From f5edbedb966c6e7296d78712a4aa290563ef8bce Mon Sep 17 00:00:00 2001 
From: Marius Iversen Date: Mon, 3 Aug 2020 19:11:25 +0200 Subject: [PATCH] [Filebeat][SophosXG Module] Renaming module and fileset (#20396) renaming sophosxg module to sophos, and renaming fileset to better support future filesets (cherry picked from commit 778a92fa78cbdeab0377525dd83b18a048e94ff8) --- filebeat/docs/fields.asciidoc | 386 ++++---- .../{sophosxg.asciidoc => sophos.asciidoc} | 31 +- filebeat/docs/modules_list.asciidoc | 4 +- x-pack/filebeat/filebeat.reference.yml | 10 +- x-pack/filebeat/include/list.go | 2 +- .../{sophosxg => sophos}/_meta/config.yml | 8 +- .../{sophosxg => sophos}/_meta/docs.asciidoc | 27 +- .../{sophosxg => sophos}/_meta/fields.yml | 8 +- x-pack/filebeat/module/sophos/fields.go | 23 + .../module/{sophosxg => sophos}/module.yml | 0 .../firewall => sophos/xg}/_meta/fields.yml | 79 +- .../xg/config/config.yml} | 0 .../xg}/ingest/antispam.yml | 52 +- .../xg}/ingest/antivirus.yml | 110 +-- .../firewall => sophos/xg}/ingest/atp.yml | 50 +- .../firewall => sophos/xg}/ingest/cfilter.yml | 74 +- .../firewall => sophos/xg}/ingest/event.yml | 76 +- .../xg}/ingest/firewall.yml | 128 +-- .../firewall => sophos/xg}/ingest/idp.yml | 54 +- .../xg}/ingest/pipeline.yml | 74 +- .../xg}/ingest/sandstorm.yml | 54 +- .../firewall => sophos/xg}/ingest/waf.yml | 80 +- .../firewall => sophos/xg}/ingest/wifi.yml | 2 +- .../firewall => sophos/xg}/manifest.yml | 5 +- .../firewall => sophos/xg}/test/anti-spam.log | 0 .../xg}/test/anti-spam.log-expected.json | 476 ++++----- .../xg}/test/anti-virus.log | 0 .../xg}/test/anti-virus.log-expected.json | 284 +++--- .../firewall => sophos/xg}/test/atp.log | 0 .../xg}/test/atp.log-expected.json | 112 +-- .../firewall => sophos/xg}/test/cfilter.log | 0 .../xg}/test/cfilter.log-expected.json | 334 +++---- .../firewall => sophos/xg}/test/event.log | 0 .../xg}/test/event.log-expected.json | 446 ++++----- .../firewall => sophos/xg}/test/firewall.log | 0 .../xg}/test/firewall.log-expected.json | 908 ++++++++++-------- 
.../firewall => sophos/xg}/test/idp.log | 0 .../xg}/test/idp.log-expected.json | 200 ++-- .../firewall => sophos/xg}/test/sandbox.log | 0 .../xg}/test/sandbox.log-expected.json | 172 ++-- .../firewall => sophos/xg}/test/waf.log | 0 .../xg}/test/waf.log-expected.json | 178 ++-- .../firewall => sophos/xg}/test/wifi.log | 0 .../xg}/test/wifi.log-expected.json | 60 +- x-pack/filebeat/module/sophosxg/fields.go | 23 - .../sophosxg/firewall/ingest/systemhealth.yml | 158 --- ...hosxg.yml.disabled => sophos.yml.disabled} | 12 +- 47 files changed, 2307 insertions(+), 2393 deletions(-) rename filebeat/docs/modules/{sophosxg.asciidoc => sophos.asciidoc} (85%) rename x-pack/filebeat/module/{sophosxg => sophos}/_meta/config.yml (88%) rename x-pack/filebeat/module/{sophosxg => sophos}/_meta/docs.asciidoc (86%) rename x-pack/filebeat/module/{sophosxg => sophos}/_meta/fields.yml (50%) create mode 100644 x-pack/filebeat/module/sophos/fields.go rename x-pack/filebeat/module/{sophosxg => sophos}/module.yml (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/_meta/fields.yml (98%) rename x-pack/filebeat/module/{sophosxg/firewall/config/firewall.yml => sophos/xg/config/config.yml} (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/antispam.yml (82%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/antivirus.yml (71%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/atp.yml (81%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/cfilter.yml (75%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/event.yml (72%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/firewall.yml (77%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/idp.yml (80%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/pipeline.yml (73%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/sandstorm.yml (62%) rename 
