "network" ], - "code": "031106210001", + "code": "10001", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"\u003c20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"\u003c20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "outcome": "success", "severity": 2, "type": [ 
@@ -1590,7 +1347,10 @@ "level": "critical" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:SDfOMtSrSIy++DO4/iWrhPflPNE=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", @@ -1600,7 +1360,8 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "farasamed.com" ], "ip": [ "175.16.199.1" @@ -1609,26 +1370,6 @@ "rule": { "id": "22" }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 25, - "user": { - "email": "info@elastic-user.local" - } - }, "sophos": { "xg": { "av_policy_name": "default-smtp-av", @@ -1636,11 +1377,11 @@ "device_name": "XG230", "dst_country_code": "DEU", "log_component": "SMTP", + "log_id": "031106210001", "log_subtype": "Virus", "log_type": "Anti-Virus", "mailid": "\u003c20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr", "mailsize": "2254721", - "message_id": "10001", "priority": "Critical", "quarantine_reason": "Infected", "src_country_code": "DEU", @@ -1650,6 +1391,7 @@ }, "source": { "bytes": 0, + "domain": "farasamed.com", "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -1670,33 +1412,10 @@ }, "tags": [ "preserve_original_event" - ], - "url": { - "domain": "farasamed.com" - } + ] }, { "@timestamp": "2020-05-18T14:38:36.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 54693, - "user": { - "email": "spedizioni@divella.it" - } - }, "destination": { "bytes": 0, "geo": { 
@@ -1726,9 +1445,9 @@ "malware", "network" ], - "code": "031106210001", + "code": "10001", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"\u003c20200519072944.AFCA295AF2A037A6@divella.it\u003e\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"\u003c20200519072944.AFCA295AF2A037A6@divella.it\u003e\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "outcome": "success", "severity": 2, "type": [ 
@@ -1744,7 +1463,10 @@ "level": "critical" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:6tpKSGkpOdXHM5vhqNlALTDRGM8=", + "protocol": "smtp", + "transport": "tcp" }, "observer": { "product": "XG", @@ -1753,35 +1475,16 @@ "vendor": "Sophos" }, "related": { - "hosts": [ - "testhost.local" - ], - "ip": [ - "175.16.199.1" - ] - }, - "rule": { - "id": "22" - }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 25, - "user": { - "email": "info@elastic-user.local" - } + "hosts": [ + "testhost.local", + "divella.it" + ], + "ip": [ + "175.16.199.1" + ] + }, + "rule": { + "id": "22" }, "sophos": { "xg": { @@ -1790,11 +1493,11 @@ "device_name": "XG230", "dst_country_code": "DEU", "log_component": "SMTP", + "log_id": "031106210001", "log_subtype": "Virus", "log_type": "Anti-Virus", "mailid": "\u003c20200519072944.AFCA295AF2A037A6@divella.it\u003e", "mailsize": "537457", - "message_id": "10001", "priority": "Critical", "quarantine_reason": "Infected", "src_country_code": "USA", @@ -1804,6 +1507,7 @@ }, "source": { "bytes": 0, + "domain": "divella.it", "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -1824,21 +1528,10 @@ }, "tags": [ "preserve_original_event" - ], - "url": { - "domain": "divella.it" - } + ] }, { "@timestamp": "2018-06-06T10:51:29.000Z", - "client": { - "bytes": 0, - "ip": "10.198.16.121", - "port": 56653, - "user": { - "email": "pankhil@postman.local" - } - }, "destination": { "bytes": 0, "ip": "10.198.234.240", 
@@ -1856,9 +1549,9 @@ "malware", "network" ], - "code": "036106211001", + "code": "11001", "kind": "alert", - "original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", "severity": 2, "type": [ @@ -1874,7 +1567,10 @@ "level": "critical" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:miDZMZyHzg1ArtBIc4N8695JaWk=", + "protocol": "pop3s", + "transport": "tcp" }, "observer": { "product": "XG", 
@@ -1884,7 +1580,8 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "postman.local" ], "ip": [ "10.198.16.121", @@ -1894,14 +1591,6 @@ "rule": { "id": "0" }, - "server": { - "bytes": 0, - "ip": "10.198.234.240", - "port": 995, - "user": { - "email": "pankhil@postman.local" - } - }, "sophos": { "xg": { "av_policy_name": "None", @@ -1909,11 +1598,11 @@ "device_name": "SG430", "dst_country_code": "R1", "log_component": "POPS", + "log_id": "036106211001", "log_subtype": "Virus", "log_type": "Anti-Virus", "mailid": "\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e", "mailsize": "0", - "message_id": "11001", "priority": "Critical", "quarantine_reason": "Other", "src_country_code": "R1", @@ -1923,6 +1612,7 @@ }, "source": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", "port": 56653, "user": { @@ -1931,21 +1621,10 @@ }, "tags": [ "preserve_original_event" - ], - "url": { - "domain": "postman.local" - } + ] }, { "@timestamp": "2018-06-06T10:58:29.000Z", - "client": { - "bytes": 0, - "ip": "10.198.16.121", - "port": 56632, - "user": { - "email": "pankhil@postman.local" - } - }, "destination": { "bytes": 0, "ip": "10.198.234.240", 
@@ -1963,9 +1642,9 @@ "malware", "network" ], - "code": "036206212001", + "code": "12001", "kind": "alert", - "original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", "severity": 2, "type": [ @@ -1981,7 +1660,10 @@ "level": "critical" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:brG0+fyFYq1h9huQh5nQ8cHjL5E=", + "protocol": "imaps", + "transport": "tcp" }, "observer": { "product": "XG", 
@@ -1991,7 +1673,8 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "postman.local" ], "ip": [ "10.198.16.121", @@ -2001,14 +1684,6 @@ "rule": { "id": "0" }, - "server": { - "bytes": 0, - "ip": "10.198.234.240", - "port": 993, - "user": { - "email": "ganga@postman.local" - } - }, "sophos": { "xg": { "av_policy_name": "None", @@ -2016,11 +1691,11 @@ "device_name": "SG430", "dst_country_code": "R1", "log_component": "IMAPS", + "log_id": "036206212001", "log_subtype": "Virus", "log_type": "Anti-Virus", "mailid": "\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e", "mailsize": "0", - "message_id": "12001", "priority": "Critical", "quarantine_reason": "Other", "src_country_code": "R1", @@ -2030,6 +1705,7 @@ }, "source": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", "port": 56632, "user": { @@ -2038,18 +1714,10 @@ }, "tags": [ "preserve_original_event" - ], - "url": { - "domain": "postman.local" - } + ] }, { "@timestamp": "2018-06-21T19:50:23.000Z", - "client": { - "bytes": 0, - "ip": "10.146.13.49", - "port": 39910 - }, "destination": { "bytes": 0, "ip": "10.8.142.181", 
@@ -2064,9 +1732,9 @@ "malware", "network" ], - "code": "031006209001", + "code": "09001", "kind": "alert", - "original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", "outcome": "success", "severity": 2, "type": [ @@ -2087,7 +1755,10 @@ "level": "critical" }, "network": { - "transport": "TCP" + "bytes": 0, + "community_id": "1:pEAtCi2v+cfDLsHaWvO82/Ahn0k=", + "protocol": "ftp", + "transport": "tcp" }, "observer": { "product": "XG", 
@@ -2107,23 +1778,18 @@ "rule": { "id": "0" }, - "server": { - "bytes": 0, - "ip": "10.8.142.181", - "port": 21 - }, "sophos": { "xg": { - "FTP_direction": "Upload", - "FTP_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", "device": "SFW", "device_name": "SF01V", "dst_country_code": "R1", + "ftp_direction": "Upload", + "ftp_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", "ftpcommand": "STOR", "log_component": "FTP", + "log_id": "031006209001", "log_subtype": "Virus", "log_type": "Anti-Virus", - "message_id": "09001", "priority": "Critical", "src_country_code": "R1", "virus": "EICAR-AV-Test" @@ -2140,11 +1806,6 @@ }, { "@timestamp": "2018-06-21T19:50:48.000Z", - "client": { - "bytes": 0, - "ip": "10.146.13.49", - "port": 39936 - }, "destination": { "bytes": 19926248, "ip": "10.8.142.181", 
@@ -2158,9 +1819,9 @@ "category": [ "network" ], - "code": "031001609002", + "code": "09002", "kind": "event", - "original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", "outcome": "success", "severity": 6, "type": [ @@ -2180,7 +1841,10 @@ "level": "informational" }, "network": { - "transport": "TCP" + "bytes": 19926248, + "community_id": "1:hUeUw/6dIhcWCOgAeWChZiMq1qA=", + "protocol": "ftp", + "transport": "tcp" }, "observer": { "product": "XG", 
@@ -2200,22 +1864,17 @@ "rule": { "id": "0" }, - "server": { - "bytes": 19926248, - "ip": "10.8.142.181", - "port": 21 - }, "sophos": { "xg": { - "FTP_direction": "Download", - "FTP_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", "device": "SFW", "device_name": "SF01V", + "ftp_direction": "Download", + "ftp_url": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", "ftpcommand": "RETR", "log_component": "FTP", + "log_id": "031001609002", "log_subtype": "Allowed", "log_type": "Anti-Virus", - "message_id": "09002", "priority": "Information" } }, @@ -2230,13 +1889,6 @@ }, { "@timestamp": "2017-01-31T18:44:31.000Z", - "client": { - "ip": "10.198.47.71", - "port": 22623, - "user": { - "name": "jsmith" - } - }, "destination": { "geo": { "city_name": "Changchun", 
@@ -2262,10 +1914,10 @@ "intrusion_detection", "network" ], - "code": "086304418010", + "code": "18010", "id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7", "kind": "alert", - "original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "outcome": "success", "severity": 4, "type": [ @@ -2280,6 +1932,7 @@ "level": "warning" }, "network": { + "community_id": "1:iHz0+HJt5nXYKJ8gA8XBVhxEQwI=", "transport": "tcp" }, "observer": { 
@@ -2300,31 +1953,15 @@ "jsmith" ] }, - "server": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "device": "SFW", "device_name": "CR750iNG-XP", "eventtype": "Standard", "log_component": "Firewall", + "log_id": "086304418010", "log_subtype": "Drop", "log_type": "ATP", - "message_id": "18010", "priority": "Warning", "threatname": "C2/Generic-A" } @@ -2345,22 +1982,6 @@ }, { "@timestamp": "2020-05-18T14:38:34.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 57579 - }, "destination": { "geo": { "city_name": "Changchun", 
@@ -2386,10 +2007,10 @@ "intrusion_detection", "network" ], - "code": "086504418010", + "code": "18010", "id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "outcome": "success", "severity": 4, "type": [ @@ -2404,6 +2025,7 @@ "level": "warning" }, "network": { + "community_id": "1:b1o4Rde4SEO3zGAysRCmwfRnBE8=", "transport": "tcp" }, "observer": { 
@@ -2414,37 +2036,22 @@ }, "related": { "hosts": [ - "testhost.local" + "testhost.local", + "sophostest.com" ], "ip": [ "175.16.199.1" ] }, - "server": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "device": "SFW", "device_name": "XG230", "eventtype": "Standard", "log_component": "Web", + "log_id": "086504418010", "log_subtype": "Drop", "log_type": "ATP", - "message_id": "18010", "priority": "Warning", "threatname": "C2/Generic-A" } @@ -2469,27 +2076,16 @@ "preserve_original_event" ], "url": { - "original": "http://sophostest.com/callhome/index.html" + "domain": "sophostest.com", + "extension": "html", + "full": "http://sophostest.com/callhome/index.html", + "original": "http://sophostest.com/callhome/index.html", + "path": "/callhome/index.html", + "scheme": "http" } }, { "@timestamp": "2020-05-18T14:38:35.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 57540 - }, "destination": { "geo": { "city_name": "Changchun", 
@@ -2515,10 +2111,10 @@ "intrusion_detection", "network" ], - "code": "086504418010", + "code": "18010", "id": "34AC8531-E7C0-4368-9978-5740952EE9AB", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "outcome": "success", "severity": 4, "type": [ @@ -2533,6 +2129,7 @@ "level": "warning" }, "network": { + "community_id": "1:7bR+xjprLOf1D9nMa07/FLTsJb4=", "transport": "tcp" }, "observer": { 
@@ -2543,37 +2140,22 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "sophostest.com" ], "ip": [ "175.16.199.1" ] }, - "server": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "device": "SFW", "device_name": "XG230", "eventtype": "Standard", "log_component": "Web", + "log_id": "086504418010", "log_subtype": "Drop", "log_type": "ATP", - "message_id": "18010", "priority": "Warning", "threatname": "C2/Generic-A" } @@ -2598,15 +2180,16 @@ "preserve_original_event" ], "url": { - "original": "http://sophostest.com/callhome/index.html" + "domain": "sophostest.com", + "extension": "html", + "full": "http://sophostest.com/callhome/index.html", + "original": "http://sophostest.com/callhome/index.html", + "path": "/callhome/index.html", + "scheme": "http" } }, { "@timestamp": "2018-06-05T08:49:00.000Z", - "client": { - "ip": "10.198.32.89", - "port": 0 - }, "destination": { "geo": { "city_name": "Changchun", 
@@ -2632,10 +2215,10 @@ "intrusion_detection", "network" ], - "code": "086320518009", + "code": "18009", "id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2", "kind": "alert", - "original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "outcome": "success", "severity": 5, "type": [ @@ -2650,6 +2233,7 @@ "level": "notification" }, "network": { + "community_id": "1:kHHQzEsYiPicaHEfNBDcL79Jdlk=", "transport": "icmp" }, "observer": { @@ -2667,31 +2251,15 @@ "175.16.199.1" ] }, - "server": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 0 - }, "sophos": { "xg": { "device": "SFW", "device_name": "XG310", "eventtype": "Standard", "log_component": "Firewall", + "log_id": "086320518009", "log_subtype": "Alert", "log_type": "ATP", - "message_id": "18009", "priority": "Notice", "threatname": "C2/Generic-A" } 
@@ -2709,17 +2277,6 @@ }, { "@timestamp": "2017-01-31T14:03:33.000Z", - "client": { - "bytes": 0, - "ip": "10.198.47.71", - "port": 9444, - "user": { - "group": { - "name": "Open Group" - }, - "name": "jsmith" - } - }, "destination": { "bytes": 319007, "geo": { @@ -2745,9 +2302,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", "outcome": "success", "severity": 6, "type": [ 
@@ -2762,6 +2319,9 @@ "level": "informational" }, "network": { + "bytes": 319007, + "community_id": "1:/f8qayUuOw8mnpWRZ+An6bMQrdY=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -2772,7 +2332,8 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "r8---sn-ci5gup-qxas.googlevideo.com" ], "ip": [ "10.198.47.71", @@ -2782,23 +2343,6 @@ "jsmith" ] }, - "server": { - "bytes": 319007, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 443 - }, "sophos": { "xg": { "category": "Entertainment", @@ -2808,9 +2352,9 @@ "fw_rule_id": "2", "iap": "1", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", - "message_id": "16001", "priority": "Information" } }, @@ -2838,23 +2382,6 @@ }, { "@timestamp": "2017-02-01T18:20:21.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 46719 - }, "destination": { "bytes": 0, "geo": { 
@@ -2881,9 +2408,9 @@ "malware", "network" ], - "code": "050902616002", + "code": "16002", "kind": "alert", - "original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion \u0026 Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion \u0026 Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", "outcome": "success", "severity": 6, "type": [ 
@@ -2899,38 +2426,25 @@ "level": "informational" }, "network": { + "bytes": 0, + "community_id": "1:VEidEjVf6CfPataXyE+RuqsRk7Q=", + "protocol": "http", "transport": "tcp" }, - "observer": { - "product": "XG", - "serial_number": "S110000E28BA631", - "type": "firewall", - "vendor": "Sophos" - }, - "related": { - "hosts": [ - "defaulttest.local" - ], - "ip": [ - "175.16.199.1" - ] - }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 + "observer": { + "product": "XG", + "serial_number": "S110000E28BA631", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "hanuman.com" + ], + "ip": [ + "175.16.199.1" + ] }, "sophos": { "xg": { @@ -2941,9 +2455,9 @@ "fw_rule_id": "1", "iap": "13", "log_component": "HTTP", + "log_id": "050902616002", "log_subtype": "Denied", "log_type": "Content Filtering", - "message_id": "16002", "priority": "Information" } }, @@ -2977,23 +2491,6 @@ }, { "@timestamp": "2017-02-01T18:13:29.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 49128 - }, "destination": { "bytes": 0, "geo": { 
@@ -3020,9 +2517,9 @@ "malware", "network" ], - "code": "054402617051", + "code": "17051", "kind": "alert", - "original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", "outcome": "success", "severity": 6, "type": [ @@ -3038,6 +2535,8 @@ "level": "informational" }, "network": { + "bytes": 0, + "community_id": "1:AJhaUU/xeI8D80gn3JKhVsapjjk=", "transport": "tcp" }, "observer": { 
@@ -3054,23 +2553,6 @@ "175.16.199.1" ] }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 5228 - }, "sophos": { "xg": { "application_category": "Mobile Applications", @@ -3084,9 +2566,9 @@ "dst_country_code": "USA", "fw_rule_id": "1", "log_component": "Application", + "log_id": "054402617051", "log_subtype": "Denied", "log_type": "Content Filtering", - "message_id": "17051", "priority": "Information", "src_country_code": "DEU", "status": "Deny" @@ -3115,23 +2597,6 @@ }, { "@timestamp": "2020-05-18T14:38:51.000Z", - "client": { - "bytes": 259, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 62851 - }, "destination": { "bytes": 168, "geo": { 
@@ -3157,9 +2622,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" 
app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "outcome": "success", "severity": 6, "type": [ @@ -3179,6 +2644,9 @@ "level": "informational" }, "network": { + "bytes": 427, + "community_id": "1:/CPcuTzO6efcTUZGJuANFDduxfY=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -3189,29 +2657,13 @@ }, "related": { "hosts": [ - "testhost.local" + "testhost.local", + "his-eur1-neur1.servicebus.windows.net" ], "ip": [ "175.16.199.1" ] }, - "server": { - "bytes": 168, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -3223,9 +2675,9 @@ "fw_rule_id": "2", "iap": "13", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", - "message_id": "16001", "priority": "Information", "status_code": "400" } @@ -3260,23 +2712,6 @@ }, { "@timestamp": "2020-05-18T14:38:52.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 60471 - }, "destination": { "bytes": 0, "geo": { 
@@ -3303,9 +2738,9 @@ "malware", "network" ], - "code": "050902616002", + "code": "16002", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://175.16.199.1/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=175.16.199.1 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://175.16.199.1/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=175.16.199.1 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "outcome": "success", "severity": 6, "type": [ 
@@ -3326,6 +2761,9 @@ "level": "informational" }, "network": { + "bytes": 0, + "community_id": "1:UmV8uoUJ74HsD4zFRsdS7E2yq/w=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -3336,29 +2774,13 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "175.16.199.1" ], "ip": [ "175.16.199.1" ] }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -3370,9 +2792,9 @@ "fw_rule_id": "51", "iap": "2", "log_component": "HTTP", + "log_id": "050902616002", "log_subtype": "Denied", "log_type": "Content Filtering", - "message_id": "16002", "priority": "Information", "status_code": "200" } @@ -3407,23 +2829,6 @@ }, { "@timestamp": "2020-05-18T14:38:53.000Z", - "client": { - "bytes": 980, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 65391 - }, "destination": { "bytes": 295, "geo": { 
@@ -3449,9 +2854,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm 
activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "outcome": "success", "severity": 6, "type": [ @@ -3471,6 +2876,9 @@ "level": "informational" }, "network": { + "bytes": 1275, + "community_id": "1:Ryp54doRa7oC9nCPf20XUfuS+tg=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -3481,29 +2889,13 @@ }, "related": { "hosts": [ - "testhost.local" + "testhost.local", + "update.eset.com" ], "ip": [ "175.16.199.1" ] }, - "server": { - "bytes": 295, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -3516,9 +2908,9 @@ "fw_rule_id": "2", "iap": "13", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", - "message_id": "16001", "priority": "Information", "status_code": "304" } @@ -3564,9 +2956,6 @@ }, { "@timestamp": "2016-12-02T18:50:20.000Z", - "client": { - "ip": "10.108.108.49" - }, "ecs": { "version": "8.0.0" }, 
@@ -3575,9 +2964,9 @@ "category": [ "network" ], - "code": "058420116010", + "code": "16010", "kind": "event", - "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", + "original": "\u003c30\u003edevice=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", "outcome": "success", "severity": 1 }, @@ -3613,9 +3002,9 @@ "direction": "in", "file_name": "cgi_echo.pl", "log_component": "Web Content Policy", + "log_id": "058420116010", "log_subtype": "Alert", "log_type": "Content Filtering", - "message_id": "16010", "site_category": "Information Technology", "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", "user": "gi123456", @@ -3631,17 +3020,6 @@ }, { "@timestamp": "2016-12-02T18:50:20.000Z", - "client": { - "bytes": 0, - "ip": "192.168.73.220", - "port": 37832, - "user": { - "group": { - "name": "Clientless Open Group" - }, - "name": "rich" - } - }, "destination": { "bytes": 0, "geo": { 
@@ -3667,9 +3045,9 @@ "category": [ "network" ], - "code": "050927616005", + "code": "16005", "kind": "event", - "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", "outcome": "success", "severity": 6, "type": [ @@ -3684,6 +3062,9 @@ "level": "informational" }, "network": { + "bytes": 0, + "community_id": "1:HvKh3vR/3/66c5khPTyK//csnEc=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -3694,7 +3075,8 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "www.google.com" ], "ip": [ "192.168.73.220", 
@@ -3704,23 +3086,6 @@ "rich" ] }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "activityname": " Search", @@ -3731,9 +3096,9 @@ "fw_rule_id": "2", "iap": "13", "log_component": "HTTP", + "log_id": "050927616005", "log_subtype": "Warned", "log_type": "Content Filtering", - "message_id": "16005", "priority": "Information" } }, @@ -3761,17 +3126,6 @@ }, { "@timestamp": "2016-12-02T18:50:22.000Z", - "client": { - "bytes": 0, - "ip": "192.168.73.220", - "port": 46322, - "user": { - "group": { - "name": "Clientless Open Group" - }, - "name": "rich" - } - }, "destination": { "bytes": 619, "geo": { 
@@ -3797,10 +3151,11 @@ "category": [ "network" ], - "code": "050901616006", + "code": "16006", "kind": "event", - "original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", "outcome": "success", + "reason": "not eligible", "severity": 6, "type": [ "allowed", @@ -3814,6 +3169,9 @@ "level": "informational" }, "network": { + "bytes": 619, + "community_id": "1:ugKAtyXD+NkO22HaYEqDnd54d38=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -3824,7 +3182,8 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "www.google.ca" ], "ip": [ "192.168.73.220", 
@@ -3834,23 +3193,6 @@ "rich" ] }, - "server": { - "bytes": 619, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "activityname": "Search", @@ -3862,11 +3204,10 @@ "fw_rule_id": "2", "iap": "13", "log_component": "HTTP", + "log_id": "050901616006", "log_subtype": "Allowed", "log_type": "Content Filtering", - "message_id": "16006", - "priority": "Information", - "reason": "not eligible" + "priority": "Information" } }, "source": { @@ -3894,27 +3235,6 @@ }, { "@timestamp": "2020-05-18T14:38:57.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "user": { - "group": { - "name": "Open Group" - }, - "name": "elastic.user@elastic.test.com" - } - }, "ecs": { "version": "8.0.0" }, 
@@ -3922,9 +3242,9 @@ "category": [ "authentication" ], - "code": "062910617701", + "code": "17701", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1\" name=\"elastic.user@elastic.test.com\" src_mac=", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1\" name=\"elastic.user@elastic.test.com\" src_mac=", "outcome": "success", "severity": 6, "type": [ @@ -3963,9 +3283,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "Firewall Authentication", + "log_id": "062910617701", "log_subtype": "Authentication", "log_type": "Event", - "message_id": "17701", "priority": "Information", "status": "Successful" } 
@@ -3987,37 +3307,19 @@ "user": { "group": { "name": "Open Group" - }, - "name": "elastic.user@elastic.test.com" - } - }, - "tags": [ - "preserve_original_event" - ], - "user": { - "name": "elastic.user@elastic.test.com" - } - }, - { - "@timestamp": "2020-05-18T14:38:58.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "user": { + }, "name": "elastic.user@elastic.test.com" } }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "elastic.user@elastic.test.com" + } + }, + { + "@timestamp": "2020-05-18T14:38:58.000Z", "destination": { "geo": { "city_name": "Changchun", 
@@ -4037,9 +3339,9 @@ "version": "8.0.0" }, "event": { - "code": "062511418055", + "code": "18055", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=175.16.199.1 localgateway=\"\" localnetwork=\"175.16.199.1/19\" remoteinterfaceip=175.16.199.1 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=175.16.199.1 localgateway=\"\" localnetwork=\"175.16.199.1/19\" remoteinterfaceip=175.16.199.1 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)\"", "severity": 4 }, "host": { @@ -4060,28 +3362,12 @@ "testhost.local" ], "ip": [ - "175.16.199.1", "175.16.199.1" ], "user": [ "elastic.user@elastic.test.com" ] }, - "server": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1" - }, "sophos": { "xg": { "connectionname": "Location-1", 
@@ -4090,9 +3376,9 @@ "device_name": "XG230", "localnetwork": "175.16.199.1/19", "log_component": "IPSec", + "log_id": "062511418055", "log_subtype": "System", "log_type": "Event", - "message_id": "18055", "priority": "Warning", "remotenetwork": "10.84.234.5/32", "status": "Failed" @@ -4126,9 +3412,9 @@ "version": "8.0.0" }, "event": { - "code": "062511318057", + "code": "18057", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", "severity": 3 }, "host": { @@ -4155,9 +3441,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "IPSec", + "log_id": "062511318057", "log_subtype": "System", "log_type": "Event", - "message_id": "18057", "priority": "Error", "status": "Expire" } 
@@ -4168,24 +3454,6 @@ }, { "@timestamp": "2020-05-18T14:39:00.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "user": { - "name": "elastic.user@elastic.test.com" - } - }, "ecs": { "version": "8.0.0" }, @@ -4193,9 +3461,9 @@ "category": [ "authentication" ], - "code": "063210617704", + "code": "17704", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", "outcome": "success", "severity": 6, "type": [ 
@@ -4233,9 +3501,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "My Account Authentication", + "log_id": "063210617704", "log_subtype": "Authentication", "log_type": "Event", - "message_id": "17704", "priority": "Information", "status": "Successful" } @@ -4275,9 +3543,9 @@ "host", "malware" ], - "code": "064011517819", + "code": "17819", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", "severity": 5, "type": [ "info" @@ -4306,9 +3574,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "Anti-Virus", + "log_id": "064011517819", "log_subtype": "System", "log_type": "Event", - "message_id": "17819", "newversion": "1.0.407795 ", "oldversion": "1.0.407794", "priority": "Notice", 
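Review bot: `sophos.xg.newversion` keeps a trailing space (`"1.0.407795 "`) on the new side of the second hunk on this line, while `oldversion` does not, and the same appears for ATP (`"1.0.0298 "`) and IPS (`"9.17.10 "`) further down. A trailing blank makes exact-value queries and version comparisons on that field miss, which matters when the field is used to confirm that definition updates actually landed. The pipeline should trim the value, after which the fixture would read `"newversion": "1.0.407795"`. These are context lines, so the commit did not introduce the issue, but regenerating the fixture is the natural moment to fix it.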
@@ -4325,9 +3593,9 @@ "version": "8.0.0" }, "event": { - "code": "063411660022", + "code": "60022", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", "severity": 6 }, "host": { @@ -4354,9 +3622,9 @@ "device_name": "XG230", "ipaddress": "192.168.110.10", "log_component": "DHCP Server", + "log_id": "063411660022", "log_subtype": "System", "log_type": "Event", - "message_id": "60022", "priority": "Information", "raw_data": "192.168.110.10", "status": "Expire" @@ -4368,24 +3636,6 @@ }, { "@timestamp": "2020-05-18T14:39:03.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "user": { - "name": "elastic.user@elastic.test.com" - } - }, "ecs": { "version": "8.0.0" }, 
@@ -4393,9 +3643,9 @@ "category": [ "authentication" ], - "code": "063110617710", + "code": "17710", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", "outcome": "success", "severity": 6, "type": [ @@ -4433,9 +3683,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "SSL VPN Authentication", + "log_id": "063110617710", "log_subtype": "Authentication", "log_type": "Event", - "message_id": "17710", "priority": "Information", "status": "Successful" } @@ -4467,12 +3717,6 @@ }, { "@timestamp": "2020-05-18T14:39:04.000Z", - "client": { - "bytes": 0, - "user": { - "name": "elastic.user@elastic.test.com" - } - }, "destination": { "bytes": 0 }, 
@@ -4480,9 +3724,9 @@ "version": "8.0.0" }, "event": { - "code": "062811617824", + "code": "17824", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", "severity": 6 }, "host": { @@ -4506,19 +3750,16 @@ "elastic.user@elastic.test.com" ] }, - "server": { - "bytes": 0 - }, "sophos": { "xg": { - "Mode": "Remote Access", "device": "SFW", "device_name": "XG230", "ipaddress": "10.82.234.5", "log_component": "SSL VPN", + "log_id": "062811617824", "log_subtype": "System", "log_type": "Event", - "message_id": "17824", + "mode": "Remote Access", "priority": "Information", "remote_ip": "10.82.234.12", "starttime": "0", 
@@ -4537,24 +3778,6 @@ }, { "@timestamp": "2020-05-18T14:39:05.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "user": { - "name": "hendrikl" - } - }, "ecs": { "version": "8.0.0" }, @@ -4562,10 +3785,11 @@ "category": [ "authentication" ], - "code": "063010517708", + "code": "17708", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=175.16.199.1 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=175.16.199.1 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", "outcome": "failure", + "reason": "wrong credentials", "severity": 5 }, "host": { 
@@ -4598,11 +3822,10 @@ "device": "SFW", "device_name": "XG230", "log_component": "VPN Authentication", + "log_id": "063010517708", "log_subtype": "Authentication", "log_type": "Event", - "message_id": "17708", "priority": "Notice", - "reason": "wrong credentials", "status": "Failed" } }, @@ -4637,9 +3860,9 @@ "version": "8.0.0" }, "event": { - "code": "066911518017", + "code": "18017", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", "severity": 5 }, "host": { @@ -4665,9 +3888,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "ATP", + "log_id": "066911518017", "log_subtype": "System", "log_type": "Event", - "message_id": "18017", "newversion": "1.0.0298 ", "oldversion": "1.0.0297", "priority": "Notice", 
@@ -4680,19 +3903,13 @@ }, { "@timestamp": "2020-05-18T14:39:07.000Z", - "client": { - "ip": "10.83.234.5", - "user": { - "name": "admin" - } - }, "ecs": { "version": "8.0.0" }, "event": { - "code": "062009617502", + "code": "17502", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:07 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=10.83.234.5 syslog_server_name='Logstash' message=\"SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:07 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message=\"SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'\"", "severity": 6 }, "host": { @@ -4724,9 +3941,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "GUI", + "log_id": "062009617502", "log_subtype": "Admin", "log_type": "Event", - "message_id": "17502", "priority": "Information", "status": "Successful", "syslog_server_name": "'Logstash'" 
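Review bot: `sophos.xg.syslog_server_name` still carries the literal single quotes (`"'Logstash'"`) on the new side of this hunk, even though the raw key's casing was changed to `SysLog_SERVER_NAME` and double-quoted values elsewhere are unquoted cleanly. A value that keeps its quotes will not match an exact-term query for `Logstash`, and the same pattern presumably affects other single-quoted fields such as `backup_mode='appliance'` in a later hunk. The parser should strip matching single quotes the same way it strips double quotes, or the fixture should document why they are kept.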
@@ -4744,31 +3961,13 @@ }, { "@timestamp": "2020-05-18T14:39:08.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "user": { - "name": "root" - } - }, "ecs": { "version": "8.0.0" }, "event": { - "code": "062109517507", + "code": "17507", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=175.16.199.1 message=\"User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=175.16.199.1 message=\"User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials\"", "outcome": "failure", "severity": 5 }, @@ -4801,9 +4000,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "CLI", + "log_id": "062109517507", "log_subtype": "Admin", "log_type": "Event", - "message_id": "17507", "priority": "Notice", "status": "Failed" } 
@@ -4836,9 +4035,9 @@ "version": "8.0.0" }, "event": { - "code": "063911517818", + "code": "17818", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", "severity": 5 }, "host": { @@ -4864,9 +4063,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "IPS", + "log_id": "063911517818", "log_subtype": "System", "log_type": "Event", - "message_id": "17818", "newversion": "9.17.10 ", "oldversion": "9.17.09", "priority": "Notice", @@ -4883,9 +4082,9 @@ "version": "8.0.0" }, "event": { - "code": "063311617923", + "code": "17923", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", "severity": 6 }, "host": { 
@@ -4912,9 +4111,9 @@ "device": "SFW", "device_name": "XG230", "log_component": "Appliance", + "log_id": "063311617923", "log_subtype": "System", "log_type": "Event", - "message_id": "17923", "priority": "Information" } }, @@ -4924,16 +4123,6 @@ }, { "@timestamp": "2020-05-18T14:39:20.000Z", - "client": { - "bytes": 0, - "ip": "10.84.234.38", - "user": { - "group": { - "name": "VPN.SSL.Users.elastic" - }, - "name": "elastic.user@elastic.test.com" - } - }, "destination": { "bytes": 0 }, @@ -4945,9 +4134,9 @@ "network", "authentication" ], - "code": "062910617703", + "code": "17703", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", "outcome": "success", "severity": 6, "type": [ 
@@ -4980,18 +4169,15 @@ "elastic.user@elastic.test.com" ] }, - "server": { - "bytes": 0 - }, "sophos": { "xg": { "auth_client": "IPSec", "device": "SFW", "device_name": "XG230", "log_component": "Firewall Authentication", + "log_id": "062910617703", "log_subtype": "Authentication", "log_type": "Event", - "message_id": "17703", "priority": "Information", "start_time": "1591086575", "status": "Successful" @@ -5016,9 +4202,6 @@ }, { "@timestamp": "2017-03-16T12:56:01.000Z", - "client": { - "bytes": 0 - }, "destination": { "bytes": 0 }, @@ -5026,11 +4209,11 @@ "version": "8.0.0" }, "event": { - "code": "066811618014", + "code": "18014", "duration": 164000000000000, "end": "2017-03-18T10:29:21.000Z", "kind": "event", - "original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", "severity": 6, "start": "2017-03-16T12:56:01.000Z" }, @@ -5052,9 +4235,6 @@ "defaulttest.local" ] }, - "server": { - "bytes": 0 - }, "sophos": { "xg": { "branch_name": "Gaurav Patel", 
@@ -5062,9 +4242,9 @@ "device_name": "XG125w", "eventtime": "2017-03-16 12:56:01 IST", "log_component": "RED", + "log_id": "066811618014", "log_subtype": "System", "log_type": "Event", - "message_id": "18014", "priority": "Information", "red_id": "A350196C47072B0", "status": "Connected" @@ -5079,9 +4259,6 @@ }, { "@timestamp": "2017-03-16T12:53:27.000Z", - "client": { - "bytes": 22368 - }, "destination": { "bytes": 31488 }, @@ -5089,11 +4266,11 @@ "version": "8.0.0" }, "event": { - "code": "066811618015", + "code": "18015", "duration": 0, "end": "2017-03-16T12:53:27.000Z", "kind": "event", - "original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", "severity": 6, "start": "2017-03-16T12:53:27.000Z" }, @@ -5115,9 +4292,6 @@ "defaulttest.local" ] }, - "server": { - "bytes": 31488 - }, "sophos": { "xg": { "branch_name": "Gaurav Patel", @@ -5125,9 +4299,9 @@ "device_name": "XG125w", "eventtime": "2017-03-16 12:53:27 IST", "log_component": "RED", + "log_id": "066811618015", "log_subtype": "System", "log_type": "Event", - "message_id": "18015", "priority": "Information", "red_id": "A350196C47072B0", "status": "Disconnected" 
@@ -5142,9 +4316,6 @@ }, { "@timestamp": "2017-03-16T12:46:26.000Z", - "client": { - "bytes": 0 - }, "destination": { "bytes": 0 }, @@ -5152,11 +4323,11 @@ "version": "8.0.0" }, "event": { - "code": "066811618016", + "code": "18016", "duration": 0, "end": "2017-03-16T12:46:26.000Z", "kind": "event", - "original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", "severity": 6, "start": "2017-03-16T12:46:26.000Z" }, @@ -5178,9 +4349,6 @@ "defaulttest.local" ] }, - "server": { - "bytes": 0 - }, "sophos": { "xg": { "branch_name": "NY", @@ -5188,9 +4356,9 @@ "device_name": "XG125w", "eventtime": "2017-03-16 12:46:26 IST", "log_component": "RED", + "log_id": "066811618016", "log_subtype": "System", "log_type": "Event", - "message_id": "18016", "priority": "Information", "red_id": "A350196C47072B0", "status": "Interim" 
@@ -5209,9 +4377,9 @@ "version": "8.0.0" }, "event": { - "code": "063711517815", + "code": "17815", "kind": "event", - "original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1.customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1.customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", "severity": 5 }, "host": { @@ -5238,9 +4406,9 @@ "device_name": "SG430", "host": "test1.customtest.dyndns.org", "log_component": "DDNS", + "log_id": "063711517815", "log_subtype": "System", "log_type": "Event", - "message_id": "17815", "priority": "Notice", "status": "Success", "updatedip": "10.198.232.86" @@ -5252,29 +4420,6 @@ }, { "@timestamp": "2020-05-18T14:38:37.000Z", - "client": { - "bytes": 459, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "mac": "00:00:00:00:00:00", - "nat": { - "ip": "175.16.199.1", - "port": 0 - }, - "packets": 6, - "port": 62841 - }, "destination": { "bytes": 606, "geo": { 
@@ -5304,11 +4449,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 11000000000, "end": "2020-05-18T14:38:48.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 
tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2020-05-18T14:38:37.000Z", @@ -5326,6 +4471,7 @@ }, "network": { "bytes": 1065, + "community_id": "1:5ytwHpTddp5P0kGMwuNJJLCIN1I=", "direction": "outbound", "packets": 11, "protocol": "http", @@ -5361,27 +4507,6 @@ "id": "21", "ruleset": "1" }, - "server": { - "bytes": 606, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "nat": { - "port": 0 - }, - "packets": 5, - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -5400,9 +4525,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", - "message_id": "00001", "priority": "Information", "src_country_code": "R1", "src_zone_type": "LAN", @@ -5424,7 +4549,7 @@ "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "nat": { "ip": "175.16.199.1", "port": 0 @@ -5438,29 +4563,6 @@ }, { "@timestamp": "2020-05-18T14:38:38.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "mac": "00:00:00:00:00:00", - "nat": { - "ip": "175.16.199.1", - "port": 0 - }, - "packets": 0, - "port": 49144 - }, "destination": { "bytes": 0, "geo": { 
@@ -5490,11 +4592,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 0, "end": "2020-05-18T14:38:38.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 
tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2020-05-18T14:38:38.000Z", @@ -5512,6 +4614,7 @@ }, "network": { "bytes": 0, + "community_id": "1:BkHV0Q5JMM3ieP7v+c9GGT3T39s=", "direction": "outbound", "packets": 0, "protocol": "dns", @@ -5547,27 +4650,6 @@ "id": "67", "ruleset": "1" }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 53 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -5586,9 +4668,9 @@ "iap": "0", "ips_policy_id": "15", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", - "message_id": "00001", "priority": "Information", "src_country_code": "R1", "src_zone_type": "DMZ", @@ -5610,7 +4692,7 @@ "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "nat": { "ip": "175.16.199.1", "port": 0 @@ -5624,28 +4706,6 @@ }, { "@timestamp": "2020-05-18T14:38:39.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "mac": "24:01:c7:07:2b:a2", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 53287 - }, "destination": { "bytes": 0, "geo": { 
@@ -5675,11 +4735,11 @@ "category": [ "network" ], - "code": "010102600002", + "code": "00002", "duration": 0, "end": "2020-05-18T14:38:39.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" 
connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2020-05-18T14:38:39.000Z", @@ -5696,6 +4756,7 @@ }, "network": { "bytes": 0, + "community_id": "1:/Ufdtqvq+ATpO2Ud6TVqfheypk8=", "packets": 0, "transport": "tcp" }, @@ -5720,33 +4781,12 @@ "testhost.local" ], "ip": [ - "175.16.199.1" - ] - }, - "rule": { - "id": "29", - "ruleset": "1" - }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 4980 + "175.16.199.1" + ] + }, + "rule": { + "id": "29", + "ruleset": "1" }, "sophos": { "xg": { @@ -5760,9 +4800,9 @@ "iap": "2", "ips_policy_id": "0", "log_component": "Firewall Rule", + "log_id": "010102600002", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "00002", "priority": "Information", "status": "Deny" } @@ -5782,7 +4822,7 @@ "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", - "mac": "24:01:c7:07:2b:a2", + "mac": "24-01-C7-07-2B-A2", "nat": { "port": 0 }, @@ -5795,21 +4835,6 @@ }, { "@timestamp": "2020-05-18T14:38:40.000Z", - "client": { - "bytes": 0, - "ip": "10.82.234.6", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 60102, - "user": { - "group": { - "name": "elastic.group.local" - }, - "name": "elastic@user.local" - } - }, "destination": { "bytes": 0, "ip": "192.168.0.1", 
@@ -5827,11 +4852,11 @@ "category": [ "network" ], - "code": "010102600002", + "code": "00002", "duration": 0, "end": "2020-05-18T14:38:40.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" 
dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2020-05-18T14:38:40.000Z", @@ -5848,6 +4873,7 @@ }, "network": { "bytes": 0, + "community_id": "1:8b2gxqcJF3RCFwlHBnywSZxJCzM=", "packets": 0, "transport": "tcp" }, @@ -5883,15 +4909,6 @@ "id": "29", "ruleset": "1" }, - "server": { - "bytes": 0, - "ip": "192.168.0.1", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 53 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -5904,9 +4921,9 @@ "iap": "2", "ips_policy_id": "0", "log_component": "Firewall Rule", + "log_id": "010102600002", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "00002", "priority": "Information", "status": "Deny" } @@ -5932,28 +4949,6 @@ }, { "@timestamp": "2020-05-18T14:38:41.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "mac": "c4:f7:d5:b5:47:f4", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 55039 - }, "destination": { "bytes": 0, "geo": { 
@@ -5983,11 +4978,11 @@ "category": [ "network" ], - "code": "010302602002", + "code": "02002", "duration": 0, "end": "2020-05-18T14:38:41.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" 
vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2020-05-18T14:38:41.000Z", @@ -6004,6 +4999,7 @@ }, "network": { "bytes": 0, + "community_id": "1:l6GmtQazh2DdX7u3B+0U5FoK/VM=", "packets": 0, "transport": "tcp" }, @@ -6030,27 +5026,6 @@ "id": "0", "ruleset": "0" }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 18 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -6063,9 +5038,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "Appliance Access", + "log_id": "010302602002", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "02002", "priority": "Information", "status": "Deny" } @@ -6085,7 +5060,7 @@ "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", - "mac": "c4:f7:d5:b5:47:f4", + "mac": "C4-F7-D5-B5-47-F4", "nat": { "port": 0 }, @@ -6098,34 +5073,6 @@ }, { "@timestamp": "2020-05-18T14:38:42.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "mac": "24:01:c7:07:2b:a2", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 51826, - "user": { - "group": { - "name": "elastic.group.local" - }, - "name": "elastic@user.local" - } - }, "destination": { "bytes": 0, "ip": "192.168.5.11", 
@@ -6143,11 +5090,11 @@ "category": [ "network" ], - "code": "010102600002", + "code": "00002", "duration": 0, "end": "2020-05-18T14:38:42.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 
srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2020-05-18T14:38:42.000Z", @@ -6164,6 +5111,7 @@ }, "network": { "bytes": 0, + "community_id": "1:1AaIixBqgjE6URkWLKgsl7sK2bY=", "packets": 0, "transport": "tcp" }, @@ -6199,15 +5147,6 @@ "id": "29", "ruleset": "1" }, - "server": { - "bytes": 0, - "ip": "192.168.5.11", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 1109 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -6220,9 +5159,9 @@ "iap": "2", "ips_policy_id": "0", "log_component": "Firewall Rule", + "log_id": "010102600002", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "00002", "priority": "Information", "status": "Deny" } @@ -6242,7 +5181,7 @@ "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", - "mac": "24:01:c7:07:2b:a2", + "mac": "24-01-C7-07-2B-A2", "nat": { "port": 0 }, @@ -6261,28 +5200,6 @@ }, { "@timestamp": "2020-05-18T14:38:43.000Z", - "client": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "mac": "34:db:fd:83:d8:09", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 3389 - }, "destination": { "bytes": 0, "ip": "10.84.234.14", 
@@ -6301,11 +5218,11 @@ "intrusion_detection", "network" ], - "code": "010402403001", + "code": "03001", "duration": 0, "end": "2020-05-18T14:38:43.000Z", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" 
vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 4, "start": "2020-05-18T14:38:43.000Z", @@ -6322,6 +5239,7 @@ }, "network": { "bytes": 0, + "community_id": "1:2OUzCZQUfZ5IHj9MhIrZoyLi1FQ=", "packets": 0, "transport": "udp" }, @@ -6349,15 +5267,6 @@ "id": "0", "ruleset": "0" }, - "server": { - "bytes": 0, - "ip": "10.84.234.14", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 64465 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -6370,9 +5279,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "DoS Attack", + "log_id": "010402403001", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "03001", "priority": "Warning", "status": "Deny" } @@ -6392,7 +5301,7 @@ "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", - "mac": "34:db:fd:83:d8:09", + "mac": "34-DB-FD-83-D8-09", "nat": { "port": 0 }, @@ -6405,15 +5314,6 @@ }, { "@timestamp": "2020-05-18T14:38:44.000Z", - "client": { - "bytes": 0, - "ip": "10.82.234.9", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 58331 - }, "destination": { "bytes": 0, "ip": "10.82.234.11", 
@@ -6431,11 +5331,11 @@ "category": [ "network" ], - "code": "012802605201", + "code": "05201", "duration": 0, "end": "2020-05-18T14:38:44.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" 
message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2020-05-18T14:38:44.000Z", @@ -6452,6 +5352,7 @@ }, "network": { "bytes": 0, + "community_id": "1:UYQJE2dcbFtkondgzOxhp2BryzI=", "packets": 0, "transport": "tcp" }, @@ -6479,15 +5380,6 @@ "id": "0", "ruleset": "0" }, - "server": { - "bytes": 0, - "ip": "10.82.234.11", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 56267 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -6500,9 +5392,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "SSL VPN", + "log_id": "012802605201", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "05201", "priority": "Information", "status": "Deny" } @@ -6522,22 +5414,6 @@ }, { "@timestamp": "2020-05-18T14:38:45.000Z", - "client": { - "bytes": 0, - "ip": "10.84.234.7", - "mac": "00:00:00:00:00:00", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 58543, - "user": { - "group": { - "name": "elastic.group.local" - }, - "name": "elastic@user.local" - } - }, "destination": { "bytes": 0, "geo": { 
@@ -6567,11 +5443,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 0, "end": "2020-05-18T14:38:45.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" 
tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2020-05-18T14:38:45.000Z", @@ -6589,6 +5465,7 @@ }, "network": { "bytes": 0, + "community_id": "1:NvQwE56E0Ailx7nirNMhYbqx6Kw=", "direction": "internal", "packets": 0, "transport": "tcp" @@ -6627,27 +5504,6 @@ "id": "61", "ruleset": "2" }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -6664,9 +5520,9 @@ "iap": "0", "ips_policy_id": "11", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", - "message_id": "00001", "priority": "Information", "src_country_code": "R1", "src_zone_type": "VPN", @@ -6676,7 +5532,7 @@ "source": { "bytes": 0, "ip": "10.84.234.7", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "nat": { "port": 0 }, @@ -6695,15 +5551,6 @@ }, { "@timestamp": "2020-05-18T14:38:45.000Z", - "client": { - "bytes": 0, - "ip": "192.168.1.254", - "mac": "34:db:fd:83:d8:09", - "nat": { - "port": 0 - }, - "packets": 0 - }, "destination": { "bytes": 0, "geo": { 
@@ -6732,11 +5579,11 @@ "category": [ "network" ], - "code": "018201500005", + "code": "00005", "duration": 0, "end": "2020-05-18T14:38:45.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" 
dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 5, "start": "2020-05-18T14:38:45.000Z", @@ -6754,6 +5601,7 @@ }, "network": { "bytes": 0, + "community_id": "1:lRNB/KJvdNAICw3aV4RFRxqCKXc=", "packets": 0, "transport": "icmp" }, @@ -6781,26 +5629,6 @@ "id": "60", "ruleset": "1" }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "nat": { - "port": 0 - }, - "packets": 0 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -6817,9 +5645,9 @@ "icmp_type": "3", "ips_policy_id": "17", "log_component": "ICMP ERROR MESSAGE", + "log_id": "018201500005", "log_subtype": "Allowed", "log_type": "Firewall", - "message_id": "00005", "priority": "Notice", "status": "Allow" } @@ -6827,7 +5655,7 @@ "source": { "bytes": 0, "ip": "192.168.1.254", - "mac": "34:db:fd:83:d8:09", + "mac": "34-DB-FD-83-D8-09", "nat": { "port": 0 }, @@ -6839,28 +5667,6 @@ }, { "@timestamp": "2020-06-05T12:38:53.000Z", - "client": { - "bytes": 1802, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "mac": "00:00:00:00:00:00", - "nat": { - "port": 0 - }, - "packets": 6, - "port": 61925 - }, "destination": { "bytes": 1732, "geo": { 
@@ -6887,11 +5693,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 10000000000, "end": "2020-06-05T12:39:03.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" 
srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", "outcome": "success", "severity": 6, "start": "2020-06-05T12:38:53.000Z", @@ -6909,6 +5715,7 @@ }, "network": { "bytes": 3534, + "community_id": "1:wQwshYyt6z1Z+M4EnWNhl08b820=", "direction": "internal", "packets": 12, "transport": "tcp" @@ -6943,24 +5750,6 @@ "id": "60", "ruleset": "1" }, - "server": { - "bytes": 1732, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "packets": 6, - "port": 88 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -6977,9 +5766,9 @@ "iap": "0", "ips_policy_id": "17", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", - "message_id": "00001", "priority": "Information", "src_country_code": "R1", "status": "Allow" @@ -7000,7 +5789,7 @@ "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "nat": { "port": 0 }, @@ -7008,20 +5797,11 @@ "port": 61925 }, "tags": [ - "preserve_original_event" - ] - }, - { - "@timestamp": "2018-05-30T13:26:37.000Z", - "client": { - "bytes": 0, - "ip": "10.198.32.19", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 1353 - }, + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-05-30T13:26:37.000Z", "destination": { "bytes": 0, "geo": { 
@@ -7051,11 +5831,11 @@ "category": [ "network" ], - "code": "010202601001", + "code": "01001", "duration": 0, "end": "2018-05-30T13:26:37.000Z", "kind": "event", - "original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" 
appresolvedby=\" Signature\"", "outcome": "success", "severity": 6, "start": "2018-05-30T13:26:37.000Z", @@ -7094,27 +5874,6 @@ "id": "0", "ruleset": "0" }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 0 - }, "sophos": { "xg": { "appfilter_policy_id": "0", @@ -7126,10 +5885,10 @@ "iap": "0", "ips_policy_id": "0", "log_component": "Invalid Traffic", + "log_id": "010202601001", "log_subtype": "Denied", "log_type": "Firewall", "message": "Invalid UDP destination.", - "message_id": "01001", "priority": "Information", "status": "Deny" } @@ -7149,15 +5908,6 @@ }, { "@timestamp": "2018-06-04T17:20:24.000Z", - "client": { - "bytes": 0, - "ip": "0.0.0.0", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 0 - }, "destination": { "bytes": 0, "ip": "0.0.0.0", 
@@ -7175,11 +5925,11 @@ "category": [ "network" ], - "code": "011402601301", + "code": "01301", "duration": 0, "end": "2018-06-04T17:20:24.000Z", "kind": "event", - "original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "outcome": "success", "severity": 6, 
"start": "2018-06-04T17:20:24.000Z", @@ -7217,15 +5967,6 @@ "id": "0", "ruleset": "0" }, - "server": { - "bytes": 0, - "ip": "0.0.0.0", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 0 - }, "sophos": { "xg": { "appfilter_policy_id": "0", @@ -7237,9 +5978,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "Fragmented Traffic", + "log_id": "011402601301", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "01301", "priority": "Information", "status": "Deny" } @@ -7259,16 +6000,6 @@ }, { "@timestamp": "2018-05-30T14:01:32.000Z", - "client": { - "bytes": 0, - "ip": "10.198.38.184", - "mac": "c8:5b:76:ab:72:d3", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 137 - }, "destination": { "bytes": 0, "ip": "10.198.39.255", 
@@ -7286,11 +6017,11 @@ "category": [ "network" ], - "code": "010302602002", + "code": "02002", "duration": 0, "end": "2018-05-30T14:01:32.000Z", "kind": "event", - "original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" 
message=\"\" appresolvedby=\"Signature\"", "outcome": "success", "severity": 6, "start": "2018-05-30T14:01:32.000Z", @@ -7307,6 +6038,7 @@ }, "network": { "bytes": 0, + "community_id": "1:rWQJGdqTu4ERAOCXL2JYQ16npW4=", "packets": 0, "transport": "udp" }, @@ -7334,15 +6066,6 @@ "id": "2", "ruleset": "0" }, - "server": { - "bytes": 0, - "ip": "10.198.39.255", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 137 - }, "sophos": { "xg": { "appfilter_policy_id": "0", @@ -7354,9 +6077,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "Appliance Access", + "log_id": "010302602002", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "02002", "priority": "Information", "status": "Deny" } @@ -7364,7 +6087,7 @@ "source": { "bytes": 0, "ip": "10.198.38.184", - "mac": "c8:5b:76:ab:72:d3", + "mac": "C8-5B-76-AB-72-D3", "nat": { "port": 0 }, @@ -7377,16 +6100,6 @@ }, { "@timestamp": "2018-05-30T14:17:17.000Z", - "client": { - "bytes": 0, - "ip": "10.198.32.19", - "mac": "b8:97:5a:5b:0f:fd", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 41960 - }, "destination": { "bytes": 0, "ip": "10.198.32.48", 
@@ -7405,11 +6118,11 @@ "intrusion_detection", "network" ], - "code": "010402403001", + "code": "03001", "duration": 0, "end": "2018-05-30T14:17:17.000Z", "kind": "alert", - "original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" 
appresolvedby=\" Signature\"", "outcome": "success", "severity": 4, "start": "2018-05-30T14:17:17.000Z", @@ -7426,6 +6139,7 @@ }, "network": { "bytes": 0, + "community_id": "1:ebW+n2XvlKyynA6t/MupXckUzG4=", "packets": 0, "transport": "tcp" }, @@ -7453,15 +6167,6 @@ "id": "0", "ruleset": "0" }, - "server": { - "bytes": 0, - "ip": "10.198.32.48", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 22 - }, "sophos": { "xg": { "appfilter_policy_id": "0", @@ -7473,9 +6178,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "DoS Attack", + "log_id": "010402403001", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "03001", "priority": "Warning", "status": "Deny" } @@ -7483,7 +6188,7 @@ "source": { "bytes": 0, "ip": "10.198.32.19", - "mac": "b8:97:5a:5b:0f:fd", + "mac": "B8-97-5A-5B-0F-FD", "nat": { "port": 0 }, @@ -7496,14 +6201,6 @@ }, { "@timestamp": "2018-06-05T14:30:31.000Z", - "client": { - "bytes": 0, - "ip": "10.198.37.23", - "nat": { - "port": 0 - }, - "packets": 0 - }, "destination": { "bytes": 0, "ip": "10.198.36.48", 
@@ -7520,11 +6217,11 @@ "category": [ "network" ], - "code": "010502604001", + "code": "04001", "duration": 0, "end": "2018-06-05T14:30:31.000Z", "kind": "event", - "original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "outcome": 
"success", "severity": 6, "start": "2018-06-05T14:30:31.000Z", @@ -7541,6 +6238,7 @@ }, "network": { "bytes": 0, + "community_id": "1:REw7Fd5sFF/Vbt+C9BommT9XGDQ=", "packets": 0, "transport": "icmp" }, @@ -7563,14 +6261,6 @@ "id": "0", "ruleset": "0" }, - "server": { - "bytes": 0, - "ip": "10.198.36.48", - "nat": { - "port": 0 - }, - "packets": 0 - }, "sophos": { "xg": { "appfilter_policy_id": "0", @@ -7584,9 +6274,9 @@ "icmp_type": "5", "ips_policy_id": "0", "log_component": "ICMP Redirection", + "log_id": "010502604001", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "04001", "priority": "Information", "status": "Deny" } @@ -7605,15 +6295,6 @@ }, { "@timestamp": "2018-05-31T17:05:14.000Z", - "client": { - "bytes": 0, - "ip": "10.198.12.19", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 1571 - }, "destination": { "bytes": 0, "geo": { 
@@ -7644,11 +6325,11 @@ "intrusion_detection", "network" ], - "code": "010602605001", + "code": "05001", "duration": 0, "end": "2018-05-31T17:05:14.000Z", "kind": "alert", - "original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "outcome": 
"success", "severity": 6, "start": "2018-05-31T17:05:14.000Z", @@ -7665,6 +6346,7 @@ }, "network": { "bytes": 0, + "community_id": "1:Kz9+srO3WRUzL5hBayiFZG2Vuo4=", "packets": 0, "transport": "tcp" }, @@ -7687,27 +6369,6 @@ "id": "1", "ruleset": "1" }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 80 - }, "sophos": { "xg": { "appfilter_policy_id": "0", @@ -7719,9 +6380,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "Source Routed", + "log_id": "010602605001", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "05001", "priority": "Information", "status": "Deny" } @@ -7741,16 +6402,6 @@ }, { "@timestamp": "2018-05-30T15:09:51.000Z", - "client": { - "bytes": 0, - "ip": "fe80::59f5:3ce8:c98e:5062", - "mac": "1e:3a:5a:5b:23:ab", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 546 - }, "destination": { "bytes": 0, "ip": "ff02::1:2", 
@@ -7768,11 +6419,11 @@ "category": [ "network" ], - "code": "011702605051", + "code": "05051", "duration": 0, "end": "2018-05-30T15:09:51.000Z", "kind": "event", - "original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No 
Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "outcome": "success", "severity": 6, "start": "2018-05-30T15:09:51.000Z", @@ -7789,6 +6440,7 @@ }, "network": { "bytes": 0, + "community_id": "1:fzZxl6nY1aZerLCg1u8MwroiREk=", "packets": 0, "transport": "udp" }, @@ -7816,15 +6468,6 @@ "id": "0", "ruleset": "0" }, - "server": { - "bytes": 0, - "ip": "ff02::1:2", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 547 - }, "sophos": { "xg": { "appfilter_policy_id": "0", @@ -7836,9 +6479,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "MAC Filter", + "log_id": "011702605051", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "05051", "priority": "Information", "status": "Deny" } @@ -7846,7 +6489,7 @@ "source": { "bytes": 0, "ip": "fe80::59f5:3ce8:c98e:5062", - "mac": "1e:3a:5a:5b:23:ab", + "mac": "1E-3A-5A-5B-23-AB", "nat": { "port": 0 }, @@ -7859,15 +6502,6 @@ }, { "@timestamp": "2018-06-01T10:57:55.000Z", - "client": { - "bytes": 0, - "ip": "10.198.37.57", - "mac": "08:00:27:4c:49:e3", - "nat": { - "port": 0 - }, - "packets": 0 - }, "destination": { "bytes": 0, "ip": "10.198.32.19", 
@@ -7884,11 +6518,11 @@ "category": [ "network" ], - "code": "016602600006", + "code": "00006", "duration": 0, "end": "2018-06-01T10:57:55.000Z", "kind": "event", - "original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" 
appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2018-06-01T10:57:55.000Z", @@ -7905,6 +6539,7 @@ }, "network": { "bytes": 0, + "community_id": "1:GxdOoNc153FG9L1WhGZ4edd++14=", "packets": 0, "transport": "icmp" }, @@ -7932,14 +6567,6 @@ "id": "16", "ruleset": "1" }, - "server": { - "bytes": 0, - "ip": "10.198.32.19", - "nat": { - "port": 0 - }, - "packets": 0 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -7954,9 +6581,9 @@ "icmp_type": "8", "ips_policy_id": "0", "log_component": "Heartbeat", + "log_id": "016602600006", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "00006", "priority": "Information", "status": "Deny" } @@ -7964,7 +6591,7 @@ "source": { "bytes": 0, "ip": "10.198.37.57", - "mac": "08:00:27:4c:49:e3", + "mac": "08-00-27-4C-49-E3", "nat": { "port": 0 }, @@ -7976,15 +6603,6 @@ }, { "@timestamp": "2018-06-01T10:55:41.000Z", - "client": { - "bytes": 0, - "ip": "10.198.37.57", - "mac": "08:00:27:4c:49:e3", - "nat": { - "port": 0 - }, - "packets": 0 - }, "destination": { "bytes": 0, "geo": { 
@@ -8014,11 +6632,11 @@ "intrusion_detection", "network" ], - "code": "016602600003", + "code": "00003", "duration": 0, "end": "2018-06-01T10:55:41.000Z", "kind": "alert", - "original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" 
appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2018-06-01T10:55:41.000Z", @@ -8035,6 +6653,7 @@ }, "network": { "bytes": 0, + "community_id": "1:Sor11fKmsq4B9ppdtSRcf8VuJ2A=", "packets": 0, "transport": "icmp" }, @@ -8062,26 +6681,6 @@ "id": "16", "ruleset": "1" }, - "server": { - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "nat": { - "port": 0 - }, - "packets": 0 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -8096,9 +6695,9 @@ "icmp_type": "8", "ips_policy_id": "0", "log_component": "Heartbeat", + "log_id": "016602600003", "log_subtype": "Denied", "log_type": "Firewall", - "message_id": "00003", "priority": "Information", "status": "Deny" } @@ -8106,7 +6705,7 @@ "source": { "bytes": 0, "ip": "10.198.37.57", - "mac": "08:00:27:4c:49:e3", + "mac": "08-00-27-4C-49-E3", "nat": { "port": 0 }, @@ -8118,22 +6717,6 @@ }, { "@timestamp": "2020-05-18T14:38:54.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 41528 - }, "destination": { "geo": { "city_name": "Changchun", 
@@ -8159,9 +6742,9 @@ "intrusion_detection", "network" ], - "code": "020804407002", + "code": "07002", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=175.16.199.1 src_country_code=ROU dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=175.16.199.1 src_country_code=ROU dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "outcome": "success", "severity": 4, "type": [ @@ -8176,7 +6759,8 @@ "level": "warning" }, "network": { - "transport": "TCP" + "community_id": "1:EDJ4gi03E1uhPJtd+UqqqK9q3CY=", + "transport": "tcp" }, "observer": { "product": "XG", 
@@ -8197,22 +6781,6 @@ "id": "1881", "name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" }, - "server": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "category": "server-webapp", @@ -8222,9 +6790,9 @@ "fw_rule_id": "25", "idp_policy_id": "7", "log_component": "Signatures", + "log_id": "020804407002", "log_subtype": "Drop", "log_type": "IDP", - "message_id": "07002", "platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", "priority": "Warning", "rule_priority": "2", @@ -8254,22 +6822,6 @@ }, { "@timestamp": "2020-05-18T14:38:55.000Z", - "client": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 58914 - }, "destination": { "geo": { "city_name": "Changchun", 
@@ -8295,9 +6847,9 @@ "intrusion_detection", "network" ], - "code": "020804407002", + "code": "07002", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=175.16.199.1 src_country_code=CHN dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=175.16.199.1 src_country_code=CHN dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", "outcome": "success", "severity": 4, "type": [ @@ -8312,7 +6864,8 @@ "level": "warning" }, "network": { - "transport": "UDP" + "community_id": "1:8vmG13S+Pch17rUwYDWmUvtyF9g=", + "transport": "udp" }, "observer": { "product": "XG", 
@@ -8333,22 +6886,6 @@ "id": "1616", "name": "PROTOCOL-DNS named version attempt" }, - "server": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 53 - }, "sophos": { "xg": { "category": "protocol-dns", @@ -8358,39 +6895,17 @@ "fw_rule_id": "23", "idp_policy_id": "7", "log_component": "Signatures", + "log_id": "020804407002", "log_subtype": "Drop", "log_type": "IDP", - "message_id": "07002", "platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", "priority": "Warning", "rule_priority": "1", "src_country_code": "CHN", "target": "Server" } - }, - "source": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 58914 - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "@timestamp": "2020-05-18T14:38:56.000Z", - "client": { + }, + "source": { "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -8404,8 +6919,14 @@ "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", - "port": 59476 + "port": 58914 }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-05-18T14:38:56.000Z", "destination": { "geo": { "city_name": "Changchun", 
@@ -8431,9 +6952,9 @@ "intrusion_detection", "network" ], - "code": "020804407002", + "code": "07002", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=175.16.199.1 src_country_code=NLD dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=175.16.199.1 src_country_code=NLD dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "outcome": "success", "severity": 4, "type": [ @@ -8448,7 +6969,8 @@ "level": "warning" }, "network": { - "transport": "TCP" + "community_id": "1:cPgLTsEdLZsqgK3HaTsKG6p+oLM=", + "transport": "tcp" }, "observer": { "product": "XG", 
@@ -8469,22 +6991,6 @@ "id": "53589", "name": "SERVER-WEBAPP DrayTek multiple products command injection attempt" }, - "server": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 80 - }, "sophos": { "xg": { "category": "server-webapp", @@ -8494,9 +7000,9 @@ "fw_rule_id": "25", "idp_policy_id": "7", "log_component": "Signatures", + "log_id": "020804407002", "log_subtype": "Drop", "log_type": "IDP", - "message_id": "07002", "platform": "Linux,Mac,Other,Unix,Windows", "priority": "Warning", "rule_priority": "2", @@ -8526,10 +7032,6 @@ }, { "@timestamp": "2018-05-23T16:20:34.000Z", - "client": { - "ip": "10.0.0.168", - "port": 28938 - }, "destination": { "ip": "10.1.1.234", "port": 25 
@@ -8543,9 +7045,9 @@ "intrusion_detection", "network" ], - "code": "020703406001", + "code": "06001", "kind": "alert", - "original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "outcome": "success", "severity": 4, "type": [ @@ -8560,7 +7062,8 @@ "level": "warning" }, "network": { - "transport": "TCP" + "community_id": "1:U2yQKH6TWkggtH81oE8Yw/5bA30=", + "transport": "tcp" }, "observer": { "product": "XG", @@ -8582,10 +7085,6 @@ "id": "26022", "name": "FILE-PDF EmbeddedFile contained within a PDF" }, - "server": { - "ip": "10.1.1.234", - "port": 25 - }, "sophos": { "xg": { "category": "Malware Communication", 
@@ -8595,9 +7094,9 @@ "fw_rule_id": "2", "idp_policy_id": "1", "log_component": "Anomaly", + "log_id": "020703406001", "log_subtype": "Detect", "log_type": "IDP", - "message_id": "06001", "platform": "Windows", "priority": "Warning", "rule_priority": "1", @@ -8615,10 +7114,6 @@ }, { "@timestamp": "2018-05-23T16:16:43.000Z", - "client": { - "ip": "10.0.1.31", - "port": 40140 - }, "destination": { "ip": "10.1.0.115", "port": 25 @@ -8632,9 +7127,9 @@ "intrusion_detection", "network" ], - "code": "020704406002", + "code": "06002", "kind": "alert", - "original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "outcome": "success", "severity": 4, "type": [ 
@@ -8649,7 +7144,8 @@ "level": "warning" }, "network": { - "transport": "TCP" + "community_id": "1:ZiG8ga1b+BkNsFyuxbnjyDn2xjQ=", + "transport": "tcp" }, "observer": { "product": "XG", @@ -8671,10 +7167,6 @@ "id": "26022", "name": "FILE-PDF EmbeddedFile contained within a PDF" }, - "server": { - "ip": "10.1.0.115", - "port": 25 - }, "sophos": { "xg": { "category": "Malware Communication", @@ -8684,9 +7176,9 @@ "fw_rule_id": "2", "idp_policy_id": "1", "log_component": "Anomaly", + "log_id": "020704406002", "log_subtype": "Drop", "log_type": "IDP", - "message_id": "06002", "platform": "Windows", "priority": "Warning", "rule_priority": "1", @@ -8712,10 +7204,11 @@ "category": [ "network" ], - "code": "138301618041", + "code": "18041", "kind": "event", - "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "outcome": "success", + "reason": "eligible", "severity": 6, "type": [ "allowed", @@ -8748,11 +7241,10 @@ "device": "SFW", "device_name": "CR750iNG-XP", "log_component": "Mail", + "log_id": "138301618041", "log_subtype": "Allowed", "log_type": "Sandbox", - "message_id": "18041", - "priority": "Information", - "reason": "eligible" + "priority": "Information" } }, "tags": [ 
@@ -8761,12 +7253,6 @@ }, { "@timestamp": "2017-01-31T14:52:11.000Z", - "client": { - "ip": "10.198.47.112", - "user": { - "name": "jsmith@iview.com" - } - }, "ecs": { "version": "8.0.0" }, @@ -8776,10 +7262,11 @@ "malware", "network" ], - "code": "138302218042", + "code": "18042", "kind": "alert", - "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "outcome": "success", + "reason": "cached malicious", "severity": 2, "type": [ "denied", @@ -8791,6 +7278,7 @@ "sha1": "83cd339302bf5e8ed5240ca6383418089c337a81" }, "mime_type": "application/octet-stream", + "name": "1.exe", "size": 153006 }, "host": { @@ -8823,13 +7311,11 @@ "xg": { "device": "SFW", "device_name": "CR750iNG-XP", - "filename": "1.exe", "log_component": "Mail", + "log_id": "138302218042", "log_subtype": "Denied", "log_type": "Sandbox", - "message_id": "18042", "priority": "Critical", - "reason": "cached malicious", "source": "jsmith@iview.com" } }, 
@@ -8853,10 +7339,11 @@ "category": [ "network" ], - "code": "136501618041", + "code": "18041", "kind": "event", - "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "outcome": "success", + "reason": "eligible", "severity": 6, "type": [ "allowed", @@ -8889,11 +7376,10 @@ "device": "SFW", "device_name": "CR750iNG-XP", "log_component": "Web", + "log_id": "136501618041", "log_subtype": "Allowed", "log_type": "Sandbox", - "message_id": "18041", - "priority": "Information", - "reason": "eligible" + "priority": "Information" } }, "tags": [ @@ -8902,11 +7388,8 @@ }, { "@timestamp": "2017-01-31T15:28:25.000Z", - "client": { - "ip": "10.198.47.112", - "user": { - "name": "jsmith" - } + "destination": { + "ip": "10.198.241.50" }, "ecs": { "version": "8.0.0" 
@@ -8916,10 +7399,11 @@ "category": [ "network" ], - "code": "136528618043", + "code": "18043", "kind": "event", - "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", "outcome": "success", + "reason": "pending", "severity": 6, "type": [ "start", @@ -8931,6 +7415,7 @@ "sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" }, "mime_type": "application/octet-stream", + "name": "19.exe", "size": 153010 }, "host": { @@ -8950,10 +7435,12 @@ "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" ], "hosts": [ - "defaulttest.local" + "defaulttest.local", + "10.198.241.50" ], "ip": [ - "10.198.47.112" + "10.198.47.112", + "10.198.241.50" ], "user": [ "jsmith" @@ -8963,14 +7450,11 @@ "xg": { "device": "SFW", "device_name": "CR750iNG-XP", - "filename": "19.exe", "log_component": "Web", + "log_id": "136528618043", "log_subtype": "Pending", "log_type": "Sandbox", - "message_id": "18043", - "priority": "Information", - "reason": "pending", - "source": "10.198.241.50" + "priority": "Information" } }, "source": { 
@@ -8981,15 +7465,15 @@ }, "tags": [ "preserve_original_event" - ] + ], + "url": { + "domain": "10.198.241.50" + } }, { "@timestamp": "2017-01-31T15:28:25.000Z", - "client": { - "ip": "10.198.47.112", - "user": { - "name": "jsmith" - } + "destination": { + "ip": "10.198.241.50" }, "ecs": { "version": "8.0.0" @@ -9000,10 +7484,11 @@ "malware", "network" ], - "code": "136502218042", + "code": "18042", "kind": "alert", - "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", "outcome": "success", + "reason": "cloud malicious", "severity": 2, "type": [ "denied", @@ -9015,6 +7500,7 @@ "sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" }, "mime_type": "application/octet-stream", + "name": "19.exe", "size": 153010 }, "host": { @@ -9034,10 +7520,12 @@ "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" ], "hosts": [ - "defaulttest.local" + "defaulttest.local", + "10.198.241.50" ], "ip": [ - "10.198.47.112" + "10.198.47.112", + "10.198.241.50" ], "user": [ "jsmith" 
@@ -9047,14 +7535,11 @@ "xg": { "device": "SFW", "device_name": "CR750iNG-XP", - "filename": "19.exe", "log_component": "Web", + "log_id": "136502218042", "log_subtype": "Denied", "log_type": "Sandbox", - "message_id": "18042", - "priority": "Critical", - "reason": "cloud malicious", - "source": "10.198.241.50" + "priority": "Critical" } }, "source": { @@ -9065,12 +7550,15 @@ }, "tags": [ "preserve_original_event" - ] + ], + "url": { + "domain": "10.198.241.50" + } }, { "@timestamp": "2020-05-18T14:38:36.000Z", - "client": { - "ip": "175.16.199.1" + "destination": { + "domain": "sophostest.com" }, "ecs": { "version": "8.0.0" @@ -9081,10 +7569,11 @@ "malware", "network" ], - "code": "136502218042", + "code": "18042", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=175.16.199.1 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=175.16.199.1 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "outcome": "success", + "reason": "cached malicious", "severity": 2, "type": [ "denied", @@ -9096,6 +7585,7 @@ "sha1": "d910c4a81122c360fe57f67a04999425a65249db" }, "mime_type": "application/pdf", + "name": "SBTestFile1.pdf", "size": 1124 }, "host": { 
@@ -9115,7 +7605,8 @@ "d910c4a81122c360fe57f67a04999425a65249db" ], "hosts": [ - "defaulttest.local" + "defaulttest.local", + "sophostest.com" ], "ip": [ "175.16.199.1" @@ -9125,27 +7616,14 @@ "xg": { "device": "SFW", "device_name": "CR750iNG-XP", - "filename": "SBTestFile1.pdf", "log_component": "Web", + "log_id": "136502218042", "log_subtype": "Denied", "log_type": "Sandbox", - "message_id": "18042", - "priority": "Critical", - "reason": "cached malicious", - "source": "sophostest.com" + "priority": "Critical" } }, "source": { - "ip": "175.16.199.1" - }, - "tags": [ - "preserve_original_event" - ] - }, - { - "@timestamp": "2020-05-18T14:38:46.000Z", - "client": { - "bytes": 1419, "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -9160,6 +7638,15 @@ }, "ip": "175.16.199.1" }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "sophostest.com" + } + }, + { + "@timestamp": "2020-05-18T14:38:46.000Z", "destination": { "bytes": 401, "geo": { 
@@ -9185,9 +7672,10 @@ "intrusion_detection", "network" ], - "code": "075000617071", + "code": "17071", + "duration": 11199000, "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 
reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", "severity": 6, "type": [ "denied", @@ -9220,22 +7708,6 @@ "175.16.199.1" ] }, - "server": { - "bytes": 401, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1" - }, "sophos": { "xg": { "cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL", @@ -9244,11 +7716,10 @@ "fw_rule_id": "79", "host": "175.16.199.1", "log_component": "Web Application Firewall", + "log_id": "075000617071", "log_type": "WAF", - "message_id": "17071", "priority": "Information", "querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", - "responsetime": 11199, "server": "webmail.elasticuser.com" } }, @@ -9280,22 +7751,6 @@ }, { "@timestamp": "2020-05-18T14:38:47.000Z", - "client": { - "bytes": 1774, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1" - }, "destination": { "bytes": 200, "geo": { 
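Review bot: The new `event.duration` of 11199000 in the `@@ -9185,9 +7672,10 @@` hunk is `responsetime=11199` multiplied by 1000, so the pipeline treats `responsetime` as microseconds when filling ECS's nanosecond field; if Sophos reports WAF response time in milliseconds the stored duration is 1000x too small, so the unit should be confirmed against the Sophos WAF field reference and the factor documented in the pipeline, e.g. `# responsetime is reported in microseconds; event.duration is nanoseconds`. The same derived value is pinned in the hunks at L1084–L1085 (14086000), L1086 (19310000), L1088 (403214000) and L1090 (608000). This file is a generated expected-output fixture, so the change belongs in the pipeline and the fixture should be regenerated afterwards.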
@@ -9321,9 +7776,10 @@ "intrusion_detection", "network" ], - "code": "075000617071", + "code": "17071", + "duration": 14086000, "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST 
httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", "severity": 6, "type": [ "denied", @@ -9356,22 +7812,6 @@ "175.16.199.1" ] }, - "server": { - "bytes": 200, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1" - }, "sophos": { "xg": { "contenttype": "application/mapi-http", @@ -9381,11 +7821,10 @@ "fw_rule_id": "79", "host": "175.16.199.1", "log_component": "Web Application Firewall", + "log_id": "075000617071", "log_type": "WAF", - "message_id": "17071", "priority": "Information", "querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", - "responsetime": 14086, "server": "webmail.elasticuser.com" } }, @@ -9417,13 +7856,6 @@ }, { "@timestamp": "2020-05-19T17:20:29.000Z", - "client": { - "bytes": 510, - "ip": "10.198.235.254", - "user": { - "name": "jsmith" - } - }, "destination": { "bytes": 403, "ip": "10.198.233.48" 
@@ -9437,10 +7869,12 @@ "intrusion_detection", "network" ], - "code": "075000617071", + "code": "17071", + "duration": 19310000, "kind": "alert", - "original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", "outcome": "success", + "reason": "Static URL Hardening", "severity": 6, "type": [ "denied", @@ -9477,10 +7911,6 @@ "jsmith" ] }, - "server": { - "bytes": 403, - "ip": "10.198.233.48" - }, "sophos": { "xg": { "contenttype": "text/html", 
@@ -9490,11 +7920,9 @@ "fw_rule_id": "3", "host": "10.198.235.254", "log_component": "Web Application Firewall", + "log_id": "075000617071", "log_type": "WAF", - "message_id": "17071", "priority": "Information", - "reason": "Static URL Hardening", - "responsetime": 19310, "server": "www.iviewtest.com:8989" } }, @@ -9517,13 +7945,6 @@ }, { "@timestamp": "2020-05-19T18:03:30.000Z", - "client": { - "bytes": 715, - "ip": "10.198.235.254", - "user": { - "name": "jsmith" - } - }, "destination": { "bytes": 403, "ip": "10.198.233.48" 
@@ -9537,10 +7958,12 @@ "malware", "network" ], - "code": "075000617071", + "code": "17071", + "duration": 403214000, "kind": "alert", - "original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", "outcome": "success", + "reason": "Antivirus", "severity": 6, "type": [ "denied", 
@@ -9578,13 +8001,8 @@ "jsmith" ] }, - "server": { - "bytes": 403, - "ip": "10.198.233.48" - }, "sophos": { "xg": { - "PHPSESSID": "jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*", "contenttype": "text/html", "cookie": ";", "device": "SFW", @@ -9593,11 +8011,10 @@ "fw_rule_id": "6", "host": "10.198.235.254", "log_component": "Web Application Firewall", + "log_id": "075000617071", "log_type": "WAF", - "message_id": "17071", + "phpsessid": "jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*", "priority": "Information", - "reason": "Antivirus", - "responsetime": 403214, "server": "www.iviewtest.com:8990" } }, @@ -9620,22 +8037,6 @@ }, { "@timestamp": "2020-05-20T18:03:31.000Z", - "client": { - "bytes": 295, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1" - }, "destination": { "bytes": 403, "geo": { 
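Review bot: The expected output in the `@@ -9593,11 +8011,10 @@` hunk still carries a `sophos.xg.phpsessid` field holding the session id plus the rest of the cookie while `sophos.xg.cookie` is reduced to `";"`; the rename from `PHPSESSID` only lowercases what looks like a mis-parse, where the key/value split tokenizes on whitespace inside the quoted `cookie="..."` value. The same tokenizing shows in the L1091 hunk, where the quoted `extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): ..."` value is left as `sophos.xg.sqli: ","` and `sophos.xg.xss: "): Last Matched Message: ..."`, both untouched by this commit. Letting cookie names from the log line become field names also means client-controlled cookie names can create arbitrary dynamic fields, and session tokens end up under unmapped keys. The fix belongs in the pipeline's KV step (keep the whole quoted value under `sophos.xg.cookie` and `sophos.xg.extra`), after which this fixture should drop `phpsessid`, `sqli` and `xss` rather than pin them.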
@@ -9661,10 +8062,12 @@ "intrusion_detection", "network" ], - "code": "075000617071", + "code": "17071", + "duration": 608000, "kind": "alert", - "original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", + "original": "\u003c30\u003edevice=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", "outcome": "success", + "reason": "WAF Anomaly", "severity": 6, "type": [ "denied", @@ -9697,22 +8100,6 @@ "175.16.199.1" ] }, - "server": { - "bytes": 403, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1" - }, "sophos": { "xg": { "contenttype": "text/html", 
@@ -9722,11 +8109,9 @@ "fw_rule_id": "3", "host": "175.16.199.1", "log_component": "Web Application Firewall", + "log_id": "075000617071", "log_type": "WAF", - "message_id": "17071", "priority": "Information", - "reason": "WAF Anomaly", - "responsetime": 608, "sqli": ",", "xss": "): Last Matched Message: Request Missing a User Agent Header" } @@ -9760,9 +8145,9 @@ "version": "8.0.0" }, "event": { - "code": "106025618011", + "code": "18011", "kind": "event", - "original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2", "outcome": "success", "severity": 6 }, @@ -9786,13 +8171,13 @@ "sophos": { "xg": { "ap": "A40024A636F7862", - "clients_conn_ssid": "2", + "clients_conn_ssid": 2, "device": "SFW", "device_name": "SG115", "log_component": "Wireless Protection", + "log_id": "106025618011", "log_subtype": "Information", "log_type": "Wireless Protection", - "message_id": "18011", "priority": "Information", "ssid": "SPIDIGO2015" } 
@@ -9807,9 +8192,9 @@ "version": "8.0.0" }, "event": { - "code": "106025618011", + "code": "18011", "kind": "event", - "original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3", + "original": "\u003c30\u003edevice=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3", "outcome": "success", "severity": 6 }, @@ -9833,13 +8218,13 @@ "sophos": { "xg": { "ap": "A40024A636F7862", - "clients_conn_ssid": "3", + "clients_conn_ssid": 3, "device": "SFW", "device_name": "SG115", "log_component": "Wireless Protection", + "log_id": "106025618011", "log_subtype": "Information", "log_type": "Wireless Protection", - "message_id": "18011", "priority": "Information", "ssid": "SPIDIGO2015" } @@ -9850,35 +8235,6 @@ }, { "@timestamp": "2021-02-11T13:12:45.000Z", - "client": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 0, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "11:22:33:44:55:66", - "nat": { - "ip": "216.160.83.57", - "port": 0 - }, - "packets": 0, - "port": 33370 - }, "destination": { "as": { "number": 209 @@ -9897,7 +8253,7 @@ "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", - "mac": "66:55:44:33:22:11", + "mac": "66-55-44-33-22-11", "nat": { "ip": "216.160.83.61", "port": 0 
@@ -9913,11 +8269,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 0, "end": "2021-02-11T13:12:45.000Z", "kind": "event", - "original": "device=\"SFW\" date=2021-02-11 time=13:12:45 timezone=\"CET\" device_name=\"XG210\" device_id=dem-dev log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2.109\" in_display_interface=\"CD21-IPs_WAN\" out_interface=\"Port5.200\" out_display_interface=\"Port5\" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=89.160.20.156 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol=\"TCP\" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype=\"WAN\" srczone=\"WAN\" dstzonetype=\"DMZ\" dstzone=\"Zone 9\" dir_disp=\"\" connevent=\"Start\" connid=\"3933925696\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "\u003c01\u003eFeb 11 13:12:45 _gateway device=\"SFW\" date=2021-02-11 time=13:12:45 timezone=\"CET\" device_name=\"XG210\" device_id=dem-dev log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2.109\" 
in_display_interface=\"CD21-IPs_WAN\" out_interface=\"Port5.200\" out_display_interface=\"Port5\" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=89.160.20.156 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol=\"TCP\" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype=\"WAN\" srczone=\"WAN\" dstzonetype=\"DMZ\" dstzone=\"Zone 9\" dir_disp=\"\" connevent=\"Start\" connid=\"3933925696\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2021-02-11T13:12:45.000Z", @@ -9935,6 +8291,7 @@ }, "network": { "bytes": 0, + "community_id": "1:fLmYp8cKuLtcwaCufNN0d0wZDLY=", "packets": 0, "transport": "tcp" }, @@ -9971,32 +8328,6 @@ "id": "9", "ruleset": "1" }, - "server": { - "as": { - "number": 209 - }, - "bytes": 0, - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "mac": "66:55:44:33:22:11", - "nat": { - "ip": "216.160.83.61", - "port": 0 - }, - "packets": 0, - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -10014,9 +8345,9 @@ "iap": "0", "ips_policy_id": "0", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", - "message_id": "00001", "priority": "Information", "src_country_code": "ESP", "src_zone_type": "WAN", @@ -10044,7 +8375,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "11:22:33:44:55:66", + "mac": "11-22-33-44-55-66", "nat": { "ip": "216.160.83.57", "port": 0 
@@ -10058,21 +8389,10 @@ }, { "@timestamp": "2020-06-05T03:45:23.000Z", - "client": { - "bytes": 0, - "ip": "10.146.13.30", - "mac": "00:50:56:99:51:94", - "nat": { - "ip": "10.8.13.110", - "port": 0 - }, - "packets": 0, - "port": 45294 - }, "destination": { "bytes": 0, "ip": "10.8.142.181", - "mac": "00:50:56:99:3D:AC", + "mac": "00-50-56-99-3D-AC", "nat": { "port": 0 }, 
@@ -10087,11 +8407,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 0, "end": "2020-06-05T03:45:23.000Z", "kind": "event", - "original": "device=\"SFW\" date=2020-06-05 time=03:45:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name=\"\" user_gp=\"\" iap=13 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2\" in_display_interface=\"Port2\" out_interface=\"Port1\" out_display_interface=\"Port1\" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2674291981\" vconnid=\"\" hb_health=\"No Heartbeat\"message=\"\" appresolvedby=\"Signature\" app_is_cloud=0 log_occurrence=1", + "original": "\u003c01\u003edevice=\"SFW\" date=2020-06-05 time=03:45:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name=\"\" user_gp=\"\" iap=13 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2\" in_display_interface=\"Port2\" 
out_interface=\"Port1\" out_display_interface=\"Port1\" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2674291981\" vconnid=\"\" hb_health=\"No Heartbeat\"message=\"\" appresolvedby=\"Signature\" app_is_cloud=0 log_occurrence=1", "outcome": "success", "severity": 6, "start": "2020-06-05T03:45:23.000Z", @@ -10109,6 +8429,7 @@ }, "network": { "bytes": 0, + "community_id": "1:2Z/T6XpjT4zBcdXNDaLCpNp/2uo=", "direction": "outbound", "packets": 0, "transport": "tcp" @@ -10145,16 +8466,6 @@ "id": "5", "ruleset": "1" }, - "server": { - "bytes": 0, - "ip": "10.8.142.181", - "mac": "00:50:56:99:3D:AC", - "nat": { - "port": 0 - }, - "packets": 0, - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "0", @@ -10171,9 +8482,9 @@ "iap": "13", "ips_policy_id": "0", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", - "message_id": "00001", "priority": "Information", "src_zone_type": "LAN", "status": "Allow" @@ -10182,7 +8493,7 @@ "source": { "bytes": 0, "ip": "10.146.13.30", - "mac": "00:50:56:99:51:94", + "mac": "00-50-56-99-51-94", "nat": { "ip": "10.8.13.110", "port": 0 diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json index 21cb12e5a51..3c7bf225121 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json 
@@ -2,10 +2,6 @@ "expected": [ { "@timestamp": "2021-11-16T00:28:48.000Z", - "client": { - "ip": "192.168.2.32", - "port": 44740 - }, "destination": { "ip": "192.168.1.15", "port": 22083 @@ -19,9 +15,9 @@ "malware", "network" ], - "code": "054402617051", + "code": "17051", "kind": "alert", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:48-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"UDP\" src_port=44740 dst_port=22083 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", + "original": "Nov 16 00:28:48 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:28:48-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"UDP\" src_port=44740 dst_port=22083 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", "outcome": "success", "severity": 6, "type": [ @@ -37,6 +33,7 @@ "level": "Information" }, "network": { + "community_id": "1:kdzp9Tsl6hwRu0vniAYiYJbMFVM=", "transport": "udp" }, "observer": { @@ -55,10 +52,6 @@ "192.168.1.15" ] }, - "server": { - "ip": "192.168.1.15", - "port": 22083 - }, "sophos": { "xg": { "app_category": "P2P", 
@@ -72,10 +65,10 @@ "device_name": "SFW", "fw_rule_id": "12", "log_component": "Application", + "log_id": "054402617051", "log_subtype": "Denied", "log_type": "Content Filtering", "log_version": "1", - "message_id": "17051", "qualifier": "New" } }, @@ -89,11 +82,6 @@ }, { "@timestamp": "2021-11-16T00:28:51.000Z", - "client": { - "bytes": 19591, - "ip": "192.168.2.111", - "port": 50931 - }, "destination": { "as": { "number": 29518, 
@@ -125,9 +113,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:51-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173026752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:28:51 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:28:51-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173026752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -142,6 +130,9 @@ "level": "Information" }, "network": { + "bytes": 2875676, + "community_id": "1:Csn8PpYg1ZmzntVBK+msiz/odY0=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -159,36 +150,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "hls14.asiancdn.net" ], "ip": [ "192.168.2.111", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2856085, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -200,10 +169,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -227,11 +196,6 @@ }, { "@timestamp": "2021-11-16T00:28:57.000Z", - "client": { - "bytes": 12138, - "ip": "192.168.2.111", - "port": 50932 - }, "destination": { "as": { "number": 29518, 
@@ -263,9 +227,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2694936768 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:28:57 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:28:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2694936768 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -280,6 +244,9 @@ "level": "Information" }, "network": { + "bytes": 1720568, + "community_id": "1:SaRGAGzTVUTVBIyokttfH+yRSwI=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -297,36 +264,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "hls14.asiancdn.net" ], "ip": [ "192.168.2.111", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 1708430, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -338,10 +283,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -365,11 +310,6 @@ }, { "@timestamp": "2021-11-16T00:29:03.000Z", - "client": { - "bytes": 15419, - "ip": "192.168.2.111", - "port": 50933 - }, "destination": { "as": { "number": 29518, 
@@ -401,9 +341,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564230592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:03 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564230592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -418,6 +358,9 @@ "level": "Information" }, "network": { + "bytes": 2623624, + "community_id": "1:r8wYU05a+4c2n2poaAKA259mN6Y=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -435,36 +378,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "hls14.asiancdn.net" ], "ip": [ "192.168.2.111", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2608205, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -476,10 +397,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -503,11 +424,6 @@ }, { "@timestamp": "2021-11-16T00:29:06.000Z", - "client": { - "bytes": 77, - "ip": "192.168.2.112", - "port": 54640 - }, "destination": { "as": { "number": 29518, 
@@ -539,9 +455,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2617088192 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "original": "Nov 16 00:29:06 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2617088192 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", "outcome": "success", "severity": 6, "type": [ 
@@ -561,6 +477,9 @@ "level": "Information" }, "network": { + "bytes": 326, + "community_id": "1:NFfaZD5IoXwz7eyppT22qmM82dY=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -578,36 +497,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "info.cspserver.net" ], "ip": [ "192.168.2.112", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 249, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -620,10 +517,10 @@ "http_category": "General Business", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -647,11 +544,6 @@ }, { "@timestamp": "2021-11-16T00:29:07.000Z", - "client": { - "bytes": 2128, - "ip": "192.168.2.110", - "port": 53392 - }, "destination": { "as": { "number": 29518, 
@@ -683,9 +575,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://array611.prod.do.dsp.mp.microsoft.com\" src_ip=\"192.168.2.110\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain=\"array611.prod.do.dsp.mp.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2916030976 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"IRL\"", + "original": "Nov 16 00:29:07 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://array611.prod.do.dsp.mp.microsoft.com\" src_ip=\"192.168.2.110\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain=\"array611.prod.do.dsp.mp.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2916030976 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"IRL\"", "outcome": "success", "severity": 6, "type": [ 
@@ -700,6 +592,9 @@ "level": "Information" }, "network": { + "bytes": 5639, + "community_id": "1:Em3NreZhueZHrTeyBji2blGwOz8=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -717,36 +612,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "array611.prod.do.dsp.mp.microsoft.com" ], "ip": [ "192.168.2.110", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 3511, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -759,10 +632,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -786,11 +659,6 @@ }, { "@timestamp": "2021-11-16T00:29:11.000Z", - "client": { - "bytes": 16674, - "ip": "192.168.2.111", - "port": 50934 - }, "destination": { "as": { "number": 29518, 
@@ -822,9 +690,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564227072 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:11 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564227072 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -839,6 +707,9 @@ "level": "Information" }, "network": { + "bytes": 2585718, + "community_id": "1:DfAz+UzPu5vz4RAwuBfPTAoAVls=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -856,36 +727,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "hls14.asiancdn.net" ], "ip": [ "192.168.2.111", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2569044, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -897,10 +746,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -924,11 +773,6 @@ }, { "@timestamp": "2021-11-16T00:29:16.000Z", - "client": { - "bytes": 260, - "ip": "192.168.2.131", - "port": 40230 - }, "destination": { "as": { "number": 29518, 
@@ -960,9 +804,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"89.160.20.156\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=3159010752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:16 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"89.160.20.156\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=3159010752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ 
@@ -982,6 +826,9 @@ "level": "Information" }, "network": { + "bytes": 567, + "community_id": "1:Hal1gzFwp7aokU2Q+9oFs90SEGg=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -999,36 +846,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "89.160.20.156" ], "ip": [ "192.168.2.131", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 307, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 8089 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -1041,10 +866,10 @@ "http_category": "IPAddress", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -1070,11 +895,6 @@ }, { "@timestamp": "2021-11-16T00:29:20.000Z", - "client": { - "bytes": 13804, - "ip": "192.168.2.162", - "port": 53421 - }, "destination": { "as": { "number": 29518, 
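Review bot: `related.hosts` now receives `89.160.20.156`, an IP literal copied from the log's `domain="89.160.20.156"` field, while the same address is already listed under `related.ip`. ECS `related.hosts` is intended for hostnames, so the pipeline step that appends `domain` (not visible in this diff) should probably skip values that parse as an IP address, for example an `if` guard on that append processor. The two `tivo-service` events further down (hunks `@@ -1283` and `@@ -1428`) show the same duplication.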
@@ -1106,9 +926,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:20-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://mtalk.google.com\" src_ip=\"192.168.2.162\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain=\"mtalk.google.com\" http_status=\"0\" con_id=172826048 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:20 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:20-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://mtalk.google.com\" src_ip=\"192.168.2.162\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain=\"mtalk.google.com\" http_status=\"0\" con_id=172826048 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -1123,6 +943,9 @@ "level": "Information" }, "network": { + "bytes": 47532, + "community_id": "1:o5qH8WRtJT5uGoA1BB1EiDupDNs=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -1140,36 +963,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "mtalk.google.com" ], "ip": [ "192.168.2.162", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 33728, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -1181,10 +982,10 @@ "http_category": "Online Chat", "http_category_type": "Unproductive", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -1208,11 +1009,6 @@ }, { "@timestamp": "2021-11-16T00:29:21.000Z", - "client": { - "bytes": 240, - "ip": "192.168.2.131", - "port": 33541 - }, "destination": { "as": { "number": 29518, 
@@ -1244,9 +1040,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:21-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156/tivo-service/mercury.cgi\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain=\"89.160.20.156\" http_status=\"200\" con_id=175812032 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:21 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:21-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156/tivo-service/mercury.cgi\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain=\"89.160.20.156\" http_status=\"200\" con_id=175812032 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -1266,6 +1062,9 @@ "level": "Information" }, "network": { + "bytes": 376, + "community_id": "1:wdOIzLMF/28+ndJhxFRgEGCZmKk=", + "protocol": "http", "transport": "tcp" }, "observer": { 
@@ -1283,36 +1082,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "89.160.20.156" ], "ip": [ "192.168.2.131", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 136, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -1325,10 +1102,10 @@ "http_category": "IPAddress", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -1353,11 +1130,6 @@ }, { "@timestamp": "2021-11-16T00:29:22.000Z", - "client": { - "bytes": 253, - "ip": "192.168.2.131", - "port": 46564 - }, "destination": { "as": { "number": 29518, 
@@ -1389,9 +1161,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156/tivo-service/mlog.cgi?gzip\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123 domain=\"89.160.20.156\" http_status=\"200\" con_id=175808832 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:22 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156/tivo-service/mlog.cgi?gzip\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123 domain=\"89.160.20.156\" http_status=\"200\" con_id=175808832 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -1411,6 +1183,9 @@ "level": "Information" }, "network": { + "bytes": 376, + "community_id": "1:IMfuJjuuYcw4Pk9oPUtwFwRZx0g=", + "protocol": "http", "transport": "tcp" }, "observer": { 
@@ -1428,36 +1203,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "89.160.20.156" ], "ip": [ "192.168.2.131", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 123, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -1470,10 +1223,10 @@ "http_category": "IPAddress", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -1499,11 +1252,6 @@ }, { "@timestamp": "2021-11-16T00:29:22.000Z", - "client": { - "bytes": 10131, - "ip": "192.168.2.111", - "port": 50935 - }, "destination": { "as": { "number": 29518, 
@@ -1535,9 +1283,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2719000448 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:22 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2719000448 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -1552,6 +1300,9 @@ "level": "Information" }, "network": { + "bytes": 1844208, + "community_id": "1:Ym0Dtp3bBAiwkKiZT1KKaPNn9ok=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -1569,36 +1320,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "hls14.asiancdn.net" ], "ip": [ "192.168.2.111", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 1834077, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -1610,10 +1339,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -1637,11 +1366,6 @@ }, { "@timestamp": "2021-11-16T00:29:23.000Z", - "client": { - "bytes": 18152, - "ip": "192.168.2.41", - "port": 20492 - }, "destination": { "as": { "number": 29518, 
@@ -1673,9 +1397,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://alive.github.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain=\"alive.github.com\" http_status=\"0\" con_id=2721561088 app_name=\"GitHub\" app_is_cloud=\"TRUE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=1 app_category=\"Storage and Backup\"", + "original": "Nov 16 00:29:23 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://alive.github.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain=\"alive.github.com\" http_status=\"0\" con_id=2721561088 app_name=\"GitHub\" app_is_cloud=\"TRUE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=1 app_category=\"Storage and Backup\"", "outcome": "success", "severity": 6, "type": [ 
@@ -1690,6 +1414,9 @@ "level": "Information" }, "network": { + "bytes": 30042, + "community_id": "1:ZUzwaMPM3XZrfde1TPFMJBJ9mfU=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -1707,36 +1434,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "alive.github.com" ], "ip": [ "192.168.2.41", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 11890, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_category": "Storage and Backup", @@ -1751,10 +1456,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" @@ -1778,11 +1483,6 @@ }, { "@timestamp": "2021-11-16T00:29:26.000Z", - "client": { - "bytes": 1361, - "ip": "192.168.3.36", - "port": 37906 - }, "destination": { "bytes": 3059, "ip": "192.168.2.90", 
@@ -1796,9 +1496,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:26-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37906 dst_port=8089 bytes_sent=1361 bytes_received=3059 domain=\"192.168.2.90\" http_status=\"0\" con_id=175809792 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", + "original": "Nov 16 00:29:26 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:26-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37906 dst_port=8089 bytes_sent=1361 bytes_received=3059 domain=\"192.168.2.90\" http_status=\"0\" con_id=175809792 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", "outcome": "success", "severity": 6, "type": [ @@ -1813,6 +1513,9 @@ "level": "Information" }, "network": { + "bytes": 4420, + "community_id": "1:b4+4yl7OfeA6320XWxbvay6xZpM=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -1830,18 +1533,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "192.168.2.90" ], "ip": [ "192.168.3.36", "192.168.2.90" ] }, - "server": { - "bytes": 3059, - "ip": "192.168.2.90", - "port": 8089 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -1853,10 +1552,10 @@ "http_category": "IPAddress", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "DMZ", "used_quota": "0", "web_policy_id": "4" @@ -1880,11 +1579,6 @@ }, { "@timestamp": "2021-11-16T00:29:28.000Z", - "client": { - "bytes": 1752, - "ip": "192.168.2.41", - "port": 22569 - }, "destination": { "as": { "number": 29518, 
@@ -1916,9 +1610,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tpcf.feedify.net\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22569 dst_port=443 bytes_sent=1752 bytes_received=1556 domain=\"tpcf.feedify.net\" http_status=\"0\" con_id=2685143552 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:28 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tpcf.feedify.net\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22569 dst_port=443 bytes_sent=1752 bytes_received=1556 domain=\"tpcf.feedify.net\" http_status=\"0\" con_id=2685143552 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -1933,6 +1627,9 @@ "level": "Information" }, "network": { + "bytes": 3308, + "community_id": "1:ifHEt+ajoYqJwU0rCxIJhwMTh8g=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -1950,36 +1647,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "tpcf.feedify.net" ], "ip": [ "192.168.2.41", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 1556, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -1991,10 +1666,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" @@ -2018,11 +1693,6 @@ }, { "@timestamp": "2021-11-16T00:29:28.000Z", - "client": { - "bytes": 12938, - "ip": "192.168.2.111", - "port": 50936 - }, "destination": { "as": { "number": 29518, 
@@ -2054,9 +1724,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173140160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:28 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173140160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -2071,6 +1741,9 @@ "level": "Information" }, "network": { + "bytes": 2529742, + "community_id": "1:tC5hSTsnnzxqPFTnZztZbr+/oEg=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -2088,36 +1761,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "hls14.asiancdn.net" ], "ip": [ "192.168.2.111", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2516804, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -2129,10 +1780,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -2156,11 +1807,6 @@ }, { "@timestamp": "2021-11-16T00:29:32.000Z", - "client": { - "bytes": 8057, - "ip": "192.168.2.109", - "port": 49505 - }, "destination": { "as": { "number": 29518, 
@@ -2192,9 +1838,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:32-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://logsink.devices.nest.com\" src_ip=\"192.168.2.109\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain=\"logsink.devices.nest.com\" http_status=\"0\" con_id=3159009472 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:32 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:32-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://logsink.devices.nest.com\" src_ip=\"192.168.2.109\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain=\"logsink.devices.nest.com\" http_status=\"0\" con_id=3159009472 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -2209,6 +1855,9 @@ "level": "Information" }, "network": { + "bytes": 9316, + "community_id": "1:TZxGmibZT/JSgzth4BPsQZ/LAIs=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -2226,36 +1875,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "logsink.devices.nest.com" ], "ip": [ "192.168.2.109", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 1259, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -2267,10 +1894,10 @@ "http_category": "General Business", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -2294,10 +1921,6 @@ }, { "@timestamp": "2021-11-16T00:29:33.000Z", - "client": { - "ip": "192.168.2.32", - "port": 44740 - }, "destination": { "as": { "number": 29518, 
@@ -2329,9 +1952,9 @@ "malware", "network" ], - "code": "054402617051", + "code": "17051", "kind": "alert", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=44740 dst_port=4000 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", + "original": "Nov 16 00:29:33 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=44740 dst_port=4000 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", "outcome": "success", "severity": 6, "type": [ @@ -2347,6 +1970,7 @@ "level": "Information" }, "network": { + "community_id": "1:3wmNcX69U8cF3UDQABQrl1EGreY=", "transport": "udp" }, "observer": { 
@@ -2365,28 +1989,6 @@ "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 4000 - }, "sophos": { "xg": { "app_category": "P2P", @@ -2400,10 +2002,10 @@ "device_name": "SFW", "fw_rule_id": "12", "log_component": "Application", + "log_id": "054402617051", "log_subtype": "Denied", "log_type": "Content Filtering", "log_version": "1", - "message_id": "17051", "qualifier": "New" } }, @@ -2417,11 +2019,6 @@ }, { "@timestamp": "2021-11-16T00:29:36.000Z", - "client": { - "bytes": 77, - "ip": "192.168.2.112", - "port": 39118 - }, "destination": { "as": { "number": 29518, 
@@ -2453,9 +2050,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3729897664 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "original": "Nov 16 00:29:36 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3729897664 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", "outcome": "success", "severity": 6, "type": [ 
@@ -2475,6 +2072,9 @@ "level": "Information" }, "network": { + "bytes": 326, + "community_id": "1:nvxXlOv92Mclh81dZCy/k8fkekM=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -2492,36 +2092,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "info.cspserver.net" ], "ip": [ "192.168.2.112", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 249, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -2534,10 +2112,10 @@ "http_category": "General Business", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -2561,11 +2139,6 @@ }, { "@timestamp": "2021-11-16T00:29:39.000Z", - "client": { - "bytes": 1157, - "ip": "192.168.2.102", - "port": 49030 - }, "destination": { "as": { "number": 29518, 
@@ -2597,9 +2170,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:39-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://api.smartthings.com\" src_ip=\"192.168.2.102\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain=\"api.smartthings.com\" http_status=\"0\" con_id=3729897984 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:39 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:39-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://api.smartthings.com\" src_ip=\"192.168.2.102\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain=\"api.smartthings.com\" http_status=\"0\" con_id=3729897984 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -2614,6 +2187,9 @@ "level": "Information" }, "network": { + "bytes": 5249, + "community_id": "1:bO6b1A3RXqnj2zV2VX1bqxAcsts=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -2631,36 +2207,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "api.smartthings.com" ], "ip": [ "192.168.2.102", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 4092, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -2672,10 +2226,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -2699,11 +2253,6 @@ }, { "@timestamp": "2021-11-16T00:29:40.000Z", - "client": { - "bytes": 474, - "ip": "192.168.2.105", - "port": 52457 - }, "destination": { "as": { "number": 29518, 
@@ -2735,9 +2284,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094\" http_status=\"204\" con_id=407760320 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:40 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094\" http_status=\"204\" con_id=407760320 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" 
dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -2757,6 +2306,9 @@ "level": "Information" }, "network": { + "bytes": 557, + "community_id": "1:oCU3Sbp5u2nmx7vYo7nl7F2Tmxs=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -2774,36 +2326,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "connectivitycheck.gstatic.com" ], "ip": [ "192.168.2.105", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 83, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -2815,10 +2345,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -2842,11 +2372,6 @@ }, { "@timestamp": "2021-11-16T00:29:40.000Z", - "client": { - "bytes": 310, - "ip": "192.168.2.123", - "port": 35596 - }, "destination": { "as": { "number": 29518, 
@@ -2878,9 +2403,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.123\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=35596 dst_port=80 bytes_sent=310 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000\" http_status=\"204\" con_id=3019156928 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:40 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.123\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=35596 dst_port=80 bytes_sent=310 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000\" http_status=\"204\" con_id=3019156928 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" 
dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -2900,6 +2425,9 @@ "level": "Information" }, "network": { + "bytes": 393, + "community_id": "1:7i5wjJVQDAYCaAxdNaVm9UWuJok=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -2917,36 +2445,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "connectivitycheck.gstatic.com" ], "ip": [ "192.168.2.123", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 83, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -2958,10 +2464,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -2985,11 +2491,6 @@ }, { "@timestamp": "2021-11-16T00:29:40.000Z", - "client": { - "bytes": 2182, - "ip": "192.168.2.41", - "port": 22465 - }, "destination": { "as": { "number": 29518, 
@@ -3021,9 +2522,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Business Networking\" http_category_type=\"Acceptable\" url=\"https://realtime.www.linkedin.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain=\"realtime.www.linkedin.com\" http_status=\"0\" con_id=172822528 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:40 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Business Networking\" http_category_type=\"Acceptable\" url=\"https://realtime.www.linkedin.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain=\"realtime.www.linkedin.com\" http_status=\"0\" con_id=172822528 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -3038,6 +2539,9 @@ "level": "Information" }, "network": { + "bytes": 8413, + "community_id": "1:njcJcH1c8px88X8KTvOM3xA44Yc=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -3055,36 +2559,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "realtime.www.linkedin.com" ], "ip": [ "192.168.2.41", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 6231, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -3096,10 +2578,10 @@ "http_category": "Business Networking", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" @@ -3123,11 +2605,6 @@ }, { "@timestamp": "2021-11-16T00:29:42.000Z", - "client": { - "bytes": 91, - "ip": "192.168.3.36", - "port": 56126 - }, "destination": { "as": { "number": 29518, 
@@ -3159,9 +2636,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:42-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"8\" web_policy_id=4 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"http://checkip.dyndns.org/\" content_type=\"text/html\" src_ip=\"192.168.3.36\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain=\"checkip.dyndns.org\" http_user_agent=\"ddclient/3.9.1\" http_status=\"200\" con_id=154693632 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"BRA\"", + "original": "Nov 16 00:29:42 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:42-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"8\" web_policy_id=4 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"http://checkip.dyndns.org/\" content_type=\"text/html\" src_ip=\"192.168.3.36\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain=\"checkip.dyndns.org\" http_user_agent=\"ddclient/3.9.1\" http_status=\"200\" con_id=154693632 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"BRA\"", "outcome": "success", "severity": 6, "type": [ 
@@ -3181,6 +2658,9 @@ "level": "Information" }, "network": { + "bytes": 361, + "community_id": "1:G6+JjmOD5juGo3cckqBxcyawF3U=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -3198,36 +2678,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "checkip.dyndns.org" ], "ip": [ "192.168.3.36", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 270, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -3240,10 +2698,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "DMZ", "used_quota": "0", "web_policy_id": "4" @@ -3267,11 +2725,6 @@ }, { "@timestamp": "2021-11-16T00:29:43.000Z", - "client": { - "bytes": 17223, - "ip": "192.168.2.111", - "port": 50937 - }, "destination": { "as": { "number": 29518, 
@@ -3303,9 +2756,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=407384704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:43 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=407384704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -3320,6 +2773,9 @@ "level": "Information" }, "network": { + "bytes": 2587116, + "community_id": "1:ouwjBAQoT5GbKVqXBJzLuynAOBo=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -3337,36 +2793,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "hls14.asiancdn.net" ], "ip": [ "192.168.2.111", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2569893, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -3378,10 +2812,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -3405,11 +2839,6 @@ }, { "@timestamp": "2021-11-16T00:29:43.000Z", - "client": { - "bytes": 3319, - "ip": "192.168.2.106", - "port": 63937 - }, "destination": { "as": { "number": 29518, 
@@ -3441,9 +2870,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Shopping\" http_category_type=\"Unproductive\" url=\"https://device-metrics-us-2.amazon.com\" src_ip=\"192.168.2.106\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain=\"device-metrics-us-2.amazon.com\" http_status=\"0\" con_id=3019356672 app_name=\"Amazon Shopping\" app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=2 app_category=\"General Internet\"", + "original": "Nov 16 00:29:43 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Shopping\" http_category_type=\"Unproductive\" url=\"https://device-metrics-us-2.amazon.com\" src_ip=\"192.168.2.106\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain=\"device-metrics-us-2.amazon.com\" http_status=\"0\" con_id=3019356672 app_name=\"Amazon Shopping\" app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=2 app_category=\"General Internet\"", "outcome": "success", "severity": 6, "type": [ 
@@ -3458,6 +2887,9 @@ "level": "Information" }, "network": { + "bytes": 8962, + "community_id": "1:Oij/CG07YgFeCicPMgmgSjK/C5k=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -3475,36 +2907,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "device-metrics-us-2.amazon.com" ], "ip": [ "192.168.2.106", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 5643, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_category": "General Internet", @@ -3519,10 +2929,10 @@ "http_category": "Online Shopping", "http_category_type": "Unproductive", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -3546,11 +2956,6 @@ }, { "@timestamp": "2021-11-16T00:29:44.000Z", - "client": { - "bytes": 2144, - "ip": "192.168.2.32", - "port": 59357 - }, "destination": { "as": { "number": 29518, 
@@ -3582,9 +2987,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:44-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.32\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=59357 dst_port=443 bytes_sent=2144 bytes_received=4386 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=3159007232 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:44 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:44-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.32\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=59357 dst_port=443 bytes_sent=2144 bytes_received=4386 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=3159007232 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ 
@@ -3599,6 +3004,9 @@ "level": "Information" }, "network": { + "bytes": 6530, + "community_id": "1:OmT3TnrmUQhfTkabdSWeuBAAwrs=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -3616,36 +3024,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "settings-win.data.microsoft.com" ], "ip": [ "192.168.2.32", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 4386, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -3658,10 +3044,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -3685,11 +3071,6 @@ }, { "@timestamp": "2021-11-16T00:29:47.000Z", - "client": { - "bytes": 1839, - "ip": "192.168.2.156", - "port": 62996 - }, "destination": { "as": { "number": 29518, 
@@ -3721,9 +3102,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://clientservices.googleapis.com\" src_ip=\"192.168.2.156\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain=\"clientservices.googleapis.com\" http_status=\"0\" con_id=2432150656 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:47 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://clientservices.googleapis.com\" src_ip=\"192.168.2.156\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain=\"clientservices.googleapis.com\" http_status=\"0\" con_id=2432150656 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -3738,6 +3119,9 @@ "level": "Information" }, "network": { + "bytes": 3885, + "community_id": "1:jg/7mplGAu9Q4EVpwH0DkGcByjI=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -3755,36 +3139,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "clientservices.googleapis.com" ], "ip": [ "192.168.2.156", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2046, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -3796,10 +3158,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -3823,11 +3185,6 @@ }, { "@timestamp": "2021-11-16T00:29:47.000Z", - "client": { - "bytes": 542, - "ip": "192.168.3.36", - "port": 37912 - }, "destination": { "bytes": 2376, "ip": "192.168.2.90", 
@@ -3841,9 +3198,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37912 dst_port=8089 bytes_sent=542 bytes_received=2376 domain=\"192.168.2.90\" http_status=\"0\" con_id=2721559808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", + "original": "Nov 16 00:29:47 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37912 dst_port=8089 bytes_sent=542 bytes_received=2376 domain=\"192.168.2.90\" http_status=\"0\" con_id=2721559808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", "outcome": "success", "severity": 6, "type": [ @@ -3858,6 +3215,9 @@ "level": "Information" }, "network": { + "bytes": 2918, + "community_id": "1:0WYJly6XHDqS0yWPCrzcHe1jBqM=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -3875,18 +3235,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "192.168.2.90" ], "ip": [ "192.168.3.36", "192.168.2.90" ] }, - "server": { - "bytes": 2376, - "ip": "192.168.2.90", - "port": 8089 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -3898,10 +3254,10 @@ "http_category": "IPAddress", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "DMZ", "used_quota": "0", "web_policy_id": "4" @@ -3925,11 +3281,6 @@ }, { "@timestamp": "2021-11-16T00:29:56.000Z", - "client": { - "bytes": 2680, - "ip": "192.168.2.143", - "port": 49274 - }, "destination": { "as": { "number": 29518, 
@@ -3961,9 +3312,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Entertainment\" http_category_type=\"Unproductive\" url=\"https://api.thetake.com\" src_ip=\"192.168.2.143\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain=\"api.thetake.com\" http_status=\"0\" con_id=2685144512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", + "original": "Nov 16 00:29:56 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Entertainment\" http_category_type=\"Unproductive\" url=\"https://api.thetake.com\" src_ip=\"192.168.2.143\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain=\"api.thetake.com\" http_status=\"0\" con_id=2685144512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", "outcome": "success", "severity": 6, "type": [ @@ -3978,6 +3329,9 @@ "level": "Information" }, "network": { + "bytes": 8703, + "community_id": "1:nJI8LF1a2jhGY76f/L27k3G3SBQ=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -3995,36 +3349,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "api.thetake.com" ], "ip": [ "192.168.2.143", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 6023, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -4036,10 +3368,10 @@ "http_category": "Entertainment", "http_category_type": "Unproductive", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -4063,11 +3395,6 @@ }, { "@timestamp": "2021-11-16T00:29:57.000Z", - "client": { - "bytes": 1719, - "ip": "192.168.2.105", - "port": 35672 - }, "destination": { "as": { "number": 29518, 
@@ -4099,9 +3426,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tools.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 domain=\"tools.google.com\" http_status=\"0\" con_id=151870592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:29:57 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:29:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tools.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 domain=\"tools.google.com\" http_status=\"0\" con_id=151870592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -4116,6 +3443,9 @@ "level": "Information" }, "network": { + "bytes": 10252, + "community_id": "1:uSSPHND/Vp9W7pKl2m1uZU8LmLs=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -4133,36 +3463,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "tools.google.com" ], "ip": [ "192.168.2.105", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 8533, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -4174,10 +3482,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -4201,11 +3509,6 @@ }, { "@timestamp": "2021-11-16T00:30:00.000Z", - "client": { - "bytes": 25597, - "ip": "192.168.2.111", - "port": 50938 - }, "destination": { "as": { "number": 29518, 
@@ -4237,9 +3540,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=3019355392 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:00 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=3019355392 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -4254,6 +3557,9 @@ "level": "Information" }, "network": { + "bytes": 4949198, + "community_id": "1:tTZ0XxfcF7iKHiWXhEnoSUJZWb0=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -4271,36 +3577,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "hls14.asiancdn.net" ], "ip": [ "192.168.2.111", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 4923601, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -4312,10 +3596,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -4339,11 +3623,6 @@ }, { "@timestamp": "2021-11-16T00:30:01.000Z", - "client": { - "bytes": 10198, - "ip": "192.168.2.107", - "port": 53571 - }, "destination": { "as": { "number": 29518, 
@@ -4375,9 +3654,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://edge.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain=\"edge.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2689611008 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:01 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://edge.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain=\"edge.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2689611008 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ 
@@ -4392,6 +3671,9 @@ "level": "Information" }, "network": { + "bytes": 17454, + "community_id": "1:6yNy9ed6l5ELi1bDp+zYjq2ozpI=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -4409,36 +3691,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "edge.microsoft.com" ], "ip": [ "192.168.2.107", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 7256, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -4451,10 +3711,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -4478,11 +3738,6 @@ }, { "@timestamp": "2021-11-16T00:30:02.000Z", - "client": { - "bytes": 4395, - "ip": "192.168.2.139", - "port": 49726 - }, "destination": { "as": { "number": 29518, 
@@ -4514,9 +3769,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.139\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain=\"clients4.google.com\" http_status=\"0\" con_id=2432148096 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:02 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.139\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain=\"clients4.google.com\" http_status=\"0\" con_id=2432148096 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -4531,6 +3786,9 @@ "level": "Information" }, "network": { + "bytes": 6523, + "community_id": "1:wQdiwpAkRmUlkLnveMgS6kVyLNM=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -4548,36 +3806,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "clients4.google.com" ], "ip": [ "192.168.2.139", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2128, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -4589,10 +3825,10 @@ "http_category": "Search Engines", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -4616,11 +3852,6 @@ }, { "@timestamp": "2021-11-16T00:30:03.000Z", - "client": { - "bytes": 1697, - "ip": "192.168.2.107", - "port": 53600 - }, "destination": { "as": { "number": 29518, 
@@ -4652,9 +3883,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=173138560 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:03 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=173138560 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ 
@@ -4669,6 +3900,9 @@ "level": "Information" }, "network": { + "bytes": 6105, + "community_id": "1:V5Bs1Im2lTXbCskif/bQcBVYVZ8=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -4686,36 +3920,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "settings-win.data.microsoft.com" ], "ip": [ "192.168.2.107", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 4408, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -4728,10 +3940,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -4755,11 +3967,6 @@ }, { "@timestamp": "2021-11-16T00:30:06.000Z", - "client": { - "bytes": 77, - "ip": "192.168.2.112", - "port": 39119 - }, "destination": { "as": { "number": 29518, 
@@ -4791,9 +3998,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2841967104 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "original": "Nov 16 00:30:06 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2841967104 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", "outcome": "success", "severity": 6, "type": [ 
@@ -4813,6 +4020,9 @@ "level": "Information" }, "network": { + "bytes": 326, + "community_id": "1:38iVHUKEXPkoRvRdtsbD6EFj5eM=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -4830,36 +4040,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "info.cspserver.net" ], "ip": [ "192.168.2.112", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 249, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -4872,10 +4060,10 @@ "http_category": "General Business", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -4899,11 +4087,6 @@ }, { "@timestamp": "2021-11-16T00:30:11.000Z", - "client": { - "bytes": 1030, - "ip": "192.168.2.110", - "port": 53588 - }, "destination": { "as": { "number": 29518, 
@@ -4935,9 +4118,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Games\" http_category_type=\"Unproductive\" url=\"https://catalog.gamepass.com\" src_ip=\"192.168.2.110\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain=\"catalog.gamepass.com\" http_status=\"0\" con_id=2685088704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:11 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Games\" http_category_type=\"Unproductive\" url=\"https://catalog.gamepass.com\" src_ip=\"192.168.2.110\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain=\"catalog.gamepass.com\" http_status=\"0\" con_id=2685088704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -4952,6 +4135,9 @@ "level": "Information" }, "network": { + "bytes": 7800, + "community_id": "1:tKVVyY9MtZ9/QiLuhEJEIqyQMjE=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -4969,36 +4155,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "catalog.gamepass.com" ], "ip": [ "192.168.2.110", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 6770, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -5010,10 +4174,10 @@ "http_category": "Games", "http_category_type": "Unproductive", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -5037,11 +4201,6 @@ }, { "@timestamp": "2021-11-16T00:30:16.000Z", - "client": { - "bytes": 7011, - "ip": "192.168.2.105", - "port": 52580 - }, "destination": { "as": { "number": 29518, 
@@ -5073,9 +4232,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain=\"clients4.google.com\" http_status=\"0\" con_id=3017219520 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:16 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain=\"clients4.google.com\" http_status=\"0\" con_id=3017219520 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -5090,6 +4249,9 @@ "level": "Information" }, "network": { + "bytes": 9859, + "community_id": "1:hpJMbtagI+XfLBMR60ZOsKVog4I=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -5107,36 +4269,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "clients4.google.com" ], "ip": [ "192.168.2.105", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2848, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -5148,10 +4288,10 @@ "http_category": "Search Engines", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -5175,11 +4315,6 @@ }, { "@timestamp": "2021-11-16T00:30:25.000Z", - "client": { - "bytes": 3093, - "ip": "192.168.2.126", - "port": 53942 - }, "destination": { "as": { "number": 29518, 
@@ -5211,9 +4346,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://www.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53942 dst_port=443 bytes_sent=3093 bytes_received=63488 domain=\"www.googleapis.com\" http_status=\"0\" con_id=154695872 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:25 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://www.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53942 dst_port=443 bytes_sent=3093 bytes_received=63488 domain=\"www.googleapis.com\" http_status=\"0\" con_id=154695872 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -5228,6 +4363,9 @@ "level": "Information" }, "network": { + "bytes": 66581, + "community_id": "1:xyM0JAnAhEOoDTcUtoFskKQlZbY=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -5245,36 +4383,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "www.googleapis.com" ], "ip": [ "192.168.2.126", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 63488, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -5286,10 +4402,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -5313,11 +4429,6 @@ }, { "@timestamp": "2021-11-16T00:30:25.000Z", - "client": { - "bytes": 22415, - "ip": "192.168.2.126", - "port": 48938 - }, "destination": { "as": { "number": 29518, 
@@ -5349,9 +4460,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://play.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain=\"play.googleapis.com\" http_status=\"0\" con_id=2169324160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:25 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://play.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain=\"play.googleapis.com\" http_status=\"0\" con_id=2169324160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -5366,6 +4477,9 @@ "level": "Information" }, "network": { + "bytes": 29935, + "community_id": "1:l06PvpxXevriVsr4Wwq+3YnETGw=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -5383,36 +4497,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "play.googleapis.com" ], "ip": [ "192.168.2.126", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 7520, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -5424,10 +4516,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -5451,11 +4543,6 @@ }, { "@timestamp": "2021-11-16T00:30:25.000Z", - "client": { - "bytes": 9159, - "ip": "192.168.2.126", - "port": 53450 - }, "destination": { "as": { "number": 29518, 
@@ -5487,9 +4574,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain=\"android.googleapis.com\" http_status=\"0\" con_id=173141120 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:25 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain=\"android.googleapis.com\" http_status=\"0\" con_id=173141120 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -5504,6 +4591,9 @@ "level": "Information" }, "network": { + "bytes": 18726, + "community_id": "1:u/bDzWXQgw3RNw0yiOMoLWMIp+s=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -5514,42 +4604,20 @@ "ingress": { "zone": "LAN" }, - "product": "XG", - "serial_number": "C01001BQC8TFFFF", - "type": "firewall", - "vendor": "Sophos" - }, - "related": { - "hosts": [ - "defaulttest.local" - ], - "ip": [ - "192.168.2.126", - "89.160.20.156" - ] - }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 9567, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local", + "android.googleapis.com" + ], + "ip": [ + "192.168.2.126", + "89.160.20.156" + ] }, "sophos": { "xg": { @@ -5562,10 +4630,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -5589,11 +4657,6 @@ }, { "@timestamp": "2021-11-16T00:30:27.000Z", - "client": { - "bytes": 925, - "ip": "192.168.2.156", - "port": 62998 - }, "destination": { "as": { "number": 29518, 
@@ -5625,9 +4688,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:27-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://discord.com\" src_ip=\"192.168.2.156\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain=\"discord.com\" http_status=\"0\" con_id=3732575808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", + "original": "Nov 16 00:30:27 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:27-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://discord.com\" src_ip=\"192.168.2.156\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain=\"discord.com\" http_status=\"0\" con_id=3732575808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", "outcome": "success", "severity": 6, "type": [ @@ -5642,6 +4705,9 @@ "level": "Information" }, "network": { + "bytes": 7178, + "community_id": "1:5KURlVPtYgqsl8ACKLRT0wBRd14=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -5659,36 +4725,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "discord.com" ], "ip": [ "192.168.2.156", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 6253, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -5700,10 +4744,10 @@ "http_category": "Online Chat", "http_category_type": "Unproductive", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -5727,11 +4771,6 @@ }, { "@timestamp": "2021-11-16T00:30:28.000Z", - "client": { - "bytes": 260, - "ip": "192.168.2.131", - "port": 40233 - }, "destination": { "as": { "number": 29518, 
@@ -5763,9 +4802,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"89.160.20.156\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=999028608 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:28 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"89.160.20.156\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=999028608 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ 
@@ -5785,6 +4824,9 @@ "level": "Information" }, "network": { + "bytes": 567, + "community_id": "1:wQwriCL7OE4F2h+gqrfXTuUknN4=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -5802,36 +4844,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "89.160.20.156" ], "ip": [ "192.168.2.131", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 307, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 8089 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -5844,10 +4864,10 @@ "http_category": "IPAddress", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -5873,11 +4893,6 @@ }, { "@timestamp": "2021-11-16T00:30:28.000Z", - "client": { - "bytes": 1004, - "ip": "192.168.2.41", - "port": 22567 - }, "destination": { "as": { "number": 29518, 
@@ -5909,9 +4924,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://backend-ssp.adstudio.cloud\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 domain=\"backend-ssp.adstudio.cloud\" http_status=\"0\" con_id=175214016 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:28 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://backend-ssp.adstudio.cloud\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 domain=\"backend-ssp.adstudio.cloud\" http_status=\"0\" con_id=175214016 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -5926,6 +4941,9 @@ "level": "Information" }, "network": { + "bytes": 1588, + "community_id": "1:CkxvzcytIwajs1RyWu8D+qV5PHY=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -5943,36 +4961,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "backend-ssp.adstudio.cloud" ], "ip": [ "192.168.2.41", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 584, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -5984,10 +4980,10 @@ "http_category": "General Business", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" @@ -6011,11 +5007,6 @@ }, { "@timestamp": "2021-11-16T00:30:30.000Z", - "client": { - "bytes": 2417, - "ip": "192.168.2.126", - "port": 53458 - }, "destination": { "as": { "number": 29518, 
@@ -6047,9 +5038,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain=\"android.googleapis.com\" http_status=\"0\" con_id=3732577728 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:30 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain=\"android.googleapis.com\" http_status=\"0\" con_id=3732577728 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -6064,6 +5055,9 @@ "level": "Information" }, "network": { + "bytes": 5024, + "community_id": "1:ebMtCKRgvcoXWYZPPXD9yyT2WKY=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -6081,36 +5075,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "android.googleapis.com" ], "ip": [ "192.168.2.126", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2607, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -6122,10 +5094,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -6149,11 +5121,6 @@ }, { "@timestamp": "2021-11-16T00:30:30.000Z", - "client": { - "bytes": 36759, - "ip": "192.168.2.111", - "port": 50939 - }, "destination": { "as": { "number": 29518, 
@@ -6185,9 +5152,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173138880 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:30 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173138880 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -6202,6 +5169,9 @@ "level": "Information" }, "network": { + "bytes": 5116858, + "community_id": "1:57P2htiQff6QFSiKHEkd7U/xk88=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -6219,36 +5189,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "hls14.asiancdn.net" ], "ip": [ "192.168.2.111", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 5080099, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -6260,10 +5208,10 @@ "http_category": "Content Delivery", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -6287,11 +5235,6 @@ }, { "@timestamp": "2021-11-16T00:30:33.000Z", - "client": { - "bytes": 37822, - "ip": "192.168.2.119", - "port": 59478 - }, "destination": { "as": { "number": 29518, 
@@ -6323,9 +5266,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://vortex.data.microsoft.com\" src_ip=\"192.168.2.119\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain=\"vortex.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2564229952 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:33 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://vortex.data.microsoft.com\" src_ip=\"192.168.2.119\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain=\"vortex.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2564229952 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ 
@@ -6340,6 +5283,9 @@ "level": "Information" }, "network": { + "bytes": 48374, + "community_id": "1:K65zgDsaOPy5gcKEczvNQTFLBKo=", + "protocol": "https", "transport": "tcp" }, "observer": { @@ -6357,36 +5303,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "vortex.data.microsoft.com" ], "ip": [ "192.168.2.119", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 10552, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -6399,10 +5323,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -6426,11 +5350,6 @@ }, { "@timestamp": "2021-11-16T00:30:36.000Z", - "client": { - "bytes": 77, - "ip": "192.168.2.112", - "port": 55510 - }, "destination": { "as": { "number": 29518, 
@@ -6462,9 +5381,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=55510 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3159008512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "original": "Nov 16 00:30:36 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=55510 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3159008512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", "outcome": "success", "severity": 6, "type": [ 
@@ -6484,6 +5403,9 @@ "level": "Information" }, "network": { + "bytes": 326, + "community_id": "1:cKu0fO92LPrHo3C5HNNeSOgH9FQ=", + "protocol": "http", "transport": "tcp" }, "observer": { @@ -6501,36 +5423,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "info.cspserver.net" ], "ip": [ "192.168.2.112", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 249, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 80 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -6543,10 +5443,10 @@ "http_category": "General Business", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" @@ -6570,11 +5470,6 @@ }, { "@timestamp": "2021-11-16T00:30:36.000Z", - "client": { - "bytes": 7587, - "ip": "192.168.2.41", - "port": 22570 - }, "destination": { "as": { "number": 29518, 
@@ -6606,9 +5501,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Advertisements\" http_category_type=\"Unproductive\" url=\"https://us-trc-events.taboola.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain=\"us-trc-events.taboola.com\" http_status=\"0\" con_id=999027328 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:36 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Advertisements\" http_category_type=\"Unproductive\" url=\"https://us-trc-events.taboola.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain=\"us-trc-events.taboola.com\" http_status=\"0\" con_id=999027328 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -6623,6 +5518,9 @@ "level": "Information" }, "network": { + "bytes": 9220, + "community_id": "1:LeC8tH7WeQ1OjZD9lcdxz/yeOTY=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -6640,36 +5538,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "us-trc-events.taboola.com" ], "ip": [ "192.168.2.41", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 1633, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -6681,10 +5557,10 @@ "http_category": "Advertisements", "http_category_type": "Unproductive", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "1" @@ -6708,11 +5584,6 @@ }, { "@timestamp": "2021-11-16T00:30:38.000Z", - "client": { - "bytes": 45093, - "ip": "192.168.2.126", - "port": 50210 - }, "destination": { "as": { "number": 29518, 
@@ -6744,9 +5615,9 @@ "category": [ "network" ], - "code": "050901616001", + "code": "16001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:38-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://deviceintegritytokens-pa.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain=\"deviceintegritytokens-pa.googleapis.com\" http_status=\"0\" con_id=408293376 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "original": "Nov 16 00:30:38 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:30:38-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://deviceintegritytokens-pa.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain=\"deviceintegritytokens-pa.googleapis.com\" http_status=\"0\" con_id=408293376 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", "outcome": "success", "severity": 6, "type": [ @@ -6761,6 +5632,9 @@ "level": "Information" }, "network": { + "bytes": 47994, + "community_id": "1:BBzQYyuzGgeNKM/0H3MJeMFis4I=", + "protocol": "https", "transport": "tcp" }, "observer": { 
@@ -6778,36 +5652,14 @@ }, "related": { "hosts": [ - "defaulttest.local" + "defaulttest.local", + "deviceintegritytokens-pa.googleapis.com" ], "ip": [ "192.168.2.126", "89.160.20.156" ] }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2901, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_is_cloud": "FALSE", @@ -6819,10 +5671,10 @@ "http_category": "Information Technology", "http_category_type": "Acceptable", "log_component": "HTTP", + "log_id": "050901616001", "log_subtype": "Allowed", "log_type": "Content Filtering", "log_version": "1", - "message_id": "16001", "src_zone_type": "LAN", "used_quota": "0", "web_policy_id": "12" diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json index 544918ba4c8..ad2634d938d 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json 
@@ -2,16 +2,13 @@ "expected": [ { "@timestamp": "2021-11-16T02:52:23.000Z", - "client": { - "mac": "00:11:d9:a0:19:11" - }, "ecs": { "version": "8.0.0" }, "event": { - "code": "063411660020", + "code": "60020", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:52:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.131\" src_mac=\"00:11:d9:a0:19:11\" reported_host=\"TIVO-846001190AE52F2\" message=\"Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11\" lease_time=\"345600\"", + "original": "Nov 16 02:52:23 sophos device_name=\"SFW\" timestamp=\"2021-11-15T20:52:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.131\" src_mac=\"00:11:d9:a0:19:11\" reported_host=\"TIVO-846001190AE52F2\" message=\"Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11\" lease_time=\"345600\"", "severity": 6 }, "host": { @@ -39,17 +36,17 @@ "device_name": "SFW", "lease_time": "345600", "log_component": "DHCP Server", + "log_id": "063411660020", "log_subtype": "System", "log_type": "Event", "log_version": "1", - "message_id": "60020", "reported_host": "TIVO-846001190AE52F2", "reported_ip": "192.168.2.131", "status": "Renew" } }, "source": { - "mac": "00:11:d9:a0:19:11" + "mac": "00-11-D9-A0-19-11" }, "tags": [ "preserve_original_event" 
@@ -57,16 +54,13 @@ }, { "@timestamp": "2021-11-16T02:57:56.000Z", - "client": { - "mac": "88:57:1d:2d:FF:db" - }, "ecs": { "version": "8.0.0" }, "event": { - "code": "063411660020", + "code": "60020", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:57:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", + "original": "Nov 16 02:57:56 sophos device_name=\"SFW\" timestamp=\"2021-11-15T20:57:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", "severity": 6 }, "host": { @@ -94,17 +88,17 @@ "device_name": "SFW", "lease_time": "345600", "log_component": "DHCP Server", + "log_id": "063411660020", "log_subtype": "System", "log_type": "Event", "log_version": "1", - "message_id": "60020", "reported_host": "TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK", "reported_ip": "192.168.2.112", "status": "Renew" } }, "source": { - "mac": "88:57:1d:2d:FF:db" + "mac": "88-57-1D-2D-FF-DB" }, "tags": [ "preserve_original_event" 
@@ -112,16 +106,13 @@ }, { "@timestamp": "2021-11-16T03:04:08.000Z", - "client": { - "mac": "88:57:1d:2d:FF:db" - }, "ecs": { "version": "8.0.0" }, "event": { - "code": "063411660020", + "code": "60020", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T21:04:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", + "original": "Nov 16 03:04:08 sophos device_name=\"SFW\" timestamp=\"2021-11-15T21:04:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"", "severity": 6 }, "host": { @@ -149,17 +140,17 @@ "device_name": "SFW", "lease_time": "345600", "log_component": "DHCP Server", + "log_id": "063411660020", "log_subtype": "System", "log_type": "Event", "log_version": "1", - "message_id": "60020", "reported_host": "TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK", "reported_ip": "192.168.2.112", "status": "Renew" } }, "source": { - "mac": "88:57:1d:2d:FF:db" + "mac": "88-57-1D-2D-FF-DB" }, "tags": [ "preserve_original_event" diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json index f07f12ec861..bfd1455c531 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json 
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json @@ -2,14 +2,6 @@ "expected": [ { "@timestamp": "2021-11-16T00:25:00.000Z", - "client": { - "ip": "192.168.2.111", - "mac": "00:26:37:EE:47:20", - "nat": { - "ip": "192.168.1.2" - }, - "port": 50875 - }, "destination": { "as": { "number": 29518, @@ -30,7 +22,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 443 }, "ecs": { 
@@ -41,9 +33,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50875 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"3153941760\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:00 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50875 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"3153941760\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -54,6 +46,7 @@ "level": "Information" }, "network": { + "community_id": "1:+LLtOJSFMre1dW9EhupSeKW7YAo=", "direction": "outbound", "transport": "tcp" }, @@ -89,29 +82,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -127,10 +97,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -138,7 +108,7 @@ }, "source": { "ip": "192.168.2.111", - "mac": "00:26:37:EE:47:20", + "mac": "00-26-37-EE-47-20", "nat": { "ip": "192.168.1.2" }, @@ -150,14 +120,6 @@ }, { "@timestamp": "2021-11-16T00:25:01.000Z", - "client": { - "ip": "192.168.2.162", - "mac": "A4:FC:77:2E:BD:6F", - "nat": { - "ip": "192.168.1.2" - }, - "port": 56257 - }, "destination": { "as": { "number": 29518, @@ -178,7 +140,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 443 }, "ecs": { 
@@ -189,9 +151,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"A4:FC:77:2E:BD:6F\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.162\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=56257 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151869632\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:01 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"A4:FC:77:2E:BD:6F\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.162\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=56257 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151869632\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -202,6 +164,7 @@ "level": "Information" }, "network": { + "community_id": "1:HtDb/A7Cawt4bTv/+4DzHoiT21Q=", "direction": "outbound", "transport": "tcp" }, @@ -237,29 +200,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -275,10 +215,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -286,7 +226,7 @@ }, "source": { "ip": "192.168.2.162", - "mac": "A4:FC:77:2E:BD:6F", + "mac": "A4-FC-77-2E-BD-6F", "nat": { "ip": "192.168.1.2" }, @@ -298,14 +238,6 @@ }, { "@timestamp": "2021-11-16T00:25:01.000Z", - "client": { - "ip": "192.168.2.111", - "mac": "00:26:37:EE:47:20", - "nat": { - "ip": "192.168.1.2" - }, - "port": 50876 - }, "destination": { "as": { "number": 29518, @@ -326,7 +258,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 443 }, "ecs": { 
@@ -337,9 +269,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50876 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719000128\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:01 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50876 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719000128\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -350,6 +282,7 @@ "level": "Information" }, "network": { + "community_id": "1:ZDWJNXIpvgXVte2hLgQgmTbXHlM=", "direction": "outbound", "transport": "tcp" }, @@ -385,29 +318,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -423,10 +333,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -434,7 +344,7 @@ }, "source": { "ip": "192.168.2.111", - "mac": "00:26:37:EE:47:20", + "mac": "00-26-37-EE-47-20", "nat": { "ip": "192.168.1.2" }, @@ -446,15 +356,6 @@ }, { "@timestamp": "2021-11-16T00:25:01.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -476,7 +377,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -487,11 +388,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 31000000000, "end": "2021-11-16T00:25:32.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=31 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2718999808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:01 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=31 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2718999808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:01.000Z" @@ -504,6 +405,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -540,30 +442,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -580,10 +458,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -592,7 +470,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -604,11 +482,6 @@ }, { "@timestamp": "2021-11-16T00:25:01.000Z", - "client": { - "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", - "port": 61709 - }, "destination": { "as": { "number": 29518, 
@@ -639,9 +512,9 @@ "category": [ "network" ], - "code": "010102600002", + "code": "00002", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "original": "Nov 16 00:25:01 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", "outcome": "success", "severity": 6 }, @@ -652,6 +525,7 @@ "level": "Information" }, "network": { + "community_id": "1:ZnwausNTwoW4P/8eFfBQhRAT3HA=", "transport": "udp" }, "observer": { 
@@ -678,28 +552,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -712,17 +564,17 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010102600002", "log_subtype": "Denied", "log_type": "Firewall", "log_version": "1", - "message_id": "00002", "qualifier": "New", "web_policy_id": "12" } }, "source": { "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", + "mac": "00-26-37-EE-47-20", "port": 61709 }, "tags": [ @@ -731,11 +583,6 @@ }, { "@timestamp": "2021-11-16T00:25:01.000Z", - "client": { - "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", - "port": 61709 - }, "destination": { "as": { "number": 29518, 
@@ -766,9 +613,9 @@ "category": [ "network" ], - "code": "010102600002", + "code": "00002", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "original": "Nov 16 00:25:01 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", "outcome": "success", "severity": 6 }, @@ -779,6 +626,7 @@ "level": "Information" }, "network": { + "community_id": "1:ZnwausNTwoW4P/8eFfBQhRAT3HA=", "transport": "udp" }, "observer": { 
@@ -805,28 +653,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -839,17 +665,17 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010102600002", "log_subtype": "Denied", "log_type": "Firewall", "log_version": "1", - "message_id": "00002", "qualifier": "New", "web_policy_id": "12" } }, "source": { "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", + "mac": "00-26-37-EE-47-20", "port": 61709 }, "tags": [ @@ -858,13 +684,6 @@ }, { "@timestamp": "2021-11-16T00:25:01.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -885,7 +704,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -895,9 +714,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:01 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -908,6 +727,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -943,28 +763,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -981,10 +779,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -992,7 +790,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -1003,15 +801,6 @@ }, { "@timestamp": "2021-11-16T00:25:02.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -1033,7 +822,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -1044,11 +833,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 39000000000, "end": "2021-11-16T00:25:41.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=39 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"3153944000\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:02 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=39 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"3153944000\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:02.000Z" @@ -1061,6 +850,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -1097,30 +887,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -1137,10 +903,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -1149,7 +915,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -1161,11 +927,6 @@ }, { "@timestamp": "2021-11-16T00:25:02.000Z", - "client": { - "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", - "port": 61709 - }, "destination": { "as": { "number": 29518, 
@@ -1196,9 +957,9 @@ "category": [ "network" ], - "code": "010102600002", + "code": "00002", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "original": "Nov 16 00:25:02 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", "outcome": "success", "severity": 6 }, @@ -1209,6 +970,7 @@ "level": "Information" }, "network": { + "community_id": "1:ZnwausNTwoW4P/8eFfBQhRAT3HA=", "transport": "udp" }, "observer": { 
@@ -1235,28 +997,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -1269,17 +1009,17 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010102600002", "log_subtype": "Denied", "log_type": "Firewall", "log_version": "1", - "message_id": "00002", "qualifier": "New", "web_policy_id": "12" } }, "source": { "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", + "mac": "00-26-37-EE-47-20", "port": 61709 }, "tags": [ @@ -1288,13 +1028,6 @@ }, { "@timestamp": "2021-11-16T00:25:02.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -1315,7 +1048,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -1325,9 +1058,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916028416\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:02 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916028416\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -1338,6 +1071,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -1373,28 +1107,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -1411,10 +1123,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -1422,7 +1134,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -1433,17 +1145,9 @@ }, { "@timestamp": "2021-11-16T00:25:03.000Z", - "client": { - "ip": "192.168.2.32", - "mac": "00:50:56:9F:CD:68", - "nat": { - "ip": "192.168.1.2" - }, - "port": 59346 - }, "destination": { "ip": "192.168.1.15", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 22083 }, "ecs": { 
@@ -1454,9 +1158,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59346 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916031936\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:03 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59346 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916031936\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -1467,6 +1171,7 @@ "level": "Information" }, "network": { + "community_id": "1:/DV0QfCbNT+zQ6Uw/uFj2gAwauc=", "direction": "outbound", "transport": "tcp" }, @@ -1502,11 +1207,6 @@ "rule": { "id": "12" }, - "server": { - "ip": "192.168.1.15", - "mac": "00:50:56:9F:39:33", - "port": 22083 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -1522,10 +1222,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -1533,7 +1233,7 @@ }, "source": { "ip": "192.168.2.32", - "mac": "00:50:56:9F:CD:68", + "mac": "00-50-56-9F-CD-68", "nat": { "ip": "192.168.1.2" }, @@ -1545,17 +1245,9 @@ }, { "@timestamp": "2021-11-16T00:25:03.000Z", - "client": { - "ip": "192.168.2.32", - "mac": "00:50:56:9F:CD:68", - "nat": { - "ip": "192.168.1.2" - }, - "port": 59347 - }, "destination": { "ip": "192.168.1.15", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 22083 }, "ecs": { 
@@ -1566,9 +1258,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59347 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172022272\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:03 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59347 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172022272\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -1579,6 +1271,7 @@ "level": "Information" }, "network": { + "community_id": "1:Rwm1xOLBlSEM2BW8ZhsUHQI5aKg=", "direction": "outbound", "transport": "tcp" }, @@ -1614,11 +1307,6 @@ "rule": { "id": "12" }, - "server": { - "ip": "192.168.1.15", - "mac": "00:50:56:9F:39:33", - "port": 22083 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -1634,10 +1322,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -1645,7 +1333,7 @@ }, "source": { "ip": "192.168.2.32", - "mac": "00:50:56:9F:CD:68", + "mac": "00-50-56-9F-CD-68", "nat": { "ip": "192.168.1.2" }, @@ -1657,11 +1345,6 @@ }, { "@timestamp": "2021-11-16T00:25:03.000Z", - "client": { - "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", - "port": 61709 - }, "destination": { "as": { "number": 29518, 
@@ -1692,9 +1375,9 @@ "category": [ "network" ], - "code": "010102600002", + "code": "00002", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "original": "Nov 16 00:25:03 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", "outcome": "success", "severity": 6 }, @@ -1705,6 +1388,7 @@ "level": "Information" }, "network": { + "community_id": "1:ZnwausNTwoW4P/8eFfBQhRAT3HA=", "transport": "udp" }, "observer": { 
@@ -1731,28 +1415,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -1765,17 +1427,17 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010102600002", "log_subtype": "Denied", "log_type": "Firewall", "log_version": "1", - "message_id": "00002", "qualifier": "New", "web_policy_id": "12" } }, "source": { "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", + "mac": "00-26-37-EE-47-20", "port": 61709 }, "tags": [ @@ -1784,15 +1446,6 @@ }, { "@timestamp": "2021-11-16T00:25:03.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -1814,7 +1467,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -1825,11 +1478,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 36000000000, "end": "2021-11-16T00:25:39.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=36 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"408294336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:03 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=36 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"408294336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:03.000Z" @@ -1842,6 +1495,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -1878,30 +1532,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -1918,10 +1548,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -1930,7 +1560,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -1942,13 +1572,6 @@ }, { "@timestamp": "2021-11-16T00:25:03.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -1969,7 +1592,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -1979,9 +1602,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:03 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -1992,6 +1615,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -2027,28 +1651,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -2065,10 +1667,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -2076,7 +1678,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -2087,15 +1689,6 @@ }, { "@timestamp": "2021-11-16T00:25:04.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -2117,7 +1710,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -2128,11 +1721,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 35000000000, "end": "2021-11-16T00:25:39.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000195968\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:04 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000195968\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:04.000Z" @@ -2145,6 +1738,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -2181,30 +1775,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -2221,10 +1791,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -2233,7 +1803,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -2245,13 +1815,6 @@ }, { "@timestamp": "2021-11-16T00:25:04.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -2272,7 +1835,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -2282,9 +1845,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916029696\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:04 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916029696\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -2295,6 +1858,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -2330,28 +1894,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -2368,10 +1910,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -2379,7 +1921,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -2390,16 +1932,6 @@ }, { "@timestamp": "2021-11-16T00:25:05.000Z", - "client": { - "bytes": 216, - "ip": "192.168.2.122", - "mac": "2C:AA:8E:2A:5C:23", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 4, - "port": 41242 - }, "destination": { "as": { "number": 29518, @@ -2421,7 +1953,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2, "port": 80 }, 
@@ -2433,11 +1965,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 18000000000, "end": "2021-11-16T00:25:23.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=18 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:2A:5C:23\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.122\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154390528\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:05 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=18 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:2A:5C:23\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.122\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 
src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154390528\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:05.000Z" @@ -2450,6 +1982,7 @@ }, "network": { "bytes": 328, + "community_id": "1:yE0jysLuIr/yu8+Y6xOfy6hOQ9o=", "direction": "outbound", "packets": 6, "transport": "tcp" @@ -2486,31 +2019,6 @@ "rule": { "id": "19" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 112, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2, - "port": 80 - }, "sophos": { "xg": { "app_filter_policy_id": "8", @@ -2526,10 +2034,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "5", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -2538,7 +2046,7 @@ "source": { "bytes": 216, "ip": "192.168.2.122", - "mac": "2C:AA:8E:2A:5C:23", + "mac": "2C-AA-8E-2A-5C-23", "nat": { "ip": "192.168.1.2" }, @@ -2551,11 +2059,6 @@ }, { "@timestamp": "2021-11-16T00:25:05.000Z", - "client": { - "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", - "port": 61709 - }, "destination": { "as": { "number": 29518, 
@@ -2586,9 +2089,9 @@ "category": [ "network" ], - "code": "010102600002", + "code": "00002", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "original": "Nov 16 00:25:05 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", "outcome": "success", "severity": 6 }, @@ -2599,6 +2102,7 @@ "level": "Information" }, "network": { + "community_id": "1:ZnwausNTwoW4P/8eFfBQhRAT3HA=", "transport": "udp" }, "observer": { 
@@ -2625,28 +2129,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -2659,17 +2141,17 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010102600002", "log_subtype": "Denied", "log_type": "Firewall", "log_version": "1", - "message_id": "00002", "qualifier": "New", "web_policy_id": "12" } }, "source": { "ip": "192.168.2.111", - "mac": "00:26:37:ee:47:20", + "mac": "00-26-37-EE-47-20", "port": 61709 }, "tags": [ @@ -2678,15 +2160,6 @@ }, { "@timestamp": "2021-11-16T00:25:05.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -2708,7 +2181,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -2719,11 +2192,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 37000000000, "end": "2021-11-16T00:25:42.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"999027328\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:05 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"999027328\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:05.000Z" @@ -2736,6 +2209,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -2772,30 +2246,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -2812,10 +2262,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -2824,7 +2274,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -2836,17 +2286,9 @@ }, { "@timestamp": "2021-11-16T00:25:05.000Z", - "client": { - "ip": "192.168.2.112", - "mac": "88:57:1D:2D:19:DB", - "nat": { - "ip": "192.168.1.2" - }, - "port": 47944 - }, "destination": { "ip": "192.168.10.1", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 53 }, "ecs": { 
@@ -2857,9 +2299,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"192.168.10.1\" dst_country=\"R1\" protocol=\"UDP\" src_port=47944 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:05 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"192.168.10.1\" dst_country=\"R1\" protocol=\"UDP\" src_port=47944 dst_port=53 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -2870,6 +2312,7 @@ "level": "Information" }, "network": { + "community_id": "1:SzLgL7P9G3J1F+EaxSxNnK8jT7Y=", "direction": "outbound", "transport": "udp" }, @@ -2905,11 +2348,6 @@ "rule": { "id": "12" }, - "server": { - "ip": "192.168.10.1", - "mac": "00:50:56:9F:39:33", - "port": 53 - }, "sophos": { "xg": { "app_category": "Infrastructure", @@ -2929,10 +2367,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -2940,7 +2378,7 @@ }, "source": { "ip": "192.168.2.112", - "mac": "88:57:1D:2D:19:DB", + "mac": "88-57-1D-2D-19-DB", "nat": { "ip": "192.168.1.2" }, @@ -2952,14 +2390,6 @@ }, { "@timestamp": "2021-11-16T00:25:05.000Z", - "client": { - "ip": "192.168.2.112", - "mac": "88:57:1D:2D:19:DB", - "nat": { - "ip": "192.168.1.2" - }, - "port": 55499 - }, "destination": { "as": { "number": 29518, @@ -2980,7 +2410,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 80 }, "ecs": { 
@@ -2991,9 +2421,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"JPN\" protocol=\"TCP\" src_port=55499 dst_port=80 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151867392\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:05 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"JPN\" protocol=\"TCP\" src_port=55499 dst_port=80 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151867392\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -3004,6 +2434,7 @@ "level": "Information" }, "network": { + "community_id": "1:A9nGLtydX88jyXav0D5T0E86NGc=", "direction": "outbound", "transport": "tcp" }, @@ -3039,29 +2470,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "port": 80 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -3077,10 +2485,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -3088,7 +2496,7 @@ }, "source": { "ip": "192.168.2.112", - "mac": "88:57:1D:2D:19:DB", + "mac": "88-57-1D-2D-19-DB", "nat": { "ip": "192.168.1.2" }, @@ -3100,13 +2508,6 @@ }, { "@timestamp": "2021-11-16T00:25:05.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -3127,7 +2528,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -3137,9 +2538,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151870592\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:06 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151870592\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -3150,6 +2551,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -3185,28 +2587,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -3223,10 +2603,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -3234,7 +2614,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -3245,16 +2625,6 @@ }, { "@timestamp": "2021-11-16T00:25:06.000Z", - "client": { - "bytes": 216, - "ip": "192.168.2.118", - "mac": "2C:AA:8E:1D:B6:D9", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 4, - "port": 44720 - }, "destination": { "as": { "number": 29518, @@ -3276,7 +2646,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2, "port": 80 }, 
@@ -3288,11 +2658,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 16000000000, "end": "2021-11-16T00:25:22.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=16 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:1D:B6:D9\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.118\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172108928\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:06 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=16 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:1D:B6:D9\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.118\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 
src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172108928\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:06.000Z" @@ -3305,6 +2675,7 @@ }, "network": { "bytes": 328, + "community_id": "1:L9WhSq7YQlTvbUl3xZX4AGLRKTA=", "direction": "outbound", "packets": 6, "transport": "tcp" @@ -3341,31 +2712,6 @@ "rule": { "id": "19" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 112, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2, - "port": 80 - }, "sophos": { "xg": { "app_filter_policy_id": "8", @@ -3381,10 +2727,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "5", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -3393,7 +2739,7 @@ "source": { "bytes": 216, "ip": "192.168.2.118", - "mac": "2C:AA:8E:1D:B6:D9", + "mac": "2C-AA-8E-1D-B6-D9", "nat": { "ip": "192.168.1.2" }, @@ -3406,14 +2752,9 @@ }, { "@timestamp": "2021-11-16T00:25:06.000Z", - "client": { - "ip": "192.168.3.36", - "mac": "00:50:56:9F:49:13", - "port": 48524 - }, "destination": { "ip": "192.168.2.90", - "mac": "00:50:56:9F:EF:8A", + "mac": "00-50-56-9F-EF-8A", "port": 9988 }, "ecs": { 
@@ -3424,9 +2765,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=4 ips_policy_id=6 app_filter_policy_id=7 ether_type=\"Unknown (0x0000)\" in_interface=\"Port3\" out_interface=\"Port1\" src_mac=\"00:50:56:9F:49:13\" dst_mac=\"00:50:56:9F:EF:8A\" src_ip=\"192.168.3.36\" src_country=\"R1\" dst_ip=\"192.168.2.90\" dst_country=\"R1\" protocol=\"TCP\" src_port=48524 dst_port=9988 src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" con_event=\"Start\" con_id=\"2685088384\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port3\" out_display_interface=\"Port1\"", + "original": "Nov 16 00:25:06 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=4 ips_policy_id=6 app_filter_policy_id=7 ether_type=\"Unknown (0x0000)\" in_interface=\"Port3\" out_interface=\"Port1\" src_mac=\"00:50:56:9F:49:13\" dst_mac=\"00:50:56:9F:EF:8A\" src_ip=\"192.168.3.36\" src_country=\"R1\" dst_ip=\"192.168.2.90\" dst_country=\"R1\" protocol=\"TCP\" src_port=48524 dst_port=9988 src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" con_event=\"Start\" con_id=\"2685088384\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port3\" 
out_display_interface=\"Port1\"", "outcome": "success", "severity": 6 }, @@ -3437,6 +2778,7 @@ "level": "Information" }, "network": { + "community_id": "1:gUo0Arcewuv8odd5nUkvef58RUY=", "direction": "internal", "transport": "tcp" }, @@ -3471,11 +2813,6 @@ "rule": { "id": "16" }, - "server": { - "ip": "192.168.2.90", - "mac": "00:50:56:9F:EF:8A", - "port": 9988 - }, "sophos": { "xg": { "app_filter_policy_id": "7", @@ -3491,10 +2828,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "6", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "DMZ", "web_policy_id": "4" @@ -3502,7 +2839,7 @@ }, "source": { "ip": "192.168.3.36", - "mac": "00:50:56:9F:49:13", + "mac": "00-50-56-9F-49-13", "port": 48524 }, "tags": [ @@ -3511,13 +2848,6 @@ }, { "@timestamp": "2021-11-16T00:25:07.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -3538,7 +2868,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -3548,9 +2878,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172105728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:07 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172105728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -3561,6 +2891,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -3596,28 +2927,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -3634,10 +2943,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -3645,7 +2954,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -3656,13 +2965,6 @@ }, { "@timestamp": "2021-11-16T00:25:08.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -3683,7 +2985,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -3693,9 +2995,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386944\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:08 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386944\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -3706,6 +3008,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -3741,28 +3044,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -3779,10 +3060,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -3790,7 +3071,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -3801,15 +3082,6 @@ }, { "@timestamp": "2021-11-16T00:25:08.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -3831,7 +3103,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -3842,11 +3114,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 33000000000, "end": "2021-11-16T00:25:41.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=33 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407384064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:08 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=33 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407384064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:08.000Z" @@ -3859,6 +3131,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -3895,30 +3168,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -3935,10 +3184,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -3947,7 +3196,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -3959,16 +3208,6 @@ }, { "@timestamp": "2021-11-16T00:25:08.000Z", - "client": { - "bytes": 9718, - "ip": "192.168.2.111", - "mac": "00:26:37:EE:47:20", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 31, - "port": 50872 - }, "destination": { "as": { "number": 29518, @@ -3990,7 +3229,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 31, "port": 443 }, 
@@ -4002,11 +3241,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 19000000000, "end": "2021-11-16T00:25:27.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=19 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Youtube Website\" app_risk=3 app_technology=\"Browser Based\" app_category=\"Streaming Media\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:08 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=19 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Youtube Website\" app_risk=3 app_technology=\"Browser Based\" app_category=\"Streaming Media\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:08.000Z" @@ -4019,6 +3258,7 @@ }, "network": { "bytes": 14710, + "community_id": "1:KAm8/ZZndcBcau4rHnFdb2+8OPM=", "direction": "outbound", "packets": 62, "transport": "tcp" @@ -4055,31 +3295,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 4992, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 31, - "port": 443 - }, "sophos": { "xg": { "app_category": "Streaming Media", @@ -4099,10 +3314,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -4111,7 +3326,7 @@ "source": { "bytes": 9718, "ip": "192.168.2.111", - "mac": "00:26:37:EE:47:20", + "mac": "00-26-37-EE-47-20", "nat": { "ip": "192.168.1.2" }, 
@@ -4124,15 +3339,6 @@ }, { "@timestamp": "2021-11-16T00:25:08.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -4154,7 +3360,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -4165,11 +3371,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 35000000000, "end": "2021-11-16T00:25:43.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:08 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:08.000Z" @@ -4182,6 +3388,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -4218,30 +3425,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -4258,10 +3441,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -4270,7 +3453,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -4282,13 +3465,6 @@ }, { "@timestamp": "2021-11-16T00:25:09.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -4309,7 +3485,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -4319,9 +3495,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000196608\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:09 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000196608\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -4332,6 +3508,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -4367,28 +3544,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -4405,10 +3560,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -4416,7 +3571,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -4427,15 +3582,6 @@ }, { "@timestamp": "2021-11-16T00:25:09.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -4457,7 +3603,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -4468,11 +3614,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 38000000000, "end": "2021-11-16T00:25:47.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:09 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:09.000Z" @@ -4485,6 +3631,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -4521,30 +3668,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -4561,10 +3684,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -4573,7 +3696,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -4585,17 +3708,9 @@ }, { "@timestamp": "2021-11-16T00:25:09.000Z", - "client": { - "ip": "192.168.2.16", - "mac": "00:50:56:9F:B1:FE", - "nat": { - "ip": "192.168.1.2" - }, - "port": 63043 - }, "destination": { "ip": "192.168.1.167", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 8089 }, "ecs": { 
@@ -4606,9 +3721,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:B1:FE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.16\" src_country=\"R1\" dst_ip=\"192.168.1.167\" dst_country=\"R1\" protocol=\"TCP\" src_port=63043 dst_port=8089 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685089984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:09 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:B1:FE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.16\" src_country=\"R1\" dst_ip=\"192.168.1.167\" dst_country=\"R1\" protocol=\"TCP\" src_port=63043 dst_port=8089 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685089984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -4619,6 +3734,7 @@ "level": "Information" }, "network": { + "community_id": "1:hfa1jnJgUmQh1436zNSd1MlKD0s=", "direction": "outbound", "transport": "tcp" }, @@ -4654,11 +3770,6 @@ "rule": { "id": "12" }, - "server": { - "ip": "192.168.1.167", - "mac": "00:50:56:9F:39:33", - "port": 8089 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -4674,10 +3785,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -4685,7 +3796,7 @@ }, "source": { "ip": "192.168.2.16", - "mac": "00:50:56:9F:B1:FE", + "mac": "00-50-56-9F-B1-FE", "nat": { "ip": "192.168.1.2" }, @@ -4697,16 +3808,6 @@ }, { "@timestamp": "2021-11-16T00:25:09.000Z", - "client": { - "bytes": 2297, - "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 20, - "port": 21957 - }, "destination": { "as": { "number": 29518, @@ -4728,7 +3829,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 22, "port": 443 }, 
@@ -4740,11 +3841,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 411000000000, "end": "2021-11-16T00:32:00.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=411 fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 bytes_sent=2297 bytes_received=2229 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407759360\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:09 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=411 fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 bytes_sent=2297 bytes_received=2229 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407759360\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:09.000Z" @@ -4757,6 +3858,7 @@ }, "network": { "bytes": 4526, + "community_id": "1:xZOGkb0HEBsD48VnnxecaWb1xBA=", "direction": "outbound", "packets": 42, "transport": "tcp" @@ -4793,31 +3895,6 @@ "rule": { "id": "11" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 2229, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 22, - "port": 443 - }, "sophos": { "xg": { "app_category": "Infrastructure", @@ -4837,10 +3914,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "1" @@ -4849,7 +3926,7 @@ "source": { "bytes": 2297, "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", + "mac": "24-4B-FE-DD-C6-CE", "nat": { "ip": "192.168.1.2" }, 
@@ -4862,13 +3939,6 @@ }, { "@timestamp": "2021-11-16T00:25:10.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -4889,7 +3959,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -4899,9 +3969,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000197248\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:10 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000197248\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -4912,6 +3982,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -4947,28 +4018,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -4985,10 +4034,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -4996,7 +4045,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -5007,15 +4056,6 @@ }, { "@timestamp": "2021-11-16T00:25:10.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -5037,7 +4077,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -5048,11 +4088,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 32000000000, "end": "2021-11-16T00:25:42.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:10 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:10.000Z" @@ -5065,6 +4105,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -5101,30 +4142,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -5141,10 +4158,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -5153,7 +4170,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -5165,15 +4182,6 @@ }, { "@timestamp": "2021-11-16T00:25:10.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -5195,7 +4203,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -5206,11 +4214,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 30000000000, "end": "2021-11-16T00:25:40.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=30 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154696512\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:10 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=30 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154696512\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:10.000Z" @@ -5223,6 +4231,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -5259,30 +4268,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -5299,10 +4284,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -5311,7 +4296,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -5323,13 +4308,6 @@ }, { "@timestamp": "2021-11-16T00:25:11.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -5350,7 +4328,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -5360,9 +4338,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:11 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -5373,6 +4351,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -5408,28 +4387,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -5446,10 +4403,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -5457,7 +4414,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -5468,15 +4425,6 @@ }, { "@timestamp": "2021-11-16T00:25:11.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -5498,7 +4446,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -5509,11 +4457,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 32000000000, "end": "2021-11-16T00:25:43.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:11 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:11.000Z" @@ -5526,6 +4474,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -5562,30 +4511,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -5602,10 +4527,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -5614,7 +4539,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -5626,14 +4551,6 @@ }, { "@timestamp": "2021-11-16T00:25:11.000Z", - "client": { - "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", - "nat": { - "ip": "192.168.1.2" - }, - "port": 59335 - }, "destination": { "as": { "number": 29518, @@ -5654,7 +4571,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 443 }, "ecs": { 
@@ -5665,9 +4582,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=59335 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088704\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:11 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=59335 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088704\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -5678,6 +4595,7 @@ "level": "Information" }, "network": { + "community_id": "1:Jdy+51i0g2ubEnGv7jt3wjeQlpM=", "direction": "outbound", "transport": "udp" }, @@ -5713,29 +4631,6 @@ "rule": { "id": "11" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -5751,10 +4646,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "1" @@ -5762,7 +4657,7 @@ }, "source": { "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", + "mac": "24-4B-FE-DD-C6-CE", "nat": { "ip": "192.168.1.2" }, @@ -5774,15 +4669,6 @@ }, { "@timestamp": "2021-11-16T00:25:12.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -5804,7 +4690,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -5815,11 +4701,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 38000000000, "end": "2021-11-16T00:25:50.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:12 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:12.000Z" @@ -5832,6 +4718,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -5868,30 +4755,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -5908,10 +4771,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -5920,7 +4783,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -5932,13 +4795,6 @@ }, { "@timestamp": "2021-11-16T00:25:12.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -5959,7 +4815,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -5969,9 +4825,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2694935808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:12 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2694935808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -5982,6 +4838,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -6017,28 +4874,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -6055,10 +4890,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -6066,7 +4901,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -6077,13 +4912,6 @@ }, { "@timestamp": "2021-11-16T00:25:12.000Z", - "client": { - "ip": "192.168.2.105", - "mac": "54:60:09:FD:33:EC", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -6104,7 +4932,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -6114,9 +4942,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:12 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -6127,6 +4955,7 @@ "level": "Information" }, "network": { + "community_id": "1:SNjkSX+hbh9N9cWDA8/QTiAkR6A=", "direction": "outbound", "transport": "icmp" }, @@ -6162,28 +4991,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -6200,10 +5007,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -6211,7 +5018,7 @@ }, "source": { "ip": "192.168.2.105", - "mac": "54:60:09:FD:33:EC", + "mac": "54-60-09-FD-33-EC", "nat": { "ip": "192.168.1.2" } @@ -6222,14 +5029,6 @@ }, { "@timestamp": "2021-11-16T00:25:12.000Z", - "client": { - "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", - "nat": { - "ip": "192.168.1.2" - }, - "port": 62171 - }, "destination": { "as": { "number": 29518, @@ -6250,7 +5049,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 443 }, "ecs": { 
@@ -6261,9 +5060,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=62171 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151868992\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:12 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=62171 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151868992\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -6274,6 +5073,7 @@ "level": "Information" }, "network": { + "community_id": "1:gR1AsNgZns9n/Yw1U6j4HYB0R9k=", "direction": "outbound", "transport": "udp" }, @@ -6309,29 +5109,6 @@ "rule": { "id": "11" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -6347,10 +5124,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "1" @@ -6358,7 +5135,7 @@ }, "source": { "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", + "mac": "24-4B-FE-DD-C6-CE", "nat": { "ip": "192.168.1.2" }, @@ -6370,16 +5147,6 @@ }, { "@timestamp": "2021-11-16T00:25:12.000Z", - "client": { - "bytes": 1030, - "ip": "192.168.2.110", - "mac": "34:C9:3D:23:51:C2", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 11, - "port": 53271 - }, "destination": { "as": { "number": 29518, @@ -6401,7 +5168,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 13, "port": 443 }, 
@@ -6413,11 +5180,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 17000000000, "end": "2021-11-16T00:25:29.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=17 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"34:C9:3D:23:51:C2\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.110\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172106048\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:12 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=17 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" 
src_mac=\"34:C9:3D:23:51:C2\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.110\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172106048\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:12.000Z" @@ -6430,6 +5197,7 @@ }, "network": { "bytes": 7800, + "community_id": "1:crPYLupMv69l6bjRDZCcrWpHWrs=", "direction": "outbound", "packets": 24, "transport": "tcp" @@ -6466,31 +5234,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 6770, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 13, - "port": 443 - }, "sophos": { "xg": { "app_category": "Infrastructure", @@ -6510,10 +5253,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -6522,7 +5265,7 @@ "source": { "bytes": 1030, "ip": "192.168.2.110", - "mac": "34:C9:3D:23:51:C2", + "mac": "34-C9-3D-23-51-C2", "nat": { "ip": "192.168.1.2" }, 
@@ -6535,14 +5278,6 @@ }, { "@timestamp": "2021-11-16T00:25:12.000Z", - "client": { - "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", - "nat": { - "ip": "192.168.1.2" - }, - "port": 52915 - }, "destination": { "as": { "number": 29518, @@ -6563,7 +5298,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 443 }, "ecs": { 
@@ -6574,9 +5309,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=52915 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:12 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=52915 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -6587,6 +5322,7 @@ "level": "Information" }, "network": { + "community_id": "1:EHmkZS4ByA4QLRL4a20ddi/HHHk=", "direction": "outbound", "transport": "udp" }, @@ -6622,29 +5358,6 @@ "rule": { "id": "11" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -6660,10 +5373,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "1" @@ -6671,7 +5384,7 @@ }, "source": { "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", + "mac": "24-4B-FE-DD-C6-CE", "nat": { "ip": "192.168.1.2" }, @@ -6683,13 +5396,6 @@ }, { "@timestamp": "2021-11-16T00:25:13.000Z", - "client": { - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - } - }, "destination": { "as": { "number": 29518, @@ -6710,7 +5416,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" + "mac": "00-50-56-9F-39-33" }, "ecs": { "version": "8.0.0" 
@@ -6720,9 +5426,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386624\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:13 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386624\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -6733,6 +5439,7 @@ "level": "Information" }, "network": { + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "transport": "icmp" }, @@ -6768,28 +5475,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33" - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -6806,10 +5491,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -6817,7 +5502,7 @@ }, "source": { "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" } @@ -6828,15 +5513,6 @@ }, { "@timestamp": "2021-11-16T00:25:13.000Z", - "client": { - "bytes": 168, - "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", - "nat": { - "ip": "192.168.1.2" - }, - "packets": 2 - }, "destination": { "as": { "number": 29518, @@ -6858,7 +5534,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "packets": 2 }, "ecs": { 
@@ -6869,11 +5545,11 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "duration": 37000000000, "end": "2021-11-16T00:25:50.000Z", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:13 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6, "start": "2021-11-16T00:25:13.000Z" @@ -6886,6 +5562,7 @@ }, "network": { "bytes": 336, + "community_id": "1:k8knu+ZpQWfBknRiJ4i22/T9XTQ=", "direction": "outbound", "packets": 4, "transport": "icmp" @@ -6922,30 +5599,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "bytes": 168, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "packets": 2 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -6962,10 +5615,10 @@ "icmp_type": "8", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -6974,7 +5627,7 @@ "source": { "bytes": 168, "ip": "192.168.2.121", - "mac": "10:BF:48:7D:ED:22", + "mac": "10-BF-48-7D-ED-22", "nat": { "ip": "192.168.1.2" }, @@ -6986,14 +5639,6 @@ }, { "@timestamp": "2021-11-16T00:25:13.000Z", - "client": { - "ip": "192.168.2.105", - "mac": "54:60:09:FD:33:EC", - "nat": { - "ip": "192.168.1.2" - }, - "port": 34141 - }, "destination": { "as": { "number": 29518, @@ -7014,7 +5659,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 53 }, "ecs": { 
@@ -7025,9 +5670,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=34141 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:13 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=34141 dst_port=53 src_trans_ip=\"192.168.1.2\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -7038,6 +5683,7 @@ "level": "Information" }, "network": { + "community_id": "1:N+DzmHb2/WnL1heTDhNw0OiuqoE=", "direction": "outbound", "transport": "udp" }, @@ -7073,29 +5719,6 @@ "rule": { "id": "12" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "port": 53 - }, "sophos": { "xg": { "app_category": "Infrastructure", @@ -7115,10 +5738,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "12" @@ -7126,7 +5749,7 @@ }, "source": { "ip": "192.168.2.105", - "mac": "54:60:09:FD:33:EC", + "mac": "54-60-09-FD-33-EC", "nat": { "ip": "192.168.1.2" }, @@ -7138,14 +5761,6 @@ }, { "@timestamp": "2021-11-16T00:25:13.000Z", - "client": { - "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", - "nat": { - "ip": "192.168.1.2" - }, - "port": 51751 - }, "destination": { "as": { "number": 29518, @@ -7166,7 +5781,7 @@ "region_name": "Östergötland County" }, "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", + "mac": "00-50-56-9F-39-33", "port": 443 }, "ecs": { 
@@ -7177,9 +5792,9 @@ "category": [ "network" ], - "code": "010101600001", + "code": "00001", "kind": "event", - "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=51751 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "original": "Nov 16 00:25:13 sophos device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=51751 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" 
qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", "outcome": "success", "severity": 6 }, @@ -7190,6 +5805,7 @@ "level": "Information" }, "network": { + "community_id": "1:PIPOxz7MFoD83qug+wZ2svTtuoQ=", "direction": "outbound", "transport": "udp" }, @@ -7225,29 +5841,6 @@ "rule": { "id": "11" }, - "server": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "mac": "00:50:56:9F:39:33", - "port": 443 - }, "sophos": { "xg": { "app_filter_policy_id": "6", @@ -7263,10 +5856,10 @@ "hb_status": "No Heartbeat", "ips_policy_id": "8", "log_component": "Firewall Rule", + "log_id": "010101600001", "log_subtype": "Allowed", "log_type": "Firewall", "log_version": "1", - "message_id": "00001", "qualifier": "New", "src_zone_type": "LAN", "web_policy_id": "1" @@ -7274,7 +5867,7 @@ }, "source": { "ip": "192.168.2.41", - "mac": "24:4B:FE:DD:C6:CE", + "mac": "24-4B-FE-DD-C6-CE", "nat": { "ip": "192.168.1.2" }, diff --git a/packages/sophos/data_stream/xg/_dev/test/system/test-logfile-config.yml b/packages/sophos/data_stream/xg/_dev/test/system/test-logfile-config.yml deleted file mode 100644 index 4483fa5ddfe..00000000000 --- a/packages/sophos/data_stream/xg/_dev/test/system/test-logfile-config.yml +++ /dev/null @@ -1,11 +0,0 @@ -service: sophos-logfile -input: logfile -data_stream: - vars: - paths: - - "{{SERVICE_LOGS_DIR}}/sophos-xg*.log" - known_devices: | - - hostname: XG230 - serial_number: "1234567890123456" - - hostname: SG430 - serial_number: "S4000806149EE49" 
diff --git a/packages/sophos/data_stream/xg/_dev/test/system/test-tcp-config.yml b/packages/sophos/data_stream/xg/_dev/test/system/test-tcp-config.yml deleted file mode 100644 index 5ac7ed1771b..00000000000 --- a/packages/sophos/data_stream/xg/_dev/test/system/test-tcp-config.yml +++ /dev/null @@ -1,12 +0,0 @@ -service: sophos-xg-tcp -service_notify_signal: SIGHUP -input: tcp -data_stream: - vars: - syslog_host: 0.0.0.0 - syslog_port: 9549 - known_devices: | - - hostname: XG230 - serial_number: "1234567890123456" - - hostname: SG430 - serial_number: "S4000806149EE49" diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml index 3d10bd560a3..f26954b62ef 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for parsing sophos firewall logs (cfilter pipeline) +description: Pipeline for parsing Sophos XG firewall logs (anti-spam pipeline). processors: ####################### ## ECS Event Mapping ## 
@@ -18,15 +18,15 @@ processors: - set: field: event.kind value: alert - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' - append: field: event.category value: malware - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' - append: field: event.category value: intrusion_detection - if: "ctx.sophos?.xg?.message_id == '13012'" + if: "ctx.event?.code == '13012'" - append: field: event.category value: network @@ -35,17 +35,18 @@ processors: value: - allowed - connection - if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.sophos?.xg?.message_id)' + if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.event?.code)' - append: field: event.type value: - info - denied - connection - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' + #################################### -## ECS Server/Destination Mapping ## +## ECS Destination Mapping #################################### - rename: field: sophos.xg.dst_ip @@ -65,7 +66,7 @@ processors: ignore_missing: true ############################### -## ECS Client/Source Mapping ## +## ECS Source Mapping ############################### - rename: field: sophos.xg.src_ip 
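Review bot: Switching every condition in this hunk from `ctx.sophos?.xg?.message_id` to `ctx.event?.code` changes the contract of `event.code` for consumers: the expected output elsewhere in this diff now shows `event.code` as the 5-digit message id (`"00001"`) where it previously held the 12-digit `log_id` (`"010101600001"`), which moves to `sophos.xg.log_id`, and `sophos.xg.message_id` disappears. Any detection rule, saved search or dashboard filtering on the old 12-digit `event.code` or on `sophos.xg.message_id` will silently stop matching, so this deserves a breaking-change note in the package changelog and a migration hint in the data stream docs. A comment above the first `set` would make the new contract explicit here, for example `# event.code holds the 5-digit Sophos message id; the full log_id is kept in sophos.xg.log_id.`. The enclosing `processors` list begins before this hunk.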
@@ -87,82 +88,16 @@ processors: target_field: source.domain ignore_missing: true -############################# -## ECS Network/Geo Mapping ## -############################# +###################### +## ECS Network Mapping +###################### - rename: field: sophos.xg.protocol target_field: network.transport ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name +- lowercase: + field: sophos.xg.log_component + 
target_field: network.protocol ignore_missing: true ############# diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml index 1169b490940..e897921113b 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml @@ -31,26 +31,21 @@ processors: - set: field: event.kind value: event - if: '["09002"].contains(ctx.sophos?.xg?.message_id)' + if: '["09002"].contains(ctx.event?.code)' - append: field: event.type value: - allowed - connection - if: '["09002"].contains(ctx.sophos?.xg?.message_id)' + if: '["09002"].contains(ctx.event?.code)' - append: field: event.category value: network - if: '["09002"].contains(ctx.sophos?.xg?.message_id)' -- rename: - field: sophos.xg.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" + if: '["09002"].contains(ctx.event?.code)' -#################################### -## ECS Server/Destination Mapping ## -#################################### +############################# +## ECS Destination Mapping ## +############################# - rename: field: sophos.xg.dst_ip target_field: destination.ip @@ -68,10 +63,18 @@ processors: target_field: destination.user.email ignore_missing: true if: "ctx.sophos?.xg?.to_email_address != null" +- rename: + field: sophos.xg.dstdomain + target_field: destination.domain + ignore_failure: true +- rename: + field: sophos.xg.dst_domainname + target_field: destination.domain + ignore_failure: true -############################### -## ECS Client/Source Mapping ## -############################### +######################## +## ECS Source Mapping ## +######################## - rename: field: sophos.xg.src_ip target_field: source.ip 
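Review bot: The block removed in this hunk included the fallback geoip/ASN lookups on `source.nat.ip` and `destination.nat.ip` (guarded by `ctx.source?.geo == null` / `ctx.destination?.as == null`) next to the direct `source.ip`/`destination.ip` lookups; if enrichment now lives in a shared pipeline, it is worth checking that the NAT fallback went with it, otherwise anti-spam events whose only routable address is the translated one lose `geo`/`as`. The firewall samples in this diff carry private addresses on both `source.ip` and `source.nat.ip`, so the visible expected output cannot confirm this either way. The new `lowercase` with `target_field: network.protocol` copies rather than moves, so `sophos.xg.log_component` stays on the event, consistent with the firewall expected output that retains `log_component`. A one-line comment on the new processor, `# log_component is presumed to name the mail protocol for anti-spam events; copied lowercased to network.protocol.`, would record why a component name is treated as a protocol — confirm that holds for every anti-spam component value.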
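Review bot: Both new `rename` processors in this hunk write to `destination.domain` with `ignore_failure: true`, which hides every error rather than only the expected ones (source field missing, or target already set by the first rename); when an event carries both `dstdomain` and `dst_domainname` the second rename silently no-ops and `sophos.xg.dst_domainname` is left on the document. A narrower form gives the same result without masking pipeline faults: `ignore_missing: true` on both renames plus `if: ctx.destination?.domain == null` on the `dst_domainname` one. The same applies to the `src_domainname` rename in the following hunk. Dropping the `sophos.xg.log_id` → `event.code` fallback is consistent with the expected output in this diff, where `event.code` is now the 5-digit message id and the full id lives in `sophos.xg.log_id`; the enclosing `processors` list begins before this hunk.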
@@ -94,6 +97,10 @@ processors: target_field: source.user.email ignore_missing: true if: "ctx.sophos?.xg?.from_email_address != null" +- rename: + field: sophos.xg.src_domainname + target_field: source.domain + ignore_failure: true ###################### ## ECS Rule Mapping ## @@ -112,21 +119,19 @@ processors: target_field: url.original ignore_missing: true if: "ctx.sophos?.xg?.url != null" +- uri_parts: + if: ctx.url?.original != null && ctx.url.original.contains("://") + field: url.original + target_field: url +- set: + if: ctx.url?.original != null && ctx.url.original.contains("://") + field: url.full + copy_from: url.original + ignore_empty_value: true - rename: field: sophos.xg.domainname target_field: url.domain - ignore_missing: true - if: "ctx.sophos?.xg?.domainname != null" -- rename: - field: sophos.xg.dst_domainname - target_field: url.domain - ignore_missing: true - if: "ctx.sophos?.xg?.dst_domainname != null && ctx?.url?.domain == null" -- rename: - field: sophos.xg.src_domainname - target_field: url.domain - ignore_missing: true - if: "ctx.sophos?.xg?.src_domainname != null" + ignore_failure: true ############################ ## ECS User Agent Mapping ## 
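Review bot: The new `uri_parts` processor in this hunk has neither `ignore_failure` nor an `on_failure` handler, so a URL the processor cannot parse throws and the whole event falls through to the pipeline's failure path; anti-virus events are exactly where odd, attacker-controlled URLs (unencoded spaces, stray brackets, bare `scheme://` fragments) turn up, and the `contains("://")` guard only excludes scheme-less values. Adding `ignore_failure: true` to the `uri_parts` processor keeps `url.original` and `url.full` for such events instead of losing the indexed document. The trailing `rename` of `sophos.xg.domainname` to `url.domain` with `ignore_failure: true` will silently fail whenever `uri_parts` already populated `url.domain`, which is presumably why `sophos.xg.domainname` is added to the remove list further down this file; a comment on the rename, `# url.domain may already be set by uri_parts; the raw field is dropped in cleanup either way.`, would save the next reader the hunt. The enclosing `processors` list begins before this hunk.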
@@ -165,103 +170,18 @@ processors: ignore_missing: true if: "ctx.sophos?.xg?.file_path != null" -############################# -## ECS Network/Geo Mapping ## -############################# +###################### +## ECS Network Mapping +###################### - rename: field: sophos.xg.protocol target_field: network.transport ignore_missing: true - if: "ctx.sophos?.xg?.protocol != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name +- lowercase: + field: sophos.xg.log_component + target_field: network.protocol ignore_missing: true -######################### -## ECS Related Mapping ## -######################### -- append: - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false - if: 'ctx?.source?.ip != null' -- append: - field: related.ip - value: '{{destination.ip}}' - allow_duplicates: false - if: 'ctx?.destination?.ip != null' -- append: - field: related.user - value: "{{source.user.name}}" - allow_duplicates: false - if: "ctx.source?.user?.name != null" ############# ## Cleanup ## ############# @@ -270,6 +190,7 @@ processors: ignore_failure: true - remove: field: + - sophos.xg.domainname - sophos.xg.dst_port - sophos.xg.src_port - sophos.xg.status_code diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml index 23eb4f07460..47bcb458a6f 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml @@ -20,18 +20,13 @@ processors: value: - intrusion_detection - network - if: '["18009", "18010"].contains(ctx.sophos?.xg?.message_id)' + if: '["18009", "18010"].contains(ctx.event?.code)' - append: field: event.type value: - denied - connection - if: '["18009", "18010"].contains(ctx.sophos?.xg?.message_id)' -- rename: - field: sophos.xg.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" + if: '["18009", "18010"].contains(ctx.event?.code)' - rename: field: sophos.xg.eventid target_field: event.id 
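Review bot: This hunk deletes the `related.ip` and `related.user` appends for anti-virus events together with the geoip block; if they were not moved to a common pipeline, hunting queries and detection rules that pivot on `related.*` lose anti-virus coverage even though `source.ip`, `destination.ip` and `source.user.name` are still populated earlier in this pipeline. No anti-virus sample appears in the visible expected output, so this cannot be confirmed here; a pipeline test on an anti-virus event asserting `related.ip` would settle it. The enclosing `processors` list begins before this hunk.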
@@ -87,114 +82,27 @@ processors: target_field: url.original ignore_missing: true if: "ctx.sophos?.xg?.url != null" +- uri_parts: + if: ctx.url?.original != null && ctx.url.original.contains("://") + field: url.original + target_field: url +- set: + if: ctx.url?.original != null && ctx.url.original.contains("://") + field: url.full + copy_from: url.original + ignore_empty_value: true -############################# -## ECS Network/Geo Mapping ## -############################# +###################### +## ECS Network Mapping +###################### - rename: field: sophos.xg.protocol target_field: network.transport ignore_missing: true - if: "ctx.sophos?.xg?.protocol != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: 
source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -######################### -## ECS Related Mapping ## -######################### -- append: - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false - if: 'ctx?.source?.ip != null' -- append: - field: related.ip - value: '{{destination.ip}}' - allow_duplicates: false - if: 'ctx?.destination?.ip != null' -- append: - field: related.user - value: "{{source.user.name}}" - allow_duplicates: false - if: "ctx.source?.user?.name != null" ############# ## Cleanup ## ############# -- lowercase: - field: network.protocol - ignore_failure: true -- lowercase: - field: network.transport - ignore_failure: true - lowercase: field: event.action ignore_failure: true diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml index 06dd579e10f..d8030558aa1 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for parsing sophos firewall logs (cfilter pipeline) +description: Pipeline for parsing sophos firewall logs (Content Filtering pipeline) processors: ####################### ## ECS Event Mapping ## 
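Review bot: The new `uri_parts` processor on `url.original` carries no `ignore_failure`, so a value that passes the `contains("://")` guard but that `uri_parts` cannot parse fails the pipeline run for that event and it lands in the `on_failure` handler, skipping every later geo, related.* and cleanup step. ATP events presumably carry URLs observed in suspicious traffic, which is exactly where malformed values are likeliest, and these are the alerts that most need the rest of the enrichment to run. Add `ignore_failure: true` to the `uri_parts` processor so a bad URL only costs the `url.*` breakdown; `url.full` is still populated by the following `set`. The `atp.yml` processor list continues outside this hunk.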
@@ -42,15 +42,10 @@ processors: - denied - connection if: "ctx.sophos?.xg?.log_subtype == 'Denied'" -- rename: - field: sophos.xg.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" -#################################### -## ECS Server/Destination Mapping ## -#################################### +########################## +## ECS Destination Mapping +########################## - rename: field: sophos.xg.dst_ip target_field: destination.ip @@ -64,9 +59,9 @@ processors: ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -############################### -## ECS Client/Source Mapping ## -############################### +##################### +## ECS Source Mapping +##################### - rename: field: sophos.xg.src_ip target_field: source.ip 
@@ -140,113 +135,22 @@ processors: target_field: user_agent ignore_missing: true -############################# -## ECS Network/Geo Mapping ## -############################# +###################### +## ECS Network Mapping +###################### - rename: field: sophos.xg.protocol target_field: network.transport ignore_missing: true - if: "ctx.sophos?.xg?.protocol != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - 
ignore_missing: true - -######################### -## ECS Related Mapping ## -######################### -- append: - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false - if: 'ctx?.source?.ip != null' -- append: - field: related.ip - value: '{{destination.ip}}' - allow_duplicates: false - if: 'ctx?.destination?.ip != null' -- append: - field: related.user - value: "{{source.user.name}}" - allow_duplicates: false - if: "ctx.source?.user?.name != null" +- set: + field: network.protocol + copy_from: url.scheme + override: false + ignore_empty_value: true ############# ## Cleanup ## ############# -- lowercase: - field: network.protocol - ignore_failure: true -- lowercase: - field: network.transport - ignore_failure: true - lowercase: field: event.action ignore_failure: true diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml index 484ec067050..884a7144a66 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml 
@@ -1,29 +1,25 @@ --- -description: Pipeline for parsing sophosxg firewall logs +description: Pipeline for parsing Sophos XG firewall logs. processors: - set: field: ecs.version value: '8.0.0' -- grok: - field: message - patterns: - - '%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:event.original}$' - - '%{SYSLOG5424PRI}%{GREEDYDATA:event.original}$' - - '%{SYSLOGTIMESTAMP} %{HOSTNAME:observer.hostname} %{GREEDYDATA:event.original}$' -# optimize fields / strings in event.original for KV processor -- gsub: +- set: field: event.original - pattern: "clients_conn_SSID" - replacement: 'clients_conn_ssid' -- gsub: + copy_from: message + override: false +- grok: field: event.original - pattern: "SysLog_SERVER_NAME" - replacement: 'syslog_server_name' + patterns: + - '^%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:message}$' + - '^%{SYSLOG5424PRI}%{GREEDYDATA:message}$' + - '^%{SYSLOGTIMESTAMP} %{HOSTNAME:observer.hostname} %{GREEDYDATA:message}$' + - '%{GREEDYDATA:message}$' # split Sophos-XG fields - kv: - field: event.original + field: message field_split: " (?=[a-zA-Z0-9_]+=)" value_split: "=" prefix: "sophos.xg." 
@@ -31,18 +27,29 @@ processors: ignore_failure: false trim_value: "\"" +- script: + description: Lowercase sophos.xg key name names. + tag: lowercase-sophos-keys + if: ctx.sophos?.xg != null + source: | + def lowercaseMap = [:]; + for(def entry : ctx.sophos.xg.entrySet()){ + lowercaseMap.put(entry.getKey().toLowerCase(), entry.getValue()); + } + ctx.sophos.xg = lowercaseMap; + # Parse the date - set: field: _temp_.time value: "{{sophos.xg.date}} {{sophos.xg.time}}" - if: ctx?.sophos?.xg?.date != null && ctx?.sophos?.xg?.time != null + if: ctx.sophos?.xg?.date != null && ctx.sophos?.xg?.time != null - set: field: _temp_.time copy_from: sophos.xg.timestamp ignore_empty_value: true if: ctx._temp_?.time == null - date: - if: "ctx.event.timezone == null" + if: ctx._temp_?.time != null && ctx.event?.timezone == null field: _temp_.time target_field: "@timestamp" formats: @@ -51,7 +58,7 @@ processors: - yyyy-MM-dd HH:mm:ss z - ISO8601 - date: - if: "ctx.event.timezone != null" + if: ctx._temp_?.time != null && ctx.event?.timezone != null timezone: "{{ event.timezone }}" field: _temp_.time target_field: "@timestamp" @@ -64,7 +71,7 @@ processors: # Sets starts, end and duration when start and duration is known - script: lang: painless - if: ctx?.sophos?.xg?.duration != null + if: ctx.sophos?.xg?.duration != null source: >- ctx.event.duration = Integer.parseInt(ctx.sophos.xg.duration) * 1000000000L; ctx.event.start = ctx['@timestamp']; @@ -73,6 +80,8 @@ processors: # Removes all empty fields - script: + description: Remove empty fields. + tag: remove-empty-fields lang: painless params: values: 
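Review bot: The `lowercase-sophos-keys` script silently loses data when two `sophos.xg` keys differ only in case, because `lowercaseMap.put` overwrites the earlier entry; since the kv processor derives key names from the log text (`[a-zA-Z0-9_]+=`) rather than a fixed schema, a value that smuggles a ` STATUS=...` token would, after lowercasing, replace the genuine `status` instead of sitting beside it. Keep the first occurrence instead, e.g. `def k = entry.getKey().toLowerCase(); if (!lowercaseMap.containsKey(k)) { lowercaseMap.put(k, entry.getValue()); }`, and consider tagging the event when a collision is detected so the dropped value is at least visible. The processors list begins outside this hunk.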
@@ -80,64 +89,73 @@ processors: - "-" - "N/A" source: >- - ctx?.sophos?.xg.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + ctx.sophos?.xg.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); ####################### ## ECS Event Mapping ## ####################### -- set: - field: event.severity - value: "{{sophos.xg.log_id}}" -# extract from event_severity from log_id, example: 010101600001" +# log_id consists of (example: 010101600001): +# log type: 2 digits +# log component: 2 digits +# log subtype: 2 digits +# severity: 1 digit +# message ID: 5 digits - gsub: + description: Set event.severity from log_id. + field: sophos.xg.log_id + target_field: event.severity + pattern: '^.{6}(.).*$' + replacement: '$1' + ignore_failure: true +- convert: field: event.severity - pattern: "(^.{1,6})" - replacement: "" + type: long + ignore_missing: true - gsub: - field: event.severity - pattern: "(.{1,5}$)" - replacement: "" + description: Set event.code from log_id. 
+ field: sophos.xg.log_id + target_field: event.code + pattern: '^.{7}(.{5})$' + replacement: '$1' + ignore_failure: true ##################### ## ECS Log Mapping ## ##################### - set: - field: "log.level" - if: "ctx.event.severity == '0' " + if: ctx.event?.severity == 0 + field: log.level value: unknown - set: - field: "log.level" - if: "ctx.event.severity == '1' " + if: ctx.event?.severity == 1 + field: log.level value: alert - set: - field: "log.level" - if: "ctx.event.severity == '2' " + if: ctx.event?.severity == 2 + field: log.level value: critical - set: - field: "log.level" - if: "ctx.event.severity == '3' " + if: ctx.event?.severity == 3 + field: log.level value: error - set: - field: "log.level" - if: "ctx.event.severity == '4' " + if: ctx.event?.severity == 4 + field: log.level value: warning - set: - field: "log.level" - if: "ctx.event.severity == '5' " + if: ctx.event?.severity == 5 + field: log.level value: notification - set: - field: "log.level" - if: "ctx.event.severity == '6' " + if: ctx.event?.severity == 6 + field: log.level value: informational - set: - field: "log.level" - if: "ctx.event.severity == '7' " + if: ctx.event?.severity == 7 + field: log.level value: debug -- convert: - field: event.severity - type: long - ignore_missing: true + - set: field: log.level copy_from: sophos.xg.severity 
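Review bot: Both new `gsub` processors pass the untouched `log_id` through to `event.severity` and `event.code` when their pattern does not match, because `gsub` with a `target_field` writes the input unchanged on no match: a `log_id` shorter than seven characters lands whole in `event.severity`, and anything that is not exactly twelve characters becomes `event.code`, which the sub-pipelines then compare against five-digit message IDs. The following `convert` to `long` has `ignore_missing` but not `ignore_failure`, so a non-numeric leftover fails the whole pipeline run rather than leaving severity unset. Guard both processors with the documented shape, `if: ctx.sophos?.xg?.log_id != null && ctx.sophos.xg.log_id.length() == 12`, and give the `convert` an `ignore_failure: true` (or an `on_failure` that removes `event.severity`), so a malformed ID yields no severity/code instead of a wrong one. The processors list begins outside this hunk.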
@@ -196,28 +214,12 @@ processors: target_field: sophos.xg.dst_zone_type ignore_missing: true -# extract from log_id the new field "sophos.xg.message_id" -- set: - field: sophos.xg.message_id - value: "{{sophos.xg.log_id}}" - ignore_empty_value: true - ignore_failure: true -- gsub: - field: sophos.xg.message_id - pattern: "(^.{1,7})" - replacement: "" - ignore_failure: true -- rename: - field: sophos.xg.log_id - target_field: event.code - ignore_missing: true - ################### ## Set host.name ## ################### - script: lang: painless - if: ctx?.observer?.serial_number != null + if: ctx.observer?.serial_number != null source: >- def conf = ctx['_conf']; if (conf == null) return; @@ -231,15 +233,10 @@ processors: break; } } - if (ctx?.host == null) { + if (ctx.host == null) { ctx.host = new HashMap(); } ctx.host.name = name; -- append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: 'ctx.host?.name != null' ############# ## Cleanup ## @@ -262,12 +259,6 @@ processors: - syslog5424_pri ignore_missing: true -- convert: - field: sophos.xg.responsetime - type: long - ignore_missing: true - ignore_failure: true - - convert: field: sophos.xg.sent_bytes target_field: source.bytes 
@@ -297,24 +288,57 @@ processors: ignore_missing: true if: "ctx.sophos?.xg?.bytes_received != null" +############################# +## ECS Source/Destination MAC +############################# +- rename: + field: sophos.xg.src_mac + target_field: source.mac + ignore_failure: true +- uppercase: + field: source.mac + ignore_missing: true +- gsub: + field: source.mac + pattern: '[-:. ]' + replacement: '' + ignore_missing: true +- gsub: + field: source.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + +- rename: + field: sophos.xg.dst_mac + target_field: destination.mac + ignore_failure: true +- uppercase: + field: destination.mac + ignore_missing: true +- gsub: + field: destination.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- gsub: + field: destination.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + ############################### ## Product Specific Pipelines ## ############################### - pipeline: - name: '{{ IngestPipeline "firewall" }}' - if: "ctx.sophos?.xg?.log_type == 'Firewall'" -- pipeline: - name: '{{ IngestPipeline "idp" }}' - if: "ctx.sophos?.xg?.log_type == 'IDP'" -- pipeline: - name: '{{ IngestPipeline "atp" }}' - if: "ctx.sophos?.xg?.log_type == 'ATP'" + name: '{{ IngestPipeline "antispam" }}' + if: "ctx.sophos?.xg?.log_type == 'Anti-Spam'" - pipeline: name: '{{ IngestPipeline "antivirus" }}' if: "ctx.sophos?.xg?.log_type == 'Anti-Virus'" - pipeline: - name: '{{ IngestPipeline "sandstorm" }}' - if: "ctx.sophos?.xg?.log_type == 'Sandbox'" + name: '{{ IngestPipeline "atp" }}' + if: "ctx.sophos?.xg?.log_type == 'ATP'" - pipeline: name: '{{ IngestPipeline "cfilter" }}' if: "ctx.sophos?.xg?.log_type == 'Content Filtering'" 
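Review bot: The two MAC-normalisation chains are not the same: the `source.mac` cleanup strips `'[-:. ]'` (space included) while the `destination.mac` one strips `'[-:.]'`, so a space-separated destination MAC keeps its spaces and the following `(..)(?!$)` re-grouping then emits a malformed address. Use one character class for both, `pattern: '[-:. ]'`. Separately, the two `rename` processors use `ignore_failure: true` where the rest of this file uses `ignore_missing: true`; `ignore_failure` also hides a rename that fails because `source.mac`/`destination.mac` already exists, so prefer `ignore_missing: true` unless that masking is intended.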
@@ -322,47 +346,223 @@ processors: name: '{{ IngestPipeline "event" }}' if: "ctx.sophos?.xg?.log_type == 'Event'" - pipeline: - name: '{{ IngestPipeline "waf" }}' - if: "ctx.sophos?.xg?.log_type == 'WAF'" + name: '{{ IngestPipeline "firewall" }}' + if: "ctx.sophos?.xg?.log_type == 'Firewall'" - pipeline: - name: '{{ IngestPipeline "antispam" }}' - if: "ctx.sophos?.xg?.log_type == 'Anti-Spam'" + name: '{{ IngestPipeline "idp" }}' + if: "ctx.sophos?.xg?.log_type == 'IDP'" +- pipeline: + name: '{{ IngestPipeline "sandstorm" }}' + if: "ctx.sophos?.xg?.log_type == 'Sandbox'" - pipeline: name: '{{ IngestPipeline "systemhealth" }}' if: "ctx.sophos?.xg?.log_type == 'System Health'" +- pipeline: + name: '{{ IngestPipeline "waf" }}' + if: "ctx.sophos?.xg?.log_type == 'WAF'" - pipeline: name: '{{ IngestPipeline "wifi" }}' if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" +################## +# GeoIP Enrichment +################## +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: 
destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############## +## ECS Network +############## +- lowercase: + field: network.protocol + ignore_failure: true - set: - field: server - copy_from: destination - ignore_empty_value: true -- set: - field: client - copy_from: source - ignore_empty_value: true + description: Rename pops network.protocol to pop3s. + if: ctx.network?.protocol == "pops" + field: network.protocol + value: pop3s +- lowercase: + field: network.transport + ignore_failure: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx.source?.bytes != null && ctx.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx.source?.packets != null && ctx.destination?.packets != null" + ignore_failure: true +- community_id: + ignore_failure: true + +#################### +## ECS Related Hosts +#################### +- append: + if: ctx.host?.name != null + field: related.hosts + value: '{{{host.name}}}' + allow_duplicates: false +- append: + if: ctx.url?.domain != null + field: related.hosts + value: '{{{url.domain}}}' + allow_duplicates: false +- append: + if: ctx.source?.domain != null + field: related.hosts + value: '{{{source.domain}}}' + allow_duplicates: false +- append: + if: ctx.destination?.domain != null + field: related.hosts + value: 
'{{{destination.domain}}}' + allow_duplicates: false + +################# +## ECS Related IP +################# +- append: + if: ctx.source?.ip != null + field: related.ip + value: '{{{source.ip}}}' + allow_duplicates: false +- append: + if: ctx.destination?.ip != null + field: related.ip + value: '{{{destination.ip}}}' + allow_duplicates: false +- append: + if: ctx.source?.nat?.ip != null + field: related.ip + value: '{{{source.nat.ip}}}' + allow_duplicates: false +- append: + if: ctx.destination?.nat?.ip != null + field: related.ip + value: '{{{destination.nat.ip}}}' + allow_duplicates: false + +################### +## ECS Related User +################### +- append: + if: ctx.source?.user?.name != null + field: related.user + value: "{{{source.user.name}}}" + allow_duplicates: false + +################### +## ECS Related Hash +################### +- append: + if: ctx.file?.hash?.sha1 != null + field: related.hash + value: "{{{file.hash.sha1}}}" + allow_duplicates: false +- append: + if: ctx.file?.hash?.sha256 != null + field: related.hash + value: "{{{file.hash.sha256}}}" + allow_duplicates: false + ############# ## Cleanup ## ############# +- rename: + field: sophos.xg.reason + target_field: event.reason + ignore_failure: true + - remove: field: - - sophos.xg.recv_bytes - - sophos.xg.sent_bytes - - sophos.xg.bytes_sent - - sophos.xg.bytes_received - - sophos.xg.severity - - sophos.xg.dst_country - - sophos.xg.src_country - - sophos.xg.out_display_interface - - sophos.xg.in_display_interface + - sophos.xg.bytes_received + - sophos.xg.bytes_sent + - sophos.xg.dst_country + - sophos.xg.in_display_interface + - sophos.xg.out_display_interface + - sophos.xg.recv_bytes + - sophos.xg.sent_bytes + - sophos.xg.severity + - sophos.xg.src_country ignore_missing: true - remove: field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" ignore_failure: true 
ignore_missing: true on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml index 8f479f84a00..7442b607b28 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for parsing sophos firewall logs (event pipeline) +description: Pipeline for parsing Sophos XG firewall logs (authentication events pipeline). processors: ####################### ## ECS Event Mapping ## 
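Review bot: The `network.bytes` and `network.packets` scripts assign `ctx.network.bytes`/`ctx.network.packets` without ensuring `ctx.network` exists; when no earlier processor has created the `network` object (for instance a record with no `sophos.xg.protocol` for the sub-pipelines to rename into `network.transport`), the assignment throws and `ignore_failure: true` swallows it, so the totals are silently absent even though both source and destination counts are present. Prefix each script with a guard, e.g. `source: "if (ctx.network == null) { ctx.network = [:]; } ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"`, and the same for packets. The processors list begins outside this hunk.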
@@ -10,31 +10,31 @@ processors: - set: field: event.outcome value: success - if: 'ctx?.sophos?.xg?.log_subtype == "Authentication" && ctx?.sophos?.xg?.status == "Successful"' + if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Successful"' - set: field: event.outcome value: failure - if: 'ctx?.sophos?.xg?.log_subtype == "Authentication" && ctx?.sophos?.xg?.status == "Failed"' + if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Failed"' - set: field: event.outcome value: success - if: 'ctx?.sophos?.xg?.log_subtype == "Admin" && ctx?.sophos?.xg?.status == "Successful" && ctx?.sophos?.xg?.message_id == "17507"' + if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Successful" && ctx.event?.code == "17507"' - set: field: event.outcome value: failure - if: 'ctx?.sophos?.xg?.log_subtype == "Admin" && ctx?.sophos?.xg?.status == "Failed" && ctx?.sophos?.xg?.message_id == "17507"' + if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Failed" && ctx.event?.code == "17507"' - append: field: event.type value: - user - start - if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.sophos?.xg?.message_id)" + if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.event?.code)" - append: field: event.type value: - user - end - if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.sophos?.xg?.message_id)" + if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.event?.code)" - append: field: event.type value: connection 
@@ -46,22 +46,17 @@ processors: - append: field: event.category value: authentication - if: 'ctx?.sophos?.xg?.log_subtype == "Authentication"' + if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' - append: field: event.type value: info - if: 'ctx?.sophos?.xg?.message_id == "17819"' + if: 'ctx.event?.code == "17819"' - append: field: event.category value: - host - malware - if: 'ctx?.sophos?.xg?.message_id == "17819"' -- rename: - field: sophos.xg.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" + if: 'ctx.event?.code == "17819"' #################################### ## ECS Server/Destination Mapping ## @@ -90,11 +85,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.remoteinterfaceip != null" -- rename: - field: sophos.xg.src_mac - target_field: source.mac - ignore_missing: true - if: "ctx.sophos?.xg?.src_mac != null" - rename: field: sophos.xg.user_name target_field: source.user.name 
@@ -123,96 +113,6 @@ processors: target_field: message ignore_missing: true -############################# -## ECS Network/Geo Mapping ## -############################# -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -######################### -## ECS Related Mapping ## -######################### -- append: - field: related.ip - value: '{{source.ip}}' - if: 'ctx?.source?.ip != null' -- append: - field: 
related.ip - value: '{{destination.ip}}' - if: 'ctx?.destination?.ip != null' -- append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" - ############# ## Cleanup ## ############# diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml index 6f5a6d0b7cd..7e48fade03a 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml @@ -18,11 +18,11 @@ processors: - set: field: event.kind value: alert - if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophos?.xg?.message_id)' + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' - append: field: event.category value: intrusion_detection - if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophos?.xg?.message_id)' + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' - append: field: event.category value: network @@ -46,11 +46,6 @@ processors: - denied - connection if: "ctx.sophos?.xg?.status == 'Deny'" -- rename: - field: sophos.xg.log_id - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" #################################### ## ECS Server/Destination Mapping ## @@ -84,11 +79,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.tran_dst_port != null" -- rename: - field: sophos.xg.dst_mac - target_field: destination.mac - ignore_missing: true - if: "ctx.sophos?.xg?.dst_mac != null" - convert: field: sophos.xg.recv_pkts target_field: destination.packets @@ -166,10 +156,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.packets_sent != null" -- set: - field: client.packets - copy_from: source.packets - ignore_empty_value: true - rename: field: sophos.xg.user_name target_field: source.user.name 
@@ -195,154 +181,37 @@ processors: ignore_missing: true if: "ctx.sophos?.xg?.policy_type != null" -############################# -## ECS Network/Geo Mapping ## -############################# +###################### +## ECS Network Mapping +###################### - rename: field: sophos.xg.application target_field: network.protocol ignore_missing: true - if: "ctx.sophos?.xg?.application != null" - rename: field: sophos.xg.protocol target_field: network.transport ignore_missing: true - if: "ctx.sophos?.xg?.protocol != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: 
destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true -- script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" - ignore_failure: true - set: field: network.direction value: inbound - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone) && ctx?.observer?.ingress?.zone == 'WAN'" + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone) && ctx.observer?.ingress?.zone == 'WAN'" - set: field: network.direction value: outbound - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ctx?.observer?.egress?.zone == 'WAN'" + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ctx.observer?.egress?.zone == 'WAN'" - set: field: network.direction value: internal - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)" + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone)" - set: field: network.direction value: external - if: "ctx?.observer?.ingress?.zone == 'WAN' && ctx?.observer?.egress?.zone == 'WAN'" - -######################### -## ECS Related Mapping ## -######################### -- append: - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false - if: 'ctx?.source?.ip != null' -- append: - field: related.ip - value: '{{destination.ip}}' - allow_duplicates: false - if: 'ctx?.destination?.ip != null' -- append: - field: related.ip - value: '{{source.nat.ip}}' - 
allow_duplicates: false - if: 'ctx?.source?.nat?.ip != null' -- append: - field: related.ip - value: '{{destination.nat.ip}}' - allow_duplicates: false - if: 'ctx?.destination?.nat?.ip != null' -- append: - field: related.user - value: "{{source.user.name}}" - allow_duplicates: false - if: "ctx.source?.user?.name != null" + if: "ctx.observer?.ingress?.zone == 'WAN' && ctx.observer?.egress?.zone == 'WAN'" ############# ## Cleanup ## ############# -- lowercase: - field: network.protocol - ignore_failure: true -- lowercase: - field: network.transport - ignore_failure: true - lowercase: field: event.action ignore_failure: true diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml index dcdc0be4fa9..c38552b4c63 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml @@ -20,18 +20,13 @@ processors: value: - intrusion_detection - network - if: '["06001", "06002", "07001", "07002"].contains(ctx.sophos?.xg?.message_id)' + if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' - append: field: event.type value: - denied - connection - if: '["06001", "06002", "07001", "07002"].contains(ctx.sophos?.xg?.message_id)' -- rename: - field: sophos.xg.log_id - target_field: event.code - ignore_missing: true - if: "ctx.sophos?.xg?.log_id != null" + if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' #################################### ## ECS Server/Destination Mapping ## 
@@ -89,103 +84,13 @@ processors: ignore_missing: true if: "ctx.sophos?.xg?.classification != null" -############################# -## ECS Network/Geo Mapping ## -############################# +###################### +## ECS Network Mapping +###################### - rename: field: sophos.xg.protocol target_field: network.transport ignore_missing: true - if: "ctx.sophos?.xg?.protocol != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name - ignore_missing: true - -######################### -## ECS Related Mapping ## -######################### -- append: - if: 'ctx?.source?.ip != null' - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false -- append: - if: 'ctx?.destination?.ip != null' - field: related.ip - value: '{{destination.ip}}' - allow_duplicates: false -- append: - field: related.user - value: "{{source.user.name}}" - allow_duplicates: false - if: "ctx.source?.user?.name != null" ############# ## Cleanup ## diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml index 392b4c768d9..df874a52541 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml @@ -51,15 +51,16 @@ processors: - denied - connection if: "ctx.sophos?.xg?.log_subtype == 'Denied'" + - rename: - field: sophos.xg.log_id - target_field: event.code + if: ctx.sophos?.xg?.log_component == "Web" + field: sophos.xg.source + target_field: url.domain ignore_missing: true - if: "ctx.event?.code == null" -############################### -## ECS Client/Source Mapping ## -############################### +######################## +## ECS Source Mapping ## +######################## - rename: field: sophos.xg.src_ip target_field: source.ip @@ -71,6 +72,20 @@ processors: ignore_missing: true if: "ctx.sophos?.xg?.user_name != null" +############################# +## ECS Destination Mapping ## +############################# +- convert: + field: url.domain + target_field: destination.ip + type: ip + ignore_missing: true + on_failure: + - set: + field: destination.domain + copy_from: url.domain + ignore_empty_value: true + ###################### ## ECS File Mapping ## ###################### 
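Review bot: The new `convert` of `url.domain` to `destination.ip` in the sandstorm.yml @@ -71 hunk uses the processor's failure path as control flow: a hostname always fails the ip conversion and only then lands in `destination.domain`, so any other conversion error (an unexpected value type, for instance) is routed into the same branch and never surfaces. That is a common pattern in these pipelines but it is not obvious from the YAML, and nothing records that `url.domain` keeps the original value in both outcomes. A comment above the processor, `# sophos.xg.source is either an IP literal or a hostname; a failed ip conversion means hostname`, would document the intent.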
@@ -78,7 +93,7 @@ processors: field: sophos.xg.filename target_field: file.name ignore_missing: true - if: "ctx.sopho?.xg?.filename != null" + if: ctx.sophos?.xg?.filename != null - convert: field: sophos.xg.filesize target_field: file.size @@ -91,37 +106,27 @@ processors: target_field: file.mime_type ignore_missing: true if: "ctx.sophos?.xg?.filetype != null" + +# In 18.0 and later the sha1sum contains the sha256 checksum of the file. - rename: field: sophos.xg.sha1sum target_field: file.hash.sha1 ignore_missing: true - if: "ctx.sophos?.xg?.sha1sum != null" - -######################### -## ECS Related Mapping ## -######################### -- append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: "ctx.source?.ip != null" -- append: - field: related.user - value: "{{source.user.name}}" - allow_duplicates: false - if: "ctx.source?.user?.name != null" -- append: - field: related.hash - value: "{{file.hash.sha1}}" - allow_duplicates: false - if: "ctx.file?.hash?.sha1 != null" -- remove: - field: - - sophos.xg.filesize + if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 40" +- rename: + field: sophos.xg.sha1sum + target_field: file.hash.sha256 ignore_missing: true + if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 64" + ############# ## Cleanup ## ############# +- remove: + field: + - sophos.xg.filesize + - sophos.xg.sha1sum + ignore_missing: true on_failure: - set: field: error.message diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml index 213cc55403a..7a55e8b6a29 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml 
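Review bot: In the @@ -91 hunk a `sophos.xg.sha1sum` whose length is neither 40 nor 64 matches neither rename and is then dropped by the unconditional cleanup `remove`, so a malformed or differently formatted checksum is lost rather than kept for triage. Keeping `sophos.xg.sha1sum` out of the shared remove list and deleting it in its own `remove` processor guarded by `if: ctx.file?.hash != null` would discard it only after one of the renames consumed it. Note also that `.length()` checks character count only, so a 40 or 64 character non-hex string is still renamed; that is acceptable here but worth stating in the comment, e.g. `# dispatch on length only; sha1 is 40 hex chars, sha256 is 64`.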
@@ -80,59 +80,59 @@ processors: - remove: field: sophos.xg.free - gsub: - field: sophos.xg.Configuration + field: sophos.xg.configuration pattern: "%$" replacement: "" ignore_missing: true ignore_failure: true - convert: - field: sophos.xg.Configuration + field: sophos.xg.configuration type: float ignore_missing: true on_failure: - remove: field: - - sophos.xg.Configuration + - sophos.xg.configuration - gsub: - field: sophos.xg.Reports + field: sophos.xg.reports pattern: "%$" replacement: "" ignore_missing: true ignore_failure: true - convert: - field: sophos.xg.Reports + field: sophos.xg.reports type: float ignore_missing: true on_failure: - remove: - field: sophos.xg.Reports + field: sophos.xg.reports - gsub: - field: sophos.xg.Temp + field: sophos.xg.temp pattern: "%$" replacement: "" ignore_missing: true ignore_failure: true - convert: - field: sophos.xg.Temp + field: sophos.xg.temp type: float ignore_missing: true on_failure: - remove: - field: sophos.xg.Temp + field: sophos.xg.temp - gsub: - field: sophos.xg.Signature + field: sophos.xg.signature pattern: "%$" replacement: "" ignore_missing: true ignore_failure: true - convert: - field: sophos.xg.Signature + field: sophos.xg.signature type: float ignore_missing: true on_failure: - remove: - field: sophos.xg.Signature + field: sophos.xg.signature - convert: field: sophos.xg.users type: integer @@ -154,6 +154,27 @@ processors: on_failure: - remove: field: sophos.xg.receivedkbits +- convert: + field: sophos.xg.collisions + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.collisions +- convert: + field: sophos.xg.receiveddrops + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.receiveddrops +- convert: + field: sophos.xg.transmitteddrops + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.transmitteddrops on_failure: - set: 
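Review bot: The three new `convert` processors in the @@ -154 hunk produce `float` values for `sophos.xg.collisions`, `sophos.xg.receiveddrops` and `sophos.xg.transmitteddrops`, while the fields.yml changes in this same diff declare `collisions` and `receiveddrops` as `type: long`; a fractional value would then depend on index-time coercion rather than the pipeline. Changing each to `type: long` (or the mapping to float, if fractional counts are real) keeps pipeline and mapping in agreement. The enclosing processors list continues outside the hunk.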
diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml index c1a904f35ce..a59c4334cdc 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml @@ -48,6 +48,21 @@ processors: - connection if: 'ctx.sophos?.xg?.reason != "-"' +- convert: + field: sophos.xg.responsetime + type: long + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.responsetime +- script: + description: Convert microseconds to nanoseconds. + lang: painless + source: | + if (ctx.sophos?.xg?.responsetime != null && ctx.sophos.xg.responsetime > 0) { + ctx.event.duration = ctx.sophos.xg.responsetime * 1000; + } + #################################### ## ECS Server/Destination Mapping ## #################################### 
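Review bot: The painless script assigns `ctx.event.duration` without checking that `ctx.event` exists, so a document where no earlier processor created the `event` object would fail the script and fall into the pipeline's `on_failure` handler. If `event` is always populated upstream this is fine, but that is not visible here; adding `if (ctx.event == null) { ctx.event = [:]; }` before the assignment makes the script self-contained. The `> 0` test also skips a zero response time, which may be intended since `event.duration` of 0 carries little information, but a short comment saying so would help.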
@@ -135,109 +150,6 @@ processors: ignore_missing: true if: "ctx.sophos?.xg?.useragent != null" -############################# -## ECS Network/Geo Mapping ## -############################# -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - 
ignore_failure: true -- script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" - ignore_failure: true - -######################### -## ECS Related Mapping ## -######################### -- append: - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false - if: 'ctx?.source?.ip != null' -- append: - field: related.ip - value: '{{destination.ip}}' - allow_duplicates: false - if: 'ctx?.destination?.ip != null' -- append: - field: related.user - value: "{{source.user.name}}" - allow_duplicates: false - if: "ctx.source?.user?.name != null" - ############# ## Cleanup ## ############# @@ -254,6 +166,7 @@ processors: - sophos.xg.bytesrcv - sophos.xg.bytessent - sophos.xg.httpstatus + - sophos.xg.responsetime ignore_missing: true on_failure: - set: diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml index ccc3a156449..9dbbeb06c09 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for parsing sophos firewall logs (wifi pipeline) +description: Pipeline for parsing Sophos XG firewall logs (wireless protection pipeline). processors: ####################### ## ECS Event Mapping ## @@ -10,7 +10,13 @@ processors: - set: field: event.outcome value: success - if: 'ctx?.sophos?.xg?.log_type == "Wireless Protection"' +- convert: + field: sophos.xg.clients_conn_ssid + type: long + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.clients_conn_ssid ############# ## Cleanup ## diff --git a/packages/sophos/data_stream/xg/fields/agent.yml b/packages/sophos/data_stream/xg/fields/agent.yml index e313ec82874..98998ae5498 100644 --- a/packages/sophos/data_stream/xg/fields/agent.yml 
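Review bot: In the wifi.yml @@ -10 hunk the `set` of `event.outcome: success` loses its `log_type == "Wireless Protection"` condition and now applies to every document that reaches this pipeline. That is correct only if the dispatching pipeline already guarantees the log type, which is not visible here and should be confirmed. A one-line comment, `# every event routed here is a Wireless Protection log`, would record the assumption.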
+++ b/packages/sophos/data_stream/xg/fields/agent.yml @@ -202,3 +202,6 @@ - name: log.offset type: long description: Log offset +- name: log.source.address + type: keyword + ignore_above: 1024 diff --git a/packages/sophos/data_stream/xg/fields/ecs.yml b/packages/sophos/data_stream/xg/fields/ecs.yml index f950a9f86bd..f9c51c79c9e 100644 --- a/packages/sophos/data_stream/xg/fields/ecs.yml +++ b/packages/sophos/data_stream/xg/fields/ecs.yml @@ -1,52 +1,11 @@ -- external: ecs - name: client.as.number -- external: ecs - name: client.as.organization.name -- external: ecs - name: client.bytes -- external: ecs - name: client.domain -- external: ecs - name: client.geo.city_name -- external: ecs - name: client.geo.continent_name -- external: ecs - name: client.geo.country_iso_code -- external: ecs - name: client.geo.country_name -- description: Longitude and latitude. - name: client.geo.location - type: geo_point -- external: ecs - name: client.geo.name -- external: ecs - name: client.geo.region_iso_code -- external: ecs - name: client.geo.region_name -- external: ecs - name: client.ip -- external: ecs - name: client.mac -- external: ecs - name: client.nat.ip -- external: ecs - name: client.nat.port -- external: ecs - name: client.packets -- external: ecs - name: client.port -- external: ecs - name: client.user.email -- external: ecs - name: client.user.group.name -- external: ecs - name: client.user.name - external: ecs name: destination.as.number - external: ecs name: destination.as.organization.name - external: ecs name: destination.bytes +- external: ecs + name: destination.domain - external: ecs name: destination.geo.city_name - external: ecs @@ -106,6 +65,8 @@ name: event.outcome - external: ecs name: event.provider +- external: ecs + name: event.reason - external: ecs name: event.sequence - external: ecs 
@@ -152,6 +113,8 @@ name: message - external: ecs name: network.bytes +- external: ecs + name: network.community_id - external: ecs name: network.direction - external: ecs @@ -164,6 +127,8 @@ name: observer.egress.interface.name - external: ecs name: observer.egress.zone +- external: ecs + name: observer.hostname - external: ecs name: observer.ingress.interface.name - external: ecs @@ -176,8 +141,6 @@ name: observer.type - external: ecs name: observer.vendor -- external: ecs - name: observer.hostname - external: ecs name: related.hash - external: ecs @@ -194,43 +157,6 @@ name: rule.name - external: ecs name: rule.ruleset -- external: ecs - name: server.as.number -- external: ecs - name: server.as.organization.name -- external: ecs - name: server.bytes -- external: ecs - name: server.geo.city_name -- external: ecs - name: server.geo.continent_name -- external: ecs - name: server.geo.country_iso_code -- external: ecs - name: server.geo.country_name -- description: Longitude and latitude. - name: server.geo.location - type: geo_point -- external: ecs - name: server.geo.name -- external: ecs - name: server.geo.region_iso_code -- external: ecs - name: server.geo.region_name -- external: ecs - name: server.ip -- external: ecs - name: server.mac -- external: ecs - name: server.nat.ip -- external: ecs - name: server.nat.port -- external: ecs - name: server.packets -- external: ecs - name: server.port -- external: ecs - name: server.user.email - external: ecs name: source.as.number - external: ecs diff --git a/packages/sophos/data_stream/xg/fields/fields.yml b/packages/sophos/data_stream/xg/fields/fields.yml index 72f84fd9dbb..6dd56deeab8 100644 --- a/packages/sophos/data_stream/xg/fields/fields.yml +++ b/packages/sophos/data_stream/xg/fields/fields.yml 
@@ -4,102 +4,62 @@ - name: xg type: group fields: - - name: device - type: keyword - description: | - device - - name: date - type: date - description: | - Date (yyyy-mm-dd) when the event occurred - - name: timezone - type: keyword - description: | - Time (hh:mm:ss) when the event occurred - - name: device_name + - name: action type: keyword description: | - Model number of the device - - name: device_model + Event Action + - name: activityname type: keyword description: | - Model number of the device - - name: device_id + Web policy activity that matched and caused the policy result. + - name: ap type: keyword description: | - Serial number of the device - - name: log_id + Access Point Serial ID or LocalWifi0 or LocalWifi1. + - name: app_category type: keyword description: | - Unique 12 characters code (0101011) - - name: log_type + Name of the category under which application falls + - name: app_filter_policy_id type: keyword description: | - Type of event e.g. firewall event - - name: log_component + Application filter policy ID applied on the traffic + - name: app_is_cloud type: keyword description: | - Component responsible for logging e.g. 
Firewall rule - - name: log_subtype + Application is Cloud + - name: app_name type: keyword description: | - Sub type of event - - name: hb_health + Application name + - name: app_resolved_by type: keyword description: | - Heartbeat status - - name: priority + Application is resolved by signature or synchronized application + - name: app_risk type: keyword description: | - Severity level of traffic - - name: status + Risk level assigned to the application + - name: app_technology type: keyword description: | - Ultimate status of traffic – Allowed or Denied - - name: duration - type: long - description: | - Durability of traffic (seconds) - - name: fw_rule_id + Technology of the application + - name: appfilter_policy_id type: integer description: | - Firewall Rule ID which is applied on the traffic - - name: user_name - type: keyword - description: | - user_name - - name: syslog_server_name - type: keyword - description: | - Syslog server name - - name: user_group - type: keyword - description: | - Group name to which the user belongs - - name: iap + Application Filter policy applied on the traffic + - name: application type: keyword description: | - Internet Access policy ID applied on the traffic - - name: ips_policy_id - type: integer - description: | - IPS policy ID applied on the traffic - - name: policy_type + Application name + - name: application_category type: keyword description: | - Policy type applied to the traffic - - name: appfilter_policy_id - type: integer - description: | - Application Filter policy applied on the traffic + Application is resolved by signature or synchronized application - name: application_filter_policy type: integer description: | Application Filter policy applied on the traffic - - name: application - type: keyword - description: | - Application name - name: application_name type: keyword description: | 
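Review bot: On the new side of the @@ -4 hunk the `application_category` field keeps the description "Application is resolved by signature or synchronized application", which is the text of `app_resolved_by` and does not describe a category; the reorder would be a natural place to fix it with `Category under which the application falls`. Similarly `application` and `app_name` both read "Application name" with nothing to distinguish them. The hunk is a reordering, so these are pre-existing, but they now read as reviewed text.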
@@ -112,734 +72,759 @@ type: keyword description: | Technology of the application - - name: application_category - type: keyword - description: | - Application is resolved by signature or synchronized application - name: appresolvedby type: keyword description: | Technology of the application - - name: app_is_cloud + - name: auth_client type: keyword description: | - Application is Cloud - - name: in_interface + Auth Client + - name: auth_mechanism type: keyword description: | - Interface for incoming traffic, e.g., Port A - - name: out_interface + Auth mechanism + - name: av_policy_name type: keyword description: | - Interface for outgoing traffic, e.g., Port B - - name: src_ip - type: ip - description: | - Original source IP address of traffic - - name: src_mac + Malware scanning policy name which is applied on the traffic + - name: backup_mode type: keyword description: | - Original source MAC address of traffic - - name: src_country_code + Backup mode + - name: branch_name type: keyword description: | - Code of the country to which the source IP belongs - - name: dst_ip - type: ip - description: | - Original destination IP address of traffic - - name: dst_country_code + Branch Name + - name: category type: keyword description: | - Code of the country to which the destination IP belongs - - name: protocol + IPS signature category. 
+ - name: category_type type: keyword description: | - Protocol number of traffic - - name: src_port - type: integer - description: | - Original source port of TCP and UDP traffic - - name: dst_port - type: integer - description: | - Original destination port of TCP and UDP traffic - - name: icmp_type + Type of category under which website falls + - name: classification type: keyword description: | - ICMP type of ICMP traffic - - name: icmp_code + Signature classification + - name: client_host_name type: keyword description: | - ICMP code of ICMP traffic - - name: sent_pkts - type: long - description: | - Total number of packets sent - - name: received_pkts - type: long + Client host name + - name: client_physical_address + type: keyword description: | - Total number of packets received - - name: sent_bytes + Client physical address + - name: clients_conn_ssid type: long description: | - Total number of bytes sent - - name: recv_bytes + Number of client connected to the SSID. + - name: collisions type: long description: | - Total number of bytes received - - name: trans_src_ ip - type: ip - description: | - Translated source IP address for outgoing traffic - - name: trans_src_port - type: integer - description: | - Translated source port for outgoing traffic - - name: trans_dst_ip - type: ip - description: | - Translated destination IP address for outgoing traffic - - name: trans_dst_port - type: integer - description: | - Translated destination port for outgoing traffic - - name: dir_disp - type: keyword - description: | - TPacket direction. 
Possible values:“org”, “reply”, “” - - name: connevent + collisions + - name: con_event type: keyword description: | - Event on which this log is generated - - name: conn_id + Event Start/Stop + - name: con_id type: integer description: | Unique identifier of connection - - name: vconn_id - type: integer + - name: configuration + type: float description: | - Connection ID of the master connection - - name: idp_policy_id + Configuration + - name: conn_id type: integer description: | - IPS policy ID which is applied on the traffic - - name: idp_policy_name - type: keyword - description: | - IPS policy name i.e. IPS policy name which is applied on the traffic - - name: signature_id + Unique identifier of connection + - name: connectionname type: keyword description: | - Signature ID - - name: signature_msg + Connectionname + - name: connectiontype type: keyword description: | - Signature messsage - - name: classification + Connectiontype + - name: connevent type: keyword description: | - Signature classification - - name: rule_priority + Event on which this log is generated + - name: connid type: keyword description: | - Priority of IPS policy - - name: platform + Connection ID + - name: content_type type: keyword description: | - Platform of the traffic. - - name: category + Type of the content + - name: contenttype type: keyword description: | - IPS signature category. - - name: target + Type of the content + - name: context_match type: keyword description: | - Platform of the traffic. 
- - name: eventid + Context Match + - name: context_prefix type: keyword description: | - ATP Evenet ID - - name: ep_uuid + Content Prefix + - name: context_suffix type: keyword description: | - Endpoint UUID - - name: threatname + Context Suffix + - name: cookie type: keyword description: | - ATP threatname - - name: sourceip - type: ip + cookie + - name: date + type: date description: | - Original source IP address of traffic + Date (yyyy-mm-dd) when the event occurred - name: destinationip type: ip description: | Original destination IP address of traffic - - name: login_user + - name: device type: keyword description: | - ATP login user - - name: eventtype + device + - name: device_id type: keyword description: | - ATP event type - - name: execution_path + Serial number of the device + - name: device_model type: keyword description: | - ATP execution path - - name: av_policy_name + Model number of the device + - name: device_name type: keyword description: | - Malware scanning policy name which is applied on the traffic - - name: from_email_address + Model number of the device + - name: dictionary_name type: keyword description: | - Sender email address - - name: to_email_address + Dictionary Name + - name: dir_disp type: keyword description: | - Receipeint email address - - name: subject + TPacket direction. 
Possible values:“org”, “reply”, “” + - name: direction type: keyword description: | - Email subject - - name: mailsize - type: integer + Direction + - name: domainname + type: keyword description: | - mailsize - - name: virus + Domain from which virus was downloaded + - name: download_file_name type: keyword description: | - virus name - - name: FTP_url + Download file name + - name: download_file_type type: keyword description: | - FTP URL from which virus was downloaded - - name: FTP_direction + Download file type + - name: dst_country_code type: keyword description: | - Direction of FTP transfer: Upload or Download - - name: filesize + Code of the country to which the destination IP belongs + - name: dst_domainname + type: keyword + description: | + Receiver domain name + - name: dst_ip + type: ip + description: | + Original destination IP address of traffic + - name: dst_port type: integer description: | - Size of the file that contained virus - - name: filepath + Original destination port of TCP and UDP traffic + - name: dst_zone_type type: keyword description: | - Path of the file containing virus - - name: filename + Type of destination zone + - name: dstdomain type: keyword description: | - File name associated with the event - - name: ftpcommand - type: keyword + Destination Domain + - name: duration + type: long description: | - FTP command used when virus was found - - name: url + Durability of traffic (seconds) + - name: email_subject type: keyword description: | - URL from which virus was downloaded - - name: domainname + Email Subject + - name: ep_uuid type: keyword description: | - Domain from which virus was downloaded - - name: quarantine + Endpoint UUID + - name: ether_type type: keyword description: | - Path and filename of the file quarantined - - name: src_domainname + ethernet frame type + - name: eventid type: keyword description: | - Sender domain name - - name: dst_domainname + ATP Evenet ID + - name: eventtime + type: date + description: | 
+ Event time + - name: eventtype type: keyword description: | - Receiver domain name - - name: reason + ATP event type + - name: exceptions type: keyword description: | - Reason why the record was detected as spam/malicious - - name: referer + List of the checks excluded by web exceptions. + - name: execution_path type: keyword description: | - Referer - - name: spamaction + ATP execution path + - name: extra type: keyword description: | - Spam Action - - name: mailid + extra + - name: file_name type: keyword description: | - mailid - - name: quarantine_reason + Filename + - name: file_path type: keyword description: | - Quarantine reason - - name: status_code + File path + - name: file_size + type: integer + description: | + File Size + - name: filename type: keyword description: | - Status code - - name: override_token + File name associated with the event + - name: filepath type: keyword description: | - Override token - - name: con_id + Path of the file containing virus + - name: filesize type: integer description: | - Unique identifier of connection - - name: override_authorizer + Size of the file that contained virus + - name: free + type: integer + description: | + free + - name: from_email_address type: keyword description: | - Override authorizer - - name: transactionid + Sender email address + - name: ftp_direction type: keyword description: | - Transaction ID of the AV scan. 
- - name: upload_file_type + Direction of FTP transfer: Upload or Download + - name: ftp_url type: keyword description: | - Upload file type - - name: upload_file_name + FTP URL from which virus was downloaded + - name: ftpcommand type: keyword description: | - Upload file name - - name: httpresponsecode - type: long + FTP command used when virus was found + - name: fw_rule_id + type: integer description: | - code of HTTP response - - name: user_gp + Firewall Rule ID which is applied on the traffic + - name: fw_rule_type type: keyword description: | - Group name to which the user belongs. - - name: category_type + Firewall rule type which is applied on the traffic + - name: hb_health type: keyword description: | - Type of category under which website falls - - name: download_file_type + Heartbeat status + - name: hb_status type: keyword description: | - Download file type - - name: exceptions + Heartbeat status + - name: host type: keyword description: | - List of the checks excluded by web exceptions. - - name: contenttype + Host + - name: http_category type: keyword description: | - Type of the content - - name: override_name + HTTP Category + - name: http_category_type type: keyword description: | - Override name - - name: activityname - type: keyword + HTTP Category Type + - name: httpresponsecode + type: long description: | - Web policy activity that matched and caused the policy result. 
- - name: download_file_name + code of HTTP response + - name: iap type: keyword description: | - Download file name - - name: sha1sum + Internet Access policy ID applied on the traffic + - name: icmp_code type: keyword description: | - SHA1 checksum of the item being analyzed - - name: message_id + ICMP code of ICMP traffic + - name: icmp_type type: keyword description: | - Message ID - - name: connid - type: keyword + ICMP type of ICMP traffic + - name: idle_cpu + type: float description: | - Connection ID - - name: message + idle ## + - name: idp_policy_id + type: integer + description: | + IPS policy ID which is applied on the traffic + - name: idp_policy_name type: keyword description: | - Message - - name: email_subject + IPS policy name i.e. IPS policy name which is applied on the traffic + - name: in_interface type: keyword description: | - Email Subject - - name: file_path + Interface for incoming traffic, e.g., Port A + - name: interface type: keyword description: | - File path - - name: dstdomain + interface + - name: ipaddress type: keyword description: | - Destination Domain - - name: file_size + Ipaddress + - name: ips_policy_id type: integer description: | - File Size - - name: transaction_id - type: keyword - description: | - Transaction ID - - name: website + IPS policy ID applied on the traffic + - name: lease_time type: keyword description: | - Website - - name: file_name + Lease Time + - name: localgateway type: keyword description: | - Filename - - name: context_prefix + Localgateway + - name: localnetwork type: keyword description: | - Content Prefix - - name: site_category + Localnetwork + - name: log_component type: keyword description: | - Site Category - - name: context_suffix + Component responsible for logging e.g. 
Firewall rule + - name: log_id type: keyword description: | - Context Suffix - - name: dictionary_name + Unique 12 characters code (0101011) + - name: log_subtype type: keyword description: | - Dictionary Name - - name: action + Sub type of event + - name: log_type type: keyword description: | - Event Action - - name: user + Type of event e.g. firewall event + - name: log_version type: keyword description: | - User - - name: context_match + Log Version + - name: login_user type: keyword description: | - Context Match - - name: direction + ATP login user + - name: mailid type: keyword description: | - Direction - - name: auth_client - type: keyword - description: | - Auth Client - - name: auth_mechanism - type: keyword - description: | - Auth mechanism - - name: connectionname - type: keyword + mailid + - name: mailsize + type: integer description: | - Connectionname - - name: remotenetwork + mailsize + - name: message type: keyword description: | - remotenetwork - - name: localgateway + Message + - name: mode type: keyword description: | - Localgateway - - name: localnetwork + Mode + - name: nat_rule_id type: keyword description: | - Localnetwork - - name: connectiontype + NAT Rule ID + - name: newversion type: keyword description: | - Connectiontype + Newversion - name: oldversion type: keyword description: | Oldversion - - name: newversion - type: keyword - description: | - Newversion - - name: ipaddress + - name: out_interface type: keyword description: | - Ipaddress - - name: client_physical_address + Interface for outgoing traffic, e.g., Port B + - name: override_authorizer type: keyword description: | - Client physical address - - name: client_host_name + Override authorizer + - name: override_name type: keyword description: | - Client host name - - name: raw_data + Override name + - name: override_token type: keyword description: | - Raw data - - name: Mode + Override token + - name: phpsessid type: keyword description: | - Mode - - name: sessionid + PHP 
session ID + - name: platform type: keyword description: | - Sessionid - - name: starttime - type: date - description: | - Starttime - - name: remote_ip - type: ip - description: | - Remote IP - - name: timestamp - type: date - description: | - timestamp - - name: SysLog_SERVER_NAME + Platform of the traffic. + - name: policy_type type: keyword description: | - SysLog SERVER NAME - - name: backup_mode + Policy type applied to the traffic + - name: priority type: keyword description: | - Backup mode - - name: source + Severity level of traffic + - name: protocol type: keyword description: | - Source - - name: server + Protocol number of traffic + - name: qualifier type: keyword description: | - Server - - name: host + Qualifier + - name: quarantine type: keyword description: | - Host - - name: responsetime - type: long - description: | - Responsetime - - name: cookie + Path and filename of the file quarantined + - name: quarantine_reason type: keyword description: | - cookie + Quarantine reason - name: querystring type: keyword description: | querystring - - name: extra + - name: raw_data type: keyword description: | - extra - - name: PHPSESSID + Raw data + - name: received_pkts + type: long + description: | + Total number of packets received + - name: receiveddrops + type: long + description: | + received drops + - name: receivederrors type: keyword description: | - PHPSESSID - - name: start_time - type: date + received errors + - name: receivedkbits + type: long description: | - Start time - - name: eventtime - type: date + received kbits + - name: recv_bytes + type: long description: | - Event time + Total number of bytes received - name: red_id type: keyword description: | RED ID - - name: branch_name + - name: referer type: keyword description: | - Branch Name - - name: updatedip + Referer + - name: remote_ip type: ip description: | - updatedip - - name: idle_cpu - type: float - description: | - idle ## - - name: system_cpu - type: float - description: | - 
system - - name: user_cpu - type: float - description: | - system - - name: used - type: integer - description: | - used - - name: unit + Remote IP + - name: remotenetwork type: keyword description: | - unit - - name: total_memory - type: integer - description: | - Total Memory - - name: free - type: integer - description: | - free - - name: transmittederrors + remotenetwork + - name: reported_host type: keyword description: | - transmitted errors - - name: receivederrors + Reported Host + - name: reported_ip type: keyword description: | - received errors - - name: receivedkbits - type: long - description: | - received kbits - - name: transmittedkbits - type: long + Reported IP + - name: reports + type: float description: | - transmitted kbits - - name: transmitteddrops - type: long + Reports + - name: rule_priority + type: keyword description: | - transmitted drops - - name: receiveddrops + Priority of IPS policy + - name: sent_bytes type: long description: | - received drops - - name: collisions + Total number of bytes sent + - name: sent_pkts type: long description: | - collisions - - name: interface + Total number of packets sent + - name: server type: keyword description: | - interface - - name: Configuration - type: float + Server + - name: sessionid + type: keyword description: | - Configuration - - name: Reports - type: float + Sessionid + - name: sha1sum + type: keyword description: | - Reports - - name: Signature + SHA1 checksum of the item being analyzed + - name: signature type: float description: | Signature - - name: Temp - type: float + - name: signature_id + type: keyword description: | - Temp - - name: users + Signature ID + - name: signature_msg type: keyword description: | - users - - name: ssid + Signature messsage + - name: site_category type: keyword description: | - ssid - - name: ap + Site Category + - name: source type: keyword description: | - ap - - name: clients_conn_ssid + Source + - name: sourceip + type: ip + description: | + Original 
source IP address of traffic + - name: spamaction type: keyword description: | - clients connection ssid + Spam Action - name: sqli type: keyword description: | related SQLI caught by the WAF - - name: xss + - name: src_country_code type: keyword description: | - related XSS caught by the WAF - - name: ether_type + Code of the country to which the source IP belongs + - name: src_domainname type: keyword description: | - ethernet frame type - - name: app_category + Sender domain name + - name: src_ip + type: ip + description: | + Original source IP address of traffic + - name: src_mac type: keyword description: | - Name of the category under which application falls - - name: app_name + Original source MAC address of traffic + - name: src_port + type: integer + description: | + Original source port of TCP and UDP traffic + - name: src_zone_type + type: keyword + description: |- + Type of source zone + - name: ssid type: keyword description: | - Application name - - name: app_filter_policy_id + Configured SSID name. + - name: start_time + type: date + description: | + Start time + - name: starttime + type: date + description: | + Starttime + - name: status type: keyword description: | - Application filter policy ID applied on the traffic - - name: app_resolved_by + Ultimate status of traffic – Allowed or Denied + - name: status_code type: keyword description: | - Application is resolved by signature or synchronized application - - name: app_risk + Status code + - name: subject type: keyword description: | - Risk level assigned to the application - - name: app_technology + Email subject + - name: syslog_server_name type: keyword description: | - Technology of the application - - name: con_event + Syslog server name + - name: syslog_server_name type: keyword description: | - Event Start/Stop - - name: fw_rule_type + Syslog server name. 
+ - name: system_cpu + type: float + description: | + system + - name: target type: keyword description: | - Firewall rule type which is applied on the traffic - - name: hb_status + Platform of the traffic. + - name: temp + type: float + description: | + Temp + - name: threatname type: keyword description: | - Heartbeat status - - name: log_version + ATP threatname + - name: timestamp + type: date + description: | + timestamp + - name: timezone type: keyword description: | - Log Version - - name: nat_rule_id + Time (hh:mm:ss) when the event occurred + - name: to_email_address type: keyword description: | - NAT Rule ID - - name: qualifier + Receipeint email address + - name: total_memory + type: integer + description: | + Total Memory + - name: trans_dst_ip + type: ip + description: | + Translated destination IP address for outgoing traffic + - name: trans_dst_port + type: integer + description: | + Translated destination port for outgoing traffic + - name: trans_src_ip + type: ip + description: | + Translated source IP address for outgoing traffic + - name: trans_src_port + type: integer + description: | + Translated source port for outgoing traffic + - name: transaction_id type: keyword description: | - Qualifier - - name: web_policy_id + Transaction ID + - name: transactionid type: keyword description: | - Web policy ID - - name: content_type + Transaction ID of the AV scan. 
+ - name: transmitteddrops + type: long + description: | + transmitted drops + - name: transmittederrors type: keyword description: | - Type of the content - - name: http_category + transmitted errors + - name: transmittedkbits + type: long + description: | + transmitted kbits + - name: unit type: keyword description: | - HTTP Category - - name: http_category_type + unit + - name: updatedip + type: ip + description: | + updatedip + - name: upload_file_name type: keyword description: | - HTTP Category Type + Upload file name + - name: upload_file_type + type: keyword + description: | + Upload file type + - name: url + type: keyword + description: | + URL from which virus was downloaded + - name: used + type: integer + description: | + used - name: used_quota type: keyword description: | Used Quota - - name: lease_time + - name: user type: keyword description: | - Lease Time - - name: reported_host + User + - name: user_cpu + type: float + description: | + system + - name: user_gp type: keyword description: | - Reported Host - - name: reported_ip + Group name to which the user belongs. + - name: user_group type: keyword description: | - Reported IP - - name: dst_zone_type + Group name to which the user belongs + - name: user_name type: keyword description: | - Type of destination zone - - name: src_zone_type + user_name + - name: users + type: long + description: | + Number of users from System Health / Live User events. + - name: vconn_id + type: integer + description: | + Connection ID of the master connection + - name: virus type: keyword description: | - Type of source zone -- name: log.source.address - type: keyword - ignore_above: 1024 + virus name + - name: web_policy_id + type: keyword + description: | + Web policy ID + - name: website + type: keyword + description: | + Website + - name: xss + type: keyword + description: | + related XSS caught by the WAF 
diff --git a/packages/sophos/data_stream/xg/sample_event.json b/packages/sophos/data_stream/xg/sample_event.json index e81cd07991f..8d4524e509b 100644 --- a/packages/sophos/data_stream/xg/sample_event.json +++ b/packages/sophos/data_stream/xg/sample_event.json @@ -1,14 +1,11 @@ { "@timestamp": "2016-12-02T18:50:20.000Z", "agent": { - "ephemeral_id": "f43c7a66-9b0a-475c-89c5-16218fb4d7b5", - "id": "9a015053-a5c0-4959-99ab-2b6556a2a396", + "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc", + "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" - }, - "client": { - "ip": "10.108.108.49" + "version": "8.1.2" }, "data_stream": { "dataset": "sophos.xg", @@ -19,9 +16,9 @@ "version": "8.0.0" }, "elastic_agent": { - "id": "9a015053-a5c0-4959-99ab-2b6556a2a396", - "snapshot": true, - "version": "8.0.0" + "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", + "snapshot": false, + "version": "8.1.2" }, "event": { "action": "alert", @@ -29,9 +26,9 @@ "category": [ "network" ], - "code": "058420116010", + "code": "16010", "dataset": "sophos.xg", - "ingested": "2022-01-25T18:07:40Z", + "ingested": "2022-04-20T20:13:02Z", "kind": "event", "outcome": "success", "severity": 1, @@ -46,7 +43,7 @@ "log": { "level": "alert", "source": { - "address": "172.25.0.7:50257" + "address": "172.31.0.8:48162" } }, "observer": { @@ -75,9 +72,9 @@ "direction": "in", "file_name": "cgi_echo.pl", "log_component": "Web Content Policy", + "log_id": "058420116010", "log_subtype": "Alert", "log_type": "Content Filtering", - "message_id": "16010", "site_category": "Information Technology", "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", "user": "gi123456", diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md index 88e9b8e8b44..f3b0b7798f0 100644 --- a/packages/sophos/docs/README.md +++ b/packages/sophos/docs/README.md 
@@ -9,7 +9,7 @@ Currently it accepts logs in syslog format or from a file for the following devi To configure a remote syslog destination, please reference the [SophosXG/SFOS Documentation](https://community.sophos.com/kb/en-us/123184). -The syslog format choosen should be `Default`. +The syslog format chosen should be `Default`. ## Compatibility @@ -840,7 +840,9 @@ The `utm` dataset collects Astaro Security Gateway logs. ### XG log -This is the Sophos `xg` dataset. +This is the Sophos `xg` dataset. Reference information about the log formats +can be found in the [Sophos syslog guide]( +https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf). An example event for `xg` looks as following: @@ -848,14 +850,11 @@ An example event for `xg` looks as following: { "@timestamp": "2016-12-02T18:50:20.000Z", "agent": { - "ephemeral_id": "f43c7a66-9b0a-475c-89c5-16218fb4d7b5", - "id": "9a015053-a5c0-4959-99ab-2b6556a2a396", + "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc", + "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" - }, - "client": { - "ip": "10.108.108.49" + "version": "8.1.2" }, "data_stream": { "dataset": "sophos.xg", @@ -866,9 +865,9 @@ An example event for `xg` looks as following: "version": "8.0.0" }, "elastic_agent": { - "id": "9a015053-a5c0-4959-99ab-2b6556a2a396", - "snapshot": true, - "version": "8.0.0" + "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", + "snapshot": false, + "version": "8.1.2" }, "event": { "action": "alert", @@ -876,9 +875,9 @@ An example event for `xg` looks as following: "category": [ "network" ], - "code": "058420116010", + "code": "16010", "dataset": "sophos.xg", - "ingested": "2022-01-25T18:07:40Z", + "ingested": "2022-04-20T20:13:02Z", "kind": "event", "outcome": "success", "severity": 1, 
@@ -893,7 +892,7 @@ An example event for `xg` looks as following: "log": { "level": "alert", "source": { - "address": "172.25.0.7:50257" + "address": "172.31.0.8:48162" } }, "observer": { @@ -922,9 +921,9 @@ An example event for `xg` looks as following: "direction": "in", "file_name": "cgi_echo.pl", "log_component": "Web Content Policy", + "log_id": "058420116010", "log_subtype": "Alert", "log_type": "Content Filtering", - "message_id": "16010", "site_category": "Information Technology", "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", "user": "gi123456", 
@@ -946,29 +945,6 @@ An example event for `xg` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. 
| ip | -| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | -| client.packets | Packets sent from the client to the server. | long | -| client.port | Port of the client. | long | -| client.user.email | User email address. | keyword | -| client.user.group.name | Name of the group. | keyword | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | @@ -989,6 +965,7 @@ An example event for `xg` looks as following: | destination.as.organization.name | Organization name. | keyword | | destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | | destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | 
@@ -1020,6 +997,7 @@ An example event for `xg` looks as following: | event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. 
Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.start | event.start contains the date when the event started or when the activity was first observed. | date | 
@@ -1063,6 +1041,7 @@ An example event for `xg` looks as following: | log.source.address | | keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
The field value must be normalized to lowercase for querying. | keyword | 
@@ -1084,37 +1063,9 @@ An example event for `xg` looks as following: | rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | | rule.name | The name of the rule or signature generating the event. | keyword | | rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| server.as.organization.name | Organization name. | keyword | -| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.geo.city_name | City name. | keyword | -| server.geo.continent_name | Name of the continent. | keyword | -| server.geo.country_iso_code | Country ISO code. | keyword | -| server.geo.country_name | Country name. | keyword | -| server.geo.location | Longitude and latitude. | geo_point | -| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| server.geo.region_iso_code | Region ISO code. | keyword | -| server.geo.region_name | Region name. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | -| server.packets | Packets sent from the server to the client. | long | -| server.port | Port of the server. | long | -| server.user.email | User email address. | keyword | -| sophos.xg.Configuration | Configuration | float | -| sophos.xg.FTP_direction | Direction of FTP transfer: Upload or Download | keyword | -| sophos.xg.FTP_url | FTP URL from which virus was downloaded | keyword | -| sophos.xg.Mode | Mode | keyword | -| sophos.xg.PHPSESSID | PHPSESSID | keyword | -| sophos.xg.Reports | Reports | float | -| sophos.xg.Signature | Signature | float | -| sophos.xg.SysLog_SERVER_NAME | SysLog SERVER NAME | keyword | -| sophos.xg.Temp | Temp | float | | sophos.xg.action | Event Action | keyword | | sophos.xg.activityname | Web policy activity that matched and caused the policy result. | keyword | -| sophos.xg.ap | ap | keyword | +| sophos.xg.ap | Access Point Serial ID or LocalWifi0 or LocalWifi1. | keyword | | sophos.xg.app_category | Name of the category under which application falls | keyword | | sophos.xg.app_filter_policy_id | Application filter policy ID applied on the traffic | keyword | | sophos.xg.app_is_cloud | Application is Cloud | keyword | 
@@ -1140,10 +1091,11 @@ An example event for `xg` looks as following: | sophos.xg.classification | Signature classification | keyword | | sophos.xg.client_host_name | Client host name | keyword | | sophos.xg.client_physical_address | Client physical address | keyword | -| sophos.xg.clients_conn_ssid | clients connection ssid | keyword | +| sophos.xg.clients_conn_ssid | Number of client connected to the SSID. | long | | sophos.xg.collisions | collisions | long | | sophos.xg.con_event | Event Start/Stop | keyword | | sophos.xg.con_id | Unique identifier of connection | integer | +| sophos.xg.configuration | Configuration | float | | sophos.xg.conn_id | Unique identifier of connection | integer | | sophos.xg.connectionname | Connectionname | keyword | | sophos.xg.connectiontype | Connectiontype | keyword | @@ -1191,6 +1143,8 @@ An example event for `xg` looks as following: | sophos.xg.filesize | Size of the file that contained virus | integer | | sophos.xg.free | free | integer | | sophos.xg.from_email_address | Sender email address | keyword | +| sophos.xg.ftp_direction | Direction of FTP transfer: Upload or Download | keyword | +| sophos.xg.ftp_url | FTP URL from which virus was downloaded | keyword | | sophos.xg.ftpcommand | FTP command used when virus was found | keyword | | sophos.xg.fw_rule_id | Firewall Rule ID which is applied on the traffic | integer | | sophos.xg.fw_rule_type | Firewall rule type which is applied on the traffic | keyword | @@ -1222,7 +1176,7 @@ An example event for `xg` looks as following: | sophos.xg.mailid | mailid | keyword | | sophos.xg.mailsize | mailsize | integer | | sophos.xg.message | Message | keyword | -| sophos.xg.message_id | Message ID | keyword | +| sophos.xg.mode | Mode | keyword | | sophos.xg.nat_rule_id | NAT Rule ID | keyword | | sophos.xg.newversion | Newversion | keyword | | sophos.xg.oldversion | Oldversion | keyword | 
@@ -1230,6 +1184,7 @@ An example event for `xg` looks as following: | sophos.xg.override_authorizer | Override authorizer | keyword | | sophos.xg.override_name | Override name | keyword | | sophos.xg.override_token | Override token | keyword | +| sophos.xg.phpsessid | PHP session ID | keyword | | sophos.xg.platform | Platform of the traffic. | keyword | | sophos.xg.policy_type | Policy type applied to the traffic | keyword | | sophos.xg.priority | Severity level of traffic | keyword | @@ -1239,7 +1194,6 @@ An example event for `xg` looks as following: | sophos.xg.quarantine_reason | Quarantine reason | keyword | | sophos.xg.querystring | querystring | keyword | | sophos.xg.raw_data | Raw data | keyword | -| sophos.xg.reason | Reason why the record was detected as spam/malicious | keyword | | sophos.xg.received_pkts | Total number of packets received | long | | sophos.xg.receiveddrops | received drops | long | | sophos.xg.receivederrors | received errors | keyword | @@ -1251,13 +1205,14 @@ An example event for `xg` looks as following: | sophos.xg.remotenetwork | remotenetwork | keyword | | sophos.xg.reported_host | Reported Host | keyword | | sophos.xg.reported_ip | Reported IP | keyword | -| sophos.xg.responsetime | Responsetime | long | +| sophos.xg.reports | Reports | float | | sophos.xg.rule_priority | Priority of IPS policy | keyword | | sophos.xg.sent_bytes | Total number of bytes sent | long | | sophos.xg.sent_pkts | Total number of packets sent | long | | sophos.xg.server | Server | keyword | | sophos.xg.sessionid | Sessionid | keyword | | sophos.xg.sha1sum | SHA1 checksum of the item being analyzed | keyword | +| sophos.xg.signature | Signature | float | | sophos.xg.signature_id | Signature ID | keyword | | sophos.xg.signature_msg | Signature messsage | keyword | | sophos.xg.site_category | Site Category | keyword | 
@@ -1271,15 +1226,16 @@ An example event for `xg` looks as following: | sophos.xg.src_mac | Original source MAC address of traffic | keyword | | sophos.xg.src_port | Original source port of TCP and UDP traffic | integer | | sophos.xg.src_zone_type | Type of source zone | keyword | -| sophos.xg.ssid | ssid | keyword | +| sophos.xg.ssid | Configured SSID name. | keyword | | sophos.xg.start_time | Start time | date | | sophos.xg.starttime | Starttime | date | | sophos.xg.status | Ultimate status of traffic – Allowed or Denied | keyword | | sophos.xg.status_code | Status code | keyword | | sophos.xg.subject | Email subject | keyword | -| sophos.xg.syslog_server_name | Syslog server name | keyword | +| sophos.xg.syslog_server_name | Syslog server name. | keyword | | sophos.xg.system_cpu | system | float | | sophos.xg.target | Platform of the traffic. | keyword | +| sophos.xg.temp | Temp | float | | sophos.xg.threatname | ATP threatname | keyword | | sophos.xg.timestamp | timestamp | date | | sophos.xg.timezone | Time (hh:mm:ss) when the event occurred | keyword | @@ -1287,7 +1243,7 @@ An example event for `xg` looks as following: | sophos.xg.total_memory | Total Memory | integer | | sophos.xg.trans_dst_ip | Translated destination IP address for outgoing traffic | ip | | sophos.xg.trans_dst_port | Translated destination port for outgoing traffic | integer | -| sophos.xg.trans_src_ ip | Translated source IP address for outgoing traffic | ip | +| sophos.xg.trans_src_ip | Translated source IP address for outgoing traffic | ip | | sophos.xg.trans_src_port | Translated source port for outgoing traffic | integer | | sophos.xg.transaction_id | Transaction ID | keyword | | sophos.xg.transactionid | Transaction ID of the AV scan. | keyword | 
@@ -1306,7 +1262,7 @@ An example event for `xg` looks as following: | sophos.xg.user_gp | Group name to which the user belongs. | keyword | | sophos.xg.user_group | Group name to which the user belongs | keyword | | sophos.xg.user_name | user_name | keyword | -| sophos.xg.users | users | keyword | +| sophos.xg.users | Number of users from System Health / Live User events. | long | | sophos.xg.vconn_id | Connection ID of the master connection | integer | | sophos.xg.virus | virus name | keyword | | sophos.xg.web_policy_id | Web policy ID | keyword | diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml index d6c7c8cb12d..c324445400b 100644 --- a/packages/sophos/manifest.yml +++ b/packages/sophos/manifest.yml @@ -1,14 +1,14 @@ format_version: 1.0.0 name: sophos title: Sophos Logs -version: 1.2.3 +version: 2.0.0 description: Collect and parse logs from Sophos Products with Elastic Agent. categories: ["security"] release: ga license: basic type: integration conditions: - kibana.version: "^7.14.1 || ^8.0.0" + kibana.version: "^7.17.0 || ^8.0.0" policy_templates: - name: sophos title: Sophos logs diff --git a/packages/spring_boot/_dev/build/docs/README.md b/packages/spring_boot/_dev/build/docs/README.md index e423759a5e0..b269b95eeb0 100644 --- a/packages/spring_boot/_dev/build/docs/README.md +++ b/packages/spring_boot/_dev/build/docs/README.md @@ -47,3 +47,15 @@ This is the `http_trace` data stream. {{event "http_trace"}} {{fields "http_trace"}} + +## Metrics + +### Memory Metrics + +This is the `memory` data stream. + +- This data stream gives metrics related to heap and non-heap memory, buffer pool and manager. + +{{event "memory"}} + +{{fields "memory"}} \ No newline at end of file diff --git a/packages/spring_boot/changelog.yml b/packages/spring_boot/changelog.yml index 79f201be8a6..b51f1e84b46 100644 --- a/packages/spring_boot/changelog.yml +++ b/packages/spring_boot/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.3.0" + changes: + - description: memory data stream of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/2979 - version: "0.2.0" changes: - description: http_trace data stream of the package diff --git a/packages/spring_boot/data_stream/memory/_dev/test/system/test-default-config.yml b/packages/spring_boot/data_stream/memory/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..3fc097c4279 --- /dev/null +++ b/packages/spring_boot/data_stream/memory/_dev/test/system/test-default-config.yml @@ -0,0 +1,6 @@ +vars: + hosts: http://springboot:8090/actuator/jolokia + path: /jolokia/?ignoreErrors=true&canonicalNaming=false +input: jolokia/metrics +data_stream: + vars: ~ diff --git a/packages/spring_boot/data_stream/memory/agent/stream/stream.yml.hbs b/packages/spring_boot/data_stream/memory/agent/stream/stream.yml.hbs new file mode 100644 index 00000000000..68a8353beec --- /dev/null +++ b/packages/spring_boot/data_stream/memory/agent/stream/stream.yml.hbs 
@@ -0,0 +1,47 @@
+metricsets: ["jmx"]
+namespace: "metrics"
+hosts: {{hosts}}
+http_method: "GET"
+path: {{path}}
+username: {{username}}
+password: {{password}}
+period: {{period}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+jmx.mappings:
+ - mbean: 'java.lang:type=Memory'
+ attributes:
+ - attr: HeapMemoryUsage
+ field: heap
+ - attr: NonHeapMemoryUsage
+ field: non_heap
+ - mbean: 'java.nio:name=direct,type=BufferPool'
+ attributes:
+ - attr: TotalCapacity
+ field: buffer_pool.direct.total_capacity
+ - attr: MemoryUsed
+ field: buffer_pool.direct.used
+ - attr: Count
+ field: buffer_pool.direct.count
+ - mbean: 'java.nio:name=mapped,type=BufferPool'
+ attributes:
+ - attr: TotalCapacity
+ field: buffer_pool.mapped.total_capacity
+ - attr: MemoryUsed
+ field: buffer_pool.mapped.used
+ - attr: Count
+ field: buffer_pool.mapped.count
+ - mbean: 'java.lang:name=CodeCacheManager,type=MemoryManager'
+ attributes:
+ - attr: Valid
+ field: manager.code_cache.valid
+ - attr: Name
+ field: manager.code_cache.name
+ - mbean: 'java.lang:name=Metaspace Manager,type=MemoryManager'
+ attributes:
+ - attr: Valid
+ field: manager.metaspace.valid
+ - attr: Name
+ field: manager.metaspace.name
+ 
\ No newline at end of file
diff --git a/packages/spring_boot/data_stream/memory/elasticsearch/ingest_pipeline/default.yml b/packages/spring_boot/data_stream/memory/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..6989bb1873a
--- /dev/null
+++ b/packages/spring_boot/data_stream/memory/elasticsearch/ingest_pipeline/default.yml
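Review bot: `username: {{username}}` and `password: {{password}}` are rendered unconditionally, so a policy that leaves the optional credentials empty (both vars are `required: false` in the package manifest) still emits bare `username:`/`password:` keys into the jolokia input, whereas the template already guards `ssl` with `{{#if ssl}}`. Wrapping each credential the same way keeps the rendered stream config clean and lets an unauthenticated endpoint be polled without sending an empty Basic-auth pair. Note also that with `http_method: "GET"` the credentials go out on every poll, so if `hosts` is a plain `http://` URL (as the example in the package manifest and the sample event are) they travel in cleartext; a comment pointing users to `https` or the `ssl` block would be worth adding here. The final `+ ` line is trailing whitespace without a newline and can be dropped.
```yaml
# … unchanged: metricsets, namespace, hosts, http_method, path …
{{#if username}}
username: {{username}}
{{/if}}
{{#if password}}
password: {{password}}
{{/if}}
# … unchanged: period, ssl, jmx.mappings …
```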
@@ -0,0 +1,38 @@
+---
+description: Pipeline for parsing Spring Boot Memory metrics.
+processors:
+ - set:
+ field: ecs.version
+ value: "8.1.0"
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - rename:
+ field: jolokia.metrics
+ target_field: spring_boot.memory
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: event.type
+ value: info
+ - set:
+ field: event.kind
+ value: metric
+ - set:
+ field: event.category
+ value: database
+ - set:
+ field: event.module
+ value: spring_boot
+ - set:
+ field: event.dataset
+ value: spring_boot.memory
+ - remove:
+ field: jolokia
+ ignore_missing: true
+ ignore_failure: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/spring_boot/data_stream/memory/fields/base-fields.yml b/packages/spring_boot/data_stream/memory/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/spring_boot/data_stream/memory/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/spring_boot/data_stream/memory/fields/ecs.yml b/packages/spring_boot/data_stream/memory/fields/ecs.yml
new file mode 100644
index 00000000000..666902b9439
--- /dev/null
+++ b/packages/spring_boot/data_stream/memory/fields/ecs.yml
@@ -0,0 +1,16 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.dataset
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: service.address
+- external: ecs
+ name: service.type
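Review bot: `event.category` is set to `database` for JVM heap/buffer-pool metrics, which does not match the ECS meaning of that category (database activity) and will pull these documents into database-oriented dashboards and detection rules. ECS `event.category` is an array of fixed allowed values and is optional for metrics, so I would remove the `set` processor for `event.category` unless the sibling `http_trace` pipeline (outside this diff) deliberately uses the same value and consistency is the goal — in that case a comment saying so belongs on the processor. Separately, the `rename` of `jolokia.metrics` combines `ignore_missing: true` with `ignore_failure: true`; the second flag also hides a real conflict (for example `spring_boot.memory` already existing on the document), so `ignore_missing: true` alone is enough and lets genuine failures reach `on_failure` and `error.message`.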
diff --git a/packages/spring_boot/data_stream/memory/fields/fields.yml b/packages/spring_boot/data_stream/memory/fields/fields.yml new file mode 100644 index 00000000000..4136734f342 --- /dev/null +++ b/packages/spring_boot/data_stream/memory/fields/fields.yml 
@@ -0,0 +1,84 @@
+- name: spring_boot
+ type: group
+ fields:
+ - name: memory
+ type: group
+ fields:
+ - name: buffer_pool
+ type: group
+ fields:
+ - name: direct
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of direct buffer pool memory
+ - name: used
+ type: long
+ description: Used memory of direct buffer pool
+ - name: total_capacity
+ type: long
+ description: Total capacity of direct buffer pool memory
+ - name: mapped
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of mapped buffer pool memory
+ - name: used
+ type: long
+ description: Used memory of mapped buffer pool
+ - name: total_capacity
+ type: long
+ description: Total capacity of mapped buffer pool memory
+ - name: heap
+ type: group
+ fields:
+ - name: committed
+ type: long
+ description: Committed heap memory usage of JVM
+ - name: init
+ type: long
+ description: Init heap memory usage of JVM
+ - name: max
+ type: long
+ description: Max heap memory usage of JVM
+ - name: used
+ type: long
+ description: Used heap memory usage of JVM
+ - name: non_heap
+ type: group
+ fields:
+ - name: committed
+ type: long
+ description: Committed non-heap memory usage of JVM
+ - name: init
+ type: long
+ description: Init non-heap memory usage of JVM
+ - name: max
+ type: long
+ description: Max non-heap memory usage of JVM
+ - name: used
+ type: long
+ description: Used non-heap memory usage of JVM
+ - name: manager
+ type: group
+ fields:
+ - name: code_cache
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: Name of the cacheManager to qualify the cache
+ - name: valid
+ type: boolean
+ description: Validation of code cache
+ - name: metaspace
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: Name of the Metaspace Manager to qualify the cache
+ - name: valid
+ type: boolean
+ description: Validation of metaspace manager
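Review bot: The `valid` descriptions (`Validation of code cache`, `Validation of metaspace manager`) do not say what the boolean means; these fields are mapped from the JMX `Valid` attribute of the two `MemoryManager` mbeans in the stream template, which as I read the `MemoryManagerMXBean` contract reports whether the manager is still valid in the running JVM, so `description: Whether the memory manager is still valid in the running JVM (false once the JVM has removed it).` would tell the reader what `false` signals. The `heap.max` and `non_heap.max` descriptions should also state that `-1` means the maximum is undefined — the sample event added in this PR shows `non_heap.max: -1` — e.g. `description: Maximum amount of non-heap memory, in bytes, the JVM may use; -1 if undefined.`, so dashboards do not treat it as a real byte count. None of the `heap`, `non_heap` or `buffer_pool` size descriptions mention the unit; adding `in bytes` to each (and `unit: byte` if the package format version in use supports it) makes them usable without consulting the JVM docs.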
diff --git a/packages/spring_boot/data_stream/memory/manifest.yml b/packages/spring_boot/data_stream/memory/manifest.yml
new file mode 100644
index 00000000000..c24c1b9de44
--- /dev/null
+++ b/packages/spring_boot/data_stream/memory/manifest.yml
@@ -0,0 +1,21 @@
+title: Memory Metrics
+type: metrics
+streams:
+ - input: jolokia/metrics
+ template_path: stream.yml.hbs
+ title: Memory metrics
+ description: Collect Spring Boot Memory metrics.
+ vars:
+ - name: period
+ type: text
+ title: Period
+ default: 60s
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/spring_boot/data_stream/memory/sample_event.json b/packages/spring_boot/data_stream/memory/sample_event.json
new file mode 100644
index 00000000000..cf75025be64
--- /dev/null
+++ b/packages/spring_boot/data_stream/memory/sample_event.json
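Review bot: The `processors` description says the processors run "before the logs are parsed" and links to the Filebeat filtering guide, but this stream is `type: metrics` on the `jolokia/metrics` input, so the text is copied from a logs stream and misleads whoever configures it. Suggest `This executes in the agent before the metrics are shipped. See [Processors](https://www.elastic.co/guide/en/beats/metricbeat/current/filtering-and-enhancing-data.html) for details.`. The `period` var has no `description` at all; a one-liner such as `description: How often the JVM memory metrics are collected, for example 10s or 60s.` would make the Fleet form self-explanatory.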
@@ -0,0 +1,78 @@ +{ + "@timestamp": "2022-04-20T13:03:45.533Z", + "agent": { + "ephemeral_id": "c9cba3ad-ab82-4f17-95b1-a92257a086b0", + "id": "f7cd0ea7-4d35-4573-956a-021aa2718bbe", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.1.0" + }, + "data_stream": { + "dataset": "spring_boot.memory", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.1.0" + }, + "elastic_agent": { + "id": "f7cd0ea7-4d35-4573-956a-021aa2718bbe", + "snapshot": false, + "version": "8.1.0" + }, + "event": { + "agent_id_status": "verified", + "category": "database", + "dataset": "spring_boot.memory", + "duration": 498219023, + "ingested": "2022-04-20T13:03:48Z", + "kind": "metric", + "module": "spring_boot", + "type": "info" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.144.4" + ], + "mac": [ + "02:42:c0:a8:90:04" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.59.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "jmx", + "period": 60000 + }, + "service": { + "address": "http://springboot:8090/actuator/jolokia", + "type": "jolokia" + }, + "spring_boot": { + "memory": { + "heap": { + "committed": 303038464, + "init": 96468992, + "max": 1350041600, + "used": 135078232 + }, + "non_heap": { + "committed": 60882944, + "init": 2555904, + "max": -1, + "used": 55917256 + } + } + } +} \ No newline at end of file diff --git a/packages/spring_boot/docs/README.md b/packages/spring_boot/docs/README.md index 9a4b277d286..7b4d8d7ebb0 100644 --- a/packages/spring_boot/docs/README.md +++ b/packages/spring_boot/docs/README.md 
@@ -225,3 +225,129 @@ An example event for `http_trace` looks as following: | spring_boot.http_trace.session | Session associated with the exchange | keyword | | tags | List of keywords used to tag each event. | keyword | + +## Metrics + +### Memory Metrics + +This is the `memory` data stream. + +- This data stream gives metrics related to heap and non-heap memory, buffer pool and manager. + +An example event for `memory` looks as following: + +```json +{ + "@timestamp": "2022-04-20T13:03:45.533Z", + "agent": { + "ephemeral_id": "c9cba3ad-ab82-4f17-95b1-a92257a086b0", + "id": "f7cd0ea7-4d35-4573-956a-021aa2718bbe", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.1.0" + }, + "data_stream": { + "dataset": "spring_boot.memory", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.1.0" + }, + "elastic_agent": { + "id": "f7cd0ea7-4d35-4573-956a-021aa2718bbe", + "snapshot": false, + "version": "8.1.0" + }, + "event": { + "agent_id_status": "verified", + "category": "database", + "dataset": "spring_boot.memory", + "duration": 498219023, + "ingested": "2022-04-20T13:03:48Z", + "kind": "metric", + "module": "spring_boot", + "type": "info" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.144.4" + ], + "mac": [ + "02:42:c0:a8:90:04" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.59.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "jmx", + "period": 60000 + }, + "service": { + "address": "http://springboot:8090/actuator/jolokia", + "type": "jolokia" + }, + "spring_boot": { + "memory": { + "heap": { + "committed": 303038464, + "init": 96468992, + "max": 1350041600, + "used": 135078232 + }, + "non_heap": { + "committed": 60882944, + "init": 2555904, + "max": -1, + "used": 55917256 + } + 
} + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| spring_boot.memory.buffer_pool.direct.count | Count of direct buffer pool memory | long | +| spring_boot.memory.buffer_pool.direct.total_capacity | Total capacity of direct buffer pool memory | long | +| spring_boot.memory.buffer_pool.direct.used | Used memory of direct buffer pool | long | +| spring_boot.memory.buffer_pool.mapped.count | Count of mapped buffer pool memory | long | +| spring_boot.memory.buffer_pool.mapped.total_capacity | Total capacity of mapped buffer pool memory | long | +| spring_boot.memory.buffer_pool.mapped.used | Used memory of mapped buffer pool | long | +| spring_boot.memory.heap.committed | Committed heap memory usage of JVM | long | +| spring_boot.memory.heap.init | Init heap memory usage of JVM | long | +| spring_boot.memory.heap.max | Max heap memory usage of JVM | long | +| spring_boot.memory.heap.used | Used heap memory usage of JVM | long | +| spring_boot.memory.manager.code_cache.name | Name of the cacheManager to qualify the cache | keyword | +| spring_boot.memory.manager.code_cache.valid | Validation of code cache | boolean | +| spring_boot.memory.manager.metaspace.name | Name 
of the Metaspace Manager to qualify the cache | keyword | +| spring_boot.memory.manager.metaspace.valid | Validation of metaspace manager | boolean | +| spring_boot.memory.non_heap.committed | Committed non-heap memory usage of JVM | long | +| spring_boot.memory.non_heap.init | Init non-heap memory usage of JVM | long | +| spring_boot.memory.non_heap.max | Max non-heap memory usage of JVM | long | +| spring_boot.memory.non_heap.used | Used non-heap memory usage of JVM | long | diff --git a/packages/spring_boot/manifest.yml b/packages/spring_boot/manifest.yml index 737ed2dfda6..f2073cba0e0 100644 --- a/packages/spring_boot/manifest.yml +++ b/packages/spring_boot/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: spring_boot title: Spring Boot -version: 0.2.0 +version: 0.3.0 license: basic description: This Elastic integration collects logs and metrics from Spring Boot integration. type: integration 
@@ -40,5 +40,45 @@ policy_templates: required: false show_user: false default: "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE----- \n" + - type: jolokia/metrics + title: Collect Spring Boot metrics of Memory. + description: Collecting metrics from Spring Boot of Memory. + vars: + - name: path + type: text + title: Path + multi: false + required: true + show_user: false + default: /jolokia/?ignoreErrors=true&canonicalNaming=false + - name: username + type: text + title: Username + multi: false + required: false + show_user: false + default: actuator + - name: password + type: password + title: Password + multi: false + required: false + show_user: false + default: actuator + - name: hosts + type: text + title: Hosts + multi: false + required: true + show_user: true + description: "Host for Spring Boot metrics. 
(example: http://localhost:8090/actuator/jolokia)." + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE----- \n" owner: github: elastic/obs-service-integrations
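Review bot: The new `jolokia/metrics` policy template ships default credentials `actuator`/`actuator` for `username` and `password` and hides both behind `show_user: false`, so an operator who only fills in `hosts` silently sends a guessable Basic-auth pair to the endpoint — and, since the `hosts` example is plain `http://`, does so in cleartext. I would drop the two `default: actuator` lines, set `show_user: true` on both vars, and add a description such as `Credentials of the Spring Boot actuator user protecting the Jolokia endpoint; use an https host or the SSL Configuration below so they are not sent in cleartext.`. If the defaults exist only so the system test passes (the `test-default-config.yml` in this PR sets `hosts` and `path` but no credentials, so presumably it relies on them), they belong in that test config's `vars`, not in the user-facing policy template.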