x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/waf.yml (74%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/ingest/wifi.yml (84%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/manifest.yml (88%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/anti-spam.log (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/anti-spam.log-expected.json (68%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/anti-virus.log (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/anti-virus.log-expected.json (74%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/atp.log (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/atp.log-expected.json (78%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/cfilter.log (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/cfilter.log-expected.json (73%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/event.log (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/event.log-expected.json (68%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/firewall.log (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/firewall.log-expected.json (74%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/idp.log (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/idp.log-expected.json (69%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/sandbox.log (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/sandbox.log-expected.json (70%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/waf.log (100%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/waf.log-expected.json (72%) rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/wifi.log (100%) 
rename x-pack/filebeat/module/{sophosxg/firewall => sophos/xg}/test/wifi.log-expected.json (56%) delete mode 100644 x-pack/filebeat/module/sophosxg/fields.go delete mode 100644 x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml rename x-pack/filebeat/modules.d/{sophosxg.yml.disabled => sophos.yml.disabled} (75%) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 3511e142026..637134f13d4 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -76,7 +76,7 @@ grouped in the following categories: * <> * <> * <> -* <> +* <> * <> * <> * <> @@ -122133,27 +122133,27 @@ type: keyword -- -[[exported-fields-sophosxg]] -== sophosxg fields +[[exported-fields-sophos]] +== sophos fields -sophosxg Module +sophos Module [float] -=== sophosxg +=== sophos [float] -=== firewall +=== xg Module for parsing sophosxg syslog. -*`sophosxg.firewall.device`*:: +*`sophos.xg.device`*:: + -- device @@ -122163,7 +122163,7 @@ type: keyword -- -*`sophosxg.firewall.date`*:: +*`sophos.xg.date`*:: + -- Date (yyyy-mm-dd) when the event occurred @@ -122173,7 +122173,7 @@ type: date -- -*`sophosxg.firewall.timezone`*:: +*`sophos.xg.timezone`*:: + -- Time (hh:mm:ss) when the event occurred @@ -122183,7 +122183,7 @@ type: keyword -- -*`sophosxg.firewall.device_name`*:: +*`sophos.xg.device_name`*:: + -- Model number of the device @@ -122193,7 +122193,7 @@ type: keyword -- -*`sophosxg.firewall.device_id`*:: +*`sophos.xg.device_id`*:: + -- Serial number of the device @@ -122203,7 +122203,7 @@ type: keyword -- -*`sophosxg.firewall.log_id`*:: +*`sophos.xg.log_id`*:: + -- Unique 12 characters code (0101011) @@ -122213,7 +122213,7 @@ type: keyword -- -*`sophosxg.firewall.log_type`*:: +*`sophos.xg.log_type`*:: + -- Type of event e.g. firewall event @@ -122223,7 +122223,7 @@ type: keyword -- -*`sophosxg.firewall.log_component`*:: +*`sophos.xg.log_component`*:: + -- Component responsible for logging e.g. Firewall rule 
@@ -122233,7 +122233,7 @@ type: keyword -- -*`sophosxg.firewall.log_subtype`*:: +*`sophos.xg.log_subtype`*:: + -- Sub type of event @@ -122243,7 +122243,7 @@ type: keyword -- -*`sophosxg.firewall.hb_health`*:: +*`sophos.xg.hb_health`*:: + -- Heartbeat status @@ -122253,7 +122253,7 @@ type: keyword -- -*`sophosxg.firewall.priority`*:: +*`sophos.xg.priority`*:: + -- Severity level of traffic @@ -122263,7 +122263,7 @@ type: keyword -- -*`sophosxg.firewall.status`*:: +*`sophos.xg.status`*:: + -- Ultimate status of traffic – Allowed or Denied @@ -122273,7 +122273,7 @@ type: keyword -- -*`sophosxg.firewall.duration`*:: +*`sophos.xg.duration`*:: + -- Durability of traffic (seconds) @@ -122283,7 +122283,7 @@ type: long -- -*`sophosxg.firewall.fw_rule_id`*:: +*`sophos.xg.fw_rule_id`*:: + -- Firewall Rule ID which is applied on the traffic @@ -122293,7 +122293,7 @@ type: integer -- -*`sophosxg.firewall.user_name`*:: +*`sophos.xg.user_name`*:: + -- user_name @@ -122303,7 +122303,7 @@ type: keyword -- -*`sophosxg.firewall.user_group`*:: +*`sophos.xg.user_group`*:: + -- Group name to which the user belongs @@ -122313,7 +122313,7 @@ type: keyword -- -*`sophosxg.firewall.iap`*:: +*`sophos.xg.iap`*:: + -- Internet Access policy ID applied on the traffic @@ -122323,7 +122323,7 @@ type: keyword -- -*`sophosxg.firewall.ips_policy_id`*:: +*`sophos.xg.ips_policy_id`*:: + -- IPS policy ID applied on the traffic @@ -122333,7 +122333,7 @@ type: integer -- -*`sophosxg.firewall.policy_type`*:: +*`sophos.xg.policy_type`*:: + -- Policy type applied to the traffic @@ -122343,7 +122343,7 @@ type: keyword -- -*`sophosxg.firewall.appfilter_policy_id`*:: +*`sophos.xg.appfilter_policy_id`*:: + -- Application Filter policy applied on the traffic @@ -122353,7 +122353,7 @@ type: integer -- -*`sophosxg.firewall.application_filter_policy`*:: +*`sophos.xg.application_filter_policy`*:: + -- Application Filter policy applied on the traffic 
@@ -122363,7 +122363,7 @@ type: integer -- -*`sophosxg.firewall.application`*:: +*`sophos.xg.application`*:: + -- Application name @@ -122373,7 +122373,7 @@ type: keyword -- -*`sophosxg.firewall.application_name`*:: +*`sophos.xg.application_name`*:: + -- Application name @@ -122383,7 +122383,7 @@ type: keyword -- -*`sophosxg.firewall.application_risk`*:: +*`sophos.xg.application_risk`*:: + -- Risk level assigned to the application @@ -122393,7 +122393,7 @@ type: keyword -- -*`sophosxg.firewall.application_technology`*:: +*`sophos.xg.application_technology`*:: + -- Technology of the application @@ -122403,7 +122403,7 @@ type: keyword -- -*`sophosxg.firewall.application_category`*:: +*`sophos.xg.application_category`*:: + -- Application is resolved by signature or synchronized application @@ -122413,7 +122413,7 @@ type: keyword -- -*`sophosxg.firewall.appresolvedby`*:: +*`sophos.xg.appresolvedby`*:: + -- Technology of the application @@ -122423,7 +122423,7 @@ type: keyword -- -*`sophosxg.firewall.app_is_cloud`*:: +*`sophos.xg.app_is_cloud`*:: + -- Application is Cloud @@ -122433,7 +122433,7 @@ type: keyword -- -*`sophosxg.firewall.in_interface`*:: +*`sophos.xg.in_interface`*:: + -- Interface for incoming traffic, e.g., Port A @@ -122443,7 +122443,7 @@ type: keyword -- -*`sophosxg.firewall.out_interface`*:: +*`sophos.xg.out_interface`*:: + -- Interface for outgoing traffic, e.g., Port B @@ -122453,7 +122453,7 @@ type: keyword -- -*`sophosxg.firewall.src_ip`*:: +*`sophos.xg.src_ip`*:: + -- Original source IP address of traffic @@ -122463,7 +122463,7 @@ type: ip -- -*`sophosxg.firewall.src_mac`*:: +*`sophos.xg.src_mac`*:: + -- Original source MAC address of traffic @@ -122473,7 +122473,7 @@ type: keyword -- -*`sophosxg.firewall.src_country_code`*:: +*`sophos.xg.src_country_code`*:: + -- Code of the country to which the source IP belongs 
@@ -122483,7 +122483,7 @@ type: keyword -- -*`sophosxg.firewall.dst_ip`*:: +*`sophos.xg.dst_ip`*:: + -- Original destination IP address of traffic @@ -122493,7 +122493,7 @@ type: ip -- -*`sophosxg.firewall.dst_country_code`*:: +*`sophos.xg.dst_country_code`*:: + -- Code of the country to which the destination IP belongs @@ -122503,7 +122503,7 @@ type: keyword -- -*`sophosxg.firewall.protocol`*:: +*`sophos.xg.protocol`*:: + -- Protocol number of traffic @@ -122513,7 +122513,7 @@ type: keyword -- -*`sophosxg.firewall.src_port`*:: +*`sophos.xg.src_port`*:: + -- Original source port of TCP and UDP traffic @@ -122523,7 +122523,7 @@ type: integer -- -*`sophosxg.firewall.dst_port`*:: +*`sophos.xg.dst_port`*:: + -- Original destination port of TCP and UDP traffic @@ -122533,7 +122533,7 @@ type: integer -- -*`sophosxg.firewall.icmp_type`*:: +*`sophos.xg.icmp_type`*:: + -- ICMP type of ICMP traffic @@ -122543,7 +122543,7 @@ type: keyword -- -*`sophosxg.firewall.icmp_code`*:: +*`sophos.xg.icmp_code`*:: + -- ICMP code of ICMP traffic @@ -122553,7 +122553,7 @@ type: keyword -- -*`sophosxg.firewall.sent_pkts`*:: +*`sophos.xg.sent_pkts`*:: + -- Total number of packets sent @@ -122563,7 +122563,7 @@ type: long -- -*`sophosxg.firewall.received_pkts`*:: +*`sophos.xg.received_pkts`*:: + -- Total number of packets received @@ -122573,7 +122573,7 @@ type: long -- -*`sophosxg.firewall.sent_bytes`*:: +*`sophos.xg.sent_bytes`*:: + -- Total number of bytes sent @@ -122583,7 +122583,7 @@ type: long -- -*`sophosxg.firewall.recv_bytes`*:: +*`sophos.xg.recv_bytes`*:: + -- Total number of bytes received @@ -122593,7 +122593,7 @@ type: long -- -*`sophosxg.firewall.trans_src_ ip`*:: +*`sophos.xg.trans_src_ ip`*:: + -- Translated source IP address for outgoing traffic @@ -122603,7 +122603,7 @@ type: ip -- -*`sophosxg.firewall.trans_src_port`*:: +*`sophos.xg.trans_src_port`*:: + -- Translated source port for outgoing traffic 
@@ -122613,7 +122613,7 @@ type: integer -- -*`sophosxg.firewall.trans_dst_ip`*:: +*`sophos.xg.trans_dst_ip`*:: + -- Translated destination IP address for outgoing traffic @@ -122623,7 +122623,7 @@ type: ip -- -*`sophosxg.firewall.trans_dst_port`*:: +*`sophos.xg.trans_dst_port`*:: + -- Translated destination port for outgoing traffic @@ -122633,7 +122633,7 @@ type: integer -- -*`sophosxg.firewall.srczonetype`*:: +*`sophos.xg.srczonetype`*:: + -- Type of source zone, e.g., LAN @@ -122643,7 +122643,7 @@ type: keyword -- -*`sophosxg.firewall.srczone`*:: +*`sophos.xg.srczone`*:: + -- Name of source zone @@ -122653,7 +122653,7 @@ type: keyword -- -*`sophosxg.firewall.dstzonetype`*:: +*`sophos.xg.dstzonetype`*:: + -- Type of destination zone, e.g., WAN @@ -122663,7 +122663,7 @@ type: keyword -- -*`sophosxg.firewall.dstzone`*:: +*`sophos.xg.dstzone`*:: + -- Name of destination zone @@ -122673,7 +122673,7 @@ type: keyword -- -*`sophosxg.firewall.dir_disp`*:: +*`sophos.xg.dir_disp`*:: + -- TPacket direction. Possible values:“org”, “reply”, “” @@ -122683,7 +122683,7 @@ type: keyword -- -*`sophosxg.firewall.connevent`*:: +*`sophos.xg.connevent`*:: + -- Event on which this log is generated @@ -122693,7 +122693,7 @@ type: keyword -- -*`sophosxg.firewall.conn_id`*:: +*`sophos.xg.conn_id`*:: + -- Unique identifier of connection @@ -122703,7 +122703,7 @@ type: integer -- -*`sophosxg.firewall.vconn_id`*:: +*`sophos.xg.vconn_id`*:: + -- Connection ID of the master connection @@ -122713,7 +122713,7 @@ type: integer -- -*`sophosxg.firewall.idp_policy_id`*:: +*`sophos.xg.idp_policy_id`*:: + -- IPS policy ID which is applied on the traffic @@ -122723,7 +122723,7 @@ type: integer -- -*`sophosxg.firewall.idp_policy_name`*:: +*`sophos.xg.idp_policy_name`*:: + -- IPS policy name i.e. IPS policy name which is applied on the traffic @@ -122733,7 +122733,7 @@ type: keyword -- -*`sophosxg.firewall.signature_id`*:: +*`sophos.xg.signature_id`*:: + -- Signature ID 
@@ -122743,7 +122743,7 @@ type: keyword -- -*`sophosxg.firewall.signature_msg`*:: +*`sophos.xg.signature_msg`*:: + -- Signature messsage @@ -122753,7 +122753,7 @@ type: keyword -- -*`sophosxg.firewall.classification`*:: +*`sophos.xg.classification`*:: + -- Signature classification @@ -122763,7 +122763,7 @@ type: keyword -- -*`sophosxg.firewall.rule_priority`*:: +*`sophos.xg.rule_priority`*:: + -- Priority of IPS policy @@ -122773,7 +122773,7 @@ type: keyword -- -*`sophosxg.firewall.platform`*:: +*`sophos.xg.platform`*:: + -- Platform of the traffic. @@ -122783,7 +122783,7 @@ type: keyword -- -*`sophosxg.firewall.category`*:: +*`sophos.xg.category`*:: + -- IPS signature category. @@ -122793,7 +122793,7 @@ type: keyword -- -*`sophosxg.firewall.target`*:: +*`sophos.xg.target`*:: + -- Platform of the traffic. @@ -122803,7 +122803,7 @@ type: keyword -- -*`sophosxg.firewall.eventid`*:: +*`sophos.xg.eventid`*:: + -- ATP Evenet ID @@ -122813,7 +122813,7 @@ type: keyword -- -*`sophosxg.firewall.ep_uuid`*:: +*`sophos.xg.ep_uuid`*:: + -- Endpoint UUID @@ -122823,7 +122823,7 @@ type: keyword -- -*`sophosxg.firewall.threatname`*:: +*`sophos.xg.threatname`*:: + -- ATP threatname @@ -122833,7 +122833,7 @@ type: keyword -- -*`sophosxg.firewall.sourceip`*:: +*`sophos.xg.sourceip`*:: + -- Original source IP address of traffic @@ -122843,7 +122843,7 @@ type: ip -- -*`sophosxg.firewall.destinationip`*:: +*`sophos.xg.destinationip`*:: + -- Original destination IP address of traffic @@ -122853,7 +122853,7 @@ type: ip -- -*`sophosxg.firewall.login_user`*:: +*`sophos.xg.login_user`*:: + -- ATP login user @@ -122863,7 +122863,7 @@ type: keyword -- -*`sophosxg.firewall.eventtype`*:: +*`sophos.xg.eventtype`*:: + -- ATP event type @@ -122873,7 +122873,7 @@ type: keyword -- -*`sophosxg.firewall.execution_path`*:: +*`sophos.xg.execution_path`*:: + -- ATP execution path 
@@ -122883,7 +122883,7 @@ type: keyword -- -*`sophosxg.firewall.av_policy_name`*:: +*`sophos.xg.av_policy_name`*:: + -- Malware scanning policy name which is applied on the traffic @@ -122893,7 +122893,7 @@ type: keyword -- -*`sophosxg.firewall.from_email_address`*:: +*`sophos.xg.from_email_address`*:: + -- Sender email address @@ -122903,7 +122903,7 @@ type: keyword -- -*`sophosxg.firewall.to_email_address`*:: +*`sophos.xg.to_email_address`*:: + -- Receipeint email address @@ -122913,7 +122913,7 @@ type: keyword -- -*`sophosxg.firewall.subject`*:: +*`sophos.xg.subject`*:: + -- Email subject @@ -122923,7 +122923,7 @@ type: keyword -- -*`sophosxg.firewall.mailsize`*:: +*`sophos.xg.mailsize`*:: + -- mailsize @@ -122933,7 +122933,7 @@ type: integer -- -*`sophosxg.firewall.virus`*:: +*`sophos.xg.virus`*:: + -- virus name @@ -122943,7 +122943,7 @@ type: keyword -- -*`sophosxg.firewall.FTP_url`*:: +*`sophos.xg.FTP_url`*:: + -- FTP URL from which virus was downloaded @@ -122953,7 +122953,7 @@ type: keyword -- -*`sophosxg.firewall.FTP_direction`*:: +*`sophos.xg.FTP_direction`*:: + -- Direction of FTP transfer: Upload or Download @@ -122963,7 +122963,7 @@ type: keyword -- -*`sophosxg.firewall.filesize`*:: +*`sophos.xg.filesize`*:: + -- Size of the file that contained virus @@ -122973,7 +122973,7 @@ type: integer -- -*`sophosxg.firewall.filepath`*:: +*`sophos.xg.filepath`*:: + -- Path of the file containing virus @@ -122983,7 +122983,7 @@ type: keyword -- -*`sophosxg.firewall.filename`*:: +*`sophos.xg.filename`*:: + -- File name associated with the event @@ -122993,7 +122993,7 @@ type: keyword -- -*`sophosxg.firewall.ftpcommand`*:: +*`sophos.xg.ftpcommand`*:: + -- FTP command used when virus was found @@ -123003,7 +123003,7 @@ type: keyword -- -*`sophosxg.firewall.url`*:: +*`sophos.xg.url`*:: + -- URL from which virus was downloaded 
@@ -123013,7 +123013,7 @@ type: keyword -- -*`sophosxg.firewall.domainname`*:: +*`sophos.xg.domainname`*:: + -- Domain from which virus was downloaded @@ -123023,7 +123023,7 @@ type: keyword -- -*`sophosxg.firewall.quarantine`*:: +*`sophos.xg.quarantine`*:: + -- Path and filename of the file quarantined @@ -123033,7 +123033,7 @@ type: keyword -- -*`sophosxg.firewall.src_domainname`*:: +*`sophos.xg.src_domainname`*:: + -- Sender domain name @@ -123043,7 +123043,7 @@ type: keyword -- -*`sophosxg.firewall.dst_domainname`*:: +*`sophos.xg.dst_domainname`*:: + -- Receiver domain name @@ -123053,7 +123053,7 @@ type: keyword -- -*`sophosxg.firewall.reason`*:: +*`sophos.xg.reason`*:: + -- Reason why the record was detected as spam/malicious @@ -123063,7 +123063,7 @@ type: keyword -- -*`sophosxg.firewall.referer`*:: +*`sophos.xg.referer`*:: + -- Referer @@ -123073,7 +123073,7 @@ type: keyword -- -*`sophosxg.firewall.spamaction`*:: +*`sophos.xg.spamaction`*:: + -- Spam Action @@ -123083,7 +123083,7 @@ type: keyword -- -*`sophosxg.firewall.mailid`*:: +*`sophos.xg.mailid`*:: + -- mailid @@ -123093,7 +123093,7 @@ type: keyword -- -*`sophosxg.firewall.quarantine_reason`*:: +*`sophos.xg.quarantine_reason`*:: + -- Quarantine reason @@ -123103,7 +123103,7 @@ type: keyword -- -*`sophosxg.firewall.status_code`*:: +*`sophos.xg.status_code`*:: + -- Status code @@ -123113,7 +123113,7 @@ type: keyword -- -*`sophosxg.firewall.override_token`*:: +*`sophos.xg.override_token`*:: + -- Override token @@ -123123,7 +123123,7 @@ type: keyword -- -*`sophosxg.firewall.con_id`*:: +*`sophos.xg.con_id`*:: + -- Unique identifier of connection @@ -123133,7 +123133,7 @@ type: integer -- -*`sophosxg.firewall.override_authorizer`*:: +*`sophos.xg.override_authorizer`*:: + -- Override authorizer @@ -123143,7 +123143,7 @@ type: keyword -- -*`sophosxg.firewall.transactionid`*:: +*`sophos.xg.transactionid`*:: + -- Transaction ID of the AV scan. 
@@ -123153,7 +123153,7 @@ type: keyword -- -*`sophosxg.firewall.upload_file_type`*:: +*`sophos.xg.upload_file_type`*:: + -- Upload file type @@ -123163,7 +123163,7 @@ type: keyword -- -*`sophosxg.firewall.upload_file_name`*:: +*`sophos.xg.upload_file_name`*:: + -- Upload file name @@ -123173,7 +123173,7 @@ type: keyword -- -*`sophosxg.firewall.httpresponsecode`*:: +*`sophos.xg.httpresponsecode`*:: + -- code of HTTP response @@ -123183,7 +123183,7 @@ type: long -- -*`sophosxg.firewall.user_gp`*:: +*`sophos.xg.user_gp`*:: + -- Group name to which the user belongs. @@ -123193,7 +123193,7 @@ type: keyword -- -*`sophosxg.firewall.category_type`*:: +*`sophos.xg.category_type`*:: + -- Type of category under which website falls @@ -123203,7 +123203,7 @@ type: keyword -- -*`sophosxg.firewall.download_file_type`*:: +*`sophos.xg.download_file_type`*:: + -- Download file type @@ -123213,7 +123213,7 @@ type: keyword -- -*`sophosxg.firewall.exceptions`*:: +*`sophos.xg.exceptions`*:: + -- List of the checks excluded by web exceptions. @@ -123223,7 +123223,7 @@ type: keyword -- -*`sophosxg.firewall.contenttype`*:: +*`sophos.xg.contenttype`*:: + -- Type of the content @@ -123233,7 +123233,7 @@ type: keyword -- -*`sophosxg.firewall.override_name`*:: +*`sophos.xg.override_name`*:: + -- Override name @@ -123243,7 +123243,7 @@ type: keyword -- -*`sophosxg.firewall.activityname`*:: +*`sophos.xg.activityname`*:: + -- Web policy activity that matched and caused the policy result. @@ -123253,7 +123253,7 @@ type: keyword -- -*`sophosxg.firewall.download_file_name`*:: +*`sophos.xg.download_file_name`*:: + -- Download file name @@ -123263,7 +123263,7 @@ type: keyword -- -*`sophosxg.firewall.sha1sum`*:: +*`sophos.xg.sha1sum`*:: + -- SHA1 checksum of the item being analyzed @@ -123273,7 +123273,7 @@ type: keyword -- -*`sophosxg.firewall.message_id`*:: +*`sophos.xg.message_id`*:: + -- Message ID 
@@ -123283,7 +123283,7 @@ type: keyword -- -*`sophosxg.firewall.connid`*:: +*`sophos.xg.connid`*:: + -- Connection ID @@ -123293,7 +123293,7 @@ type: keyword -- -*`sophosxg.firewall.message`*:: +*`sophos.xg.message`*:: + -- Message @@ -123303,7 +123303,7 @@ type: keyword -- -*`sophosxg.firewall.email_subject`*:: +*`sophos.xg.email_subject`*:: + -- Email Subject @@ -123313,7 +123313,7 @@ type: keyword -- -*`sophosxg.firewall.file_path`*:: +*`sophos.xg.file_path`*:: + -- File path @@ -123323,7 +123323,7 @@ type: keyword -- -*`sophosxg.firewall.dstdomain`*:: +*`sophos.xg.dstdomain`*:: + -- Destination Domain @@ -123333,7 +123333,7 @@ type: keyword -- -*`sophosxg.firewall.file_size`*:: +*`sophos.xg.file_size`*:: + -- File Size @@ -123343,7 +123343,7 @@ type: integer -- -*`sophosxg.firewall.transaction_id`*:: +*`sophos.xg.transaction_id`*:: + -- Transaction ID @@ -123353,7 +123353,7 @@ type: keyword -- -*`sophosxg.firewall.website`*:: +*`sophos.xg.website`*:: + -- Website @@ -123363,7 +123363,7 @@ type: keyword -- -*`sophosxg.firewall.file_name`*:: +*`sophos.xg.file_name`*:: + -- Filename @@ -123373,7 +123373,7 @@ type: keyword -- -*`sophosxg.firewall.context_prefix`*:: +*`sophos.xg.context_prefix`*:: + -- Content Prefix @@ -123383,7 +123383,7 @@ type: keyword -- -*`sophosxg.firewall.site_category`*:: +*`sophos.xg.site_category`*:: + -- Site Category @@ -123393,7 +123393,7 @@ type: keyword -- -*`sophosxg.firewall.context_suffix`*:: +*`sophos.xg.context_suffix`*:: + -- Context Suffix @@ -123403,7 +123403,7 @@ type: keyword -- -*`sophosxg.firewall.dictionary_name`*:: +*`sophos.xg.dictionary_name`*:: + -- Dictionary Name @@ -123413,7 +123413,7 @@ type: keyword -- -*`sophosxg.firewall.action`*:: +*`sophos.xg.action`*:: + -- Event Action @@ -123423,7 +123423,7 @@ type: keyword -- -*`sophosxg.firewall.user`*:: +*`sophos.xg.user`*:: + -- User 
@@ -123433,17 +123433,17 @@ type: keyword -- -*`sophosxg.firewall.context_match`*:: +*`sophos.xg.context_match`*:: + -- -Context Match +Context Match type: keyword -- -*`sophosxg.firewall.direction`*:: +*`sophos.xg.direction`*:: + -- Direction @@ -123453,7 +123453,7 @@ type: keyword -- -*`sophosxg.firewall.auth_client`*:: +*`sophos.xg.auth_client`*:: + -- Auth Client @@ -123463,7 +123463,7 @@ type: keyword -- -*`sophosxg.firewall.auth_mechanism`*:: +*`sophos.xg.auth_mechanism`*:: + -- Auth mechanism @@ -123473,7 +123473,7 @@ type: keyword -- -*`sophosxg.firewall.connectionname`*:: +*`sophos.xg.connectionname`*:: + -- Connectionname @@ -123483,7 +123483,7 @@ type: keyword -- -*`sophosxg.firewall.remotenetwork`*:: +*`sophos.xg.remotenetwork`*:: + -- remotenetwork @@ -123493,7 +123493,7 @@ type: keyword -- -*`sophosxg.firewall.localgateway`*:: +*`sophos.xg.localgateway`*:: + -- Localgateway @@ -123503,7 +123503,7 @@ type: keyword -- -*`sophosxg.firewall.localnetwork`*:: +*`sophos.xg.localnetwork`*:: + -- Localnetwork @@ -123513,7 +123513,7 @@ type: keyword -- -*`sophosxg.firewall.connectiontype`*:: +*`sophos.xg.connectiontype`*:: + -- Connectiontype @@ -123523,7 +123523,7 @@ type: keyword -- -*`sophosxg.firewall.oldversion`*:: +*`sophos.xg.oldversion`*:: + -- Oldversion @@ -123533,7 +123533,7 @@ type: keyword -- -*`sophosxg.firewall.newversion`*:: +*`sophos.xg.newversion`*:: + -- Newversion @@ -123543,7 +123543,7 @@ type: keyword -- -*`sophosxg.firewall.ipaddress`*:: +*`sophos.xg.ipaddress`*:: + -- Ipaddress @@ -123553,7 +123553,7 @@ type: keyword -- -*`sophosxg.firewall.client_physical_address`*:: +*`sophos.xg.client_physical_address`*:: + -- Client physical address @@ -123563,7 +123563,7 @@ type: keyword -- -*`sophosxg.firewall.client_host_name`*:: +*`sophos.xg.client_host_name`*:: + -- Client host name @@ -123573,7 +123573,7 @@ type: keyword -- -*`sophosxg.firewall.raw_data`*:: +*`sophos.xg.raw_data`*:: + -- Raw data 
@@ -123583,7 +123583,7 @@ type: keyword -- -*`sophosxg.firewall.Mode`*:: +*`sophos.xg.Mode`*:: + -- Mode @@ -123593,7 +123593,7 @@ type: keyword -- -*`sophosxg.firewall.sessionid`*:: +*`sophos.xg.sessionid`*:: + -- Sessionid @@ -123603,7 +123603,7 @@ type: keyword -- -*`sophosxg.firewall.starttime`*:: +*`sophos.xg.starttime`*:: + -- Starttime @@ -123613,7 +123613,7 @@ type: date -- -*`sophosxg.firewall.remote_ip`*:: +*`sophos.xg.remote_ip`*:: + -- Remote IP @@ -123623,7 +123623,7 @@ type: ip -- -*`sophosxg.firewall.timestamp`*:: +*`sophos.xg.timestamp`*:: + -- timestamp @@ -123633,7 +123633,7 @@ type: date -- -*`sophosxg.firewall.SysLog_SERVER_NAME`*:: +*`sophos.xg.SysLog_SERVER_NAME`*:: + -- SysLog SERVER NAME @@ -123643,7 +123643,7 @@ type: keyword -- -*`sophosxg.firewall.backup_mode`*:: +*`sophos.xg.backup_mode`*:: + -- Backup mode @@ -123653,7 +123653,7 @@ type: keyword -- -*`sophosxg.firewall.source`*:: +*`sophos.xg.source`*:: + -- Source @@ -123663,7 +123663,7 @@ type: keyword -- -*`sophosxg.firewall.server`*:: +*`sophos.xg.server`*:: + -- Server @@ -123673,7 +123673,7 @@ type: keyword -- -*`sophosxg.firewall.host`*:: +*`sophos.xg.host`*:: + -- Host @@ -123683,7 +123683,7 @@ type: keyword -- -*`sophosxg.firewall.responsetime`*:: +*`sophos.xg.responsetime`*:: + -- Responsetime @@ -123693,7 +123693,7 @@ type: long -- -*`sophosxg.firewall.cookie`*:: +*`sophos.xg.cookie`*:: + -- cookie @@ -123703,7 +123703,7 @@ type: keyword -- -*`sophosxg.firewall.querystring`*:: +*`sophos.xg.querystring`*:: + -- querystring @@ -123713,7 +123713,7 @@ type: keyword -- -*`sophosxg.firewall.extra`*:: +*`sophos.xg.extra`*:: + -- extra @@ -123723,7 +123723,7 @@ type: keyword -- -*`sophosxg.firewall.PHPSESSID`*:: +*`sophos.xg.PHPSESSID`*:: + -- PHPSESSID @@ -123733,7 +123733,7 @@ type: keyword -- -*`sophosxg.firewall.start_time`*:: +*`sophos.xg.start_time`*:: + -- Start time 
@@ -123743,7 +123743,7 @@ type: date -- -*`sophosxg.firewall.eventtime`*:: +*`sophos.xg.eventtime`*:: + -- Event time @@ -123753,7 +123753,7 @@ type: date -- -*`sophosxg.firewall.red_id`*:: +*`sophos.xg.red_id`*:: + -- RED ID @@ -123763,7 +123763,7 @@ type: keyword -- -*`sophosxg.firewall.branch_name`*:: +*`sophos.xg.branch_name`*:: + -- Branch Name @@ -123773,7 +123773,7 @@ type: keyword -- -*`sophosxg.firewall.updatedip`*:: +*`sophos.xg.updatedip`*:: + -- updatedip @@ -123783,7 +123783,7 @@ type: ip -- -*`sophosxg.firewall.idle_cpu`*:: +*`sophos.xg.idle_cpu`*:: + -- idle ## @@ -123793,7 +123793,7 @@ type: float -- -*`sophosxg.firewall.system_cpu`*:: +*`sophos.xg.system_cpu`*:: + -- system @@ -123803,7 +123803,7 @@ type: float -- -*`sophosxg.firewall.user_cpu`*:: +*`sophos.xg.user_cpu`*:: + -- system @@ -123813,7 +123813,7 @@ type: float -- -*`sophosxg.firewall.used`*:: +*`sophos.xg.used`*:: + -- used @@ -123823,7 +123823,7 @@ type: integer -- -*`sophosxg.firewall.unit`*:: +*`sophos.xg.unit`*:: + -- unit @@ -123833,7 +123833,7 @@ type: keyword -- -*`sophosxg.firewall.total_memory`*:: +*`sophos.xg.total_memory`*:: + -- Total Memory @@ -123843,7 +123843,7 @@ type: integer -- -*`sophosxg.firewall.free`*:: +*`sophos.xg.free`*:: + -- free @@ -123853,7 +123853,7 @@ type: integer -- -*`sophosxg.firewall.transmittederrors`*:: +*`sophos.xg.transmittederrors`*:: + -- transmitted errors @@ -123863,7 +123863,7 @@ type: keyword -- -*`sophosxg.firewall.receivederrors`*:: +*`sophos.xg.receivederrors`*:: + -- received errors @@ -123873,7 +123873,7 @@ type: keyword -- -*`sophosxg.firewall.receivedkbits`*:: +*`sophos.xg.receivedkbits`*:: + -- received kbits @@ -123883,7 +123883,7 @@ type: long -- -*`sophosxg.firewall.transmittedkbits`*:: +*`sophos.xg.transmittedkbits`*:: + -- transmitted kbits @@ -123893,7 +123893,7 @@ type: long -- -*`sophosxg.firewall.transmitteddrops`*:: +*`sophos.xg.transmitteddrops`*:: + -- transmitted drops 
@@ -123903,7 +123903,7 @@ type: long -- -*`sophosxg.firewall.receiveddrops`*:: +*`sophos.xg.receiveddrops`*:: + -- received drops @@ -123913,7 +123913,7 @@ type: long -- -*`sophosxg.firewall.collisions`*:: +*`sophos.xg.collisions`*:: + -- collisions @@ -123923,7 +123923,7 @@ type: long -- -*`sophosxg.firewall.interface`*:: +*`sophos.xg.interface`*:: + -- interface @@ -123933,7 +123933,7 @@ type: keyword -- -*`sophosxg.firewall.Configuration`*:: +*`sophos.xg.Configuration`*:: + -- Configuration @@ -123943,7 +123943,7 @@ type: float -- -*`sophosxg.firewall.Reports`*:: +*`sophos.xg.Reports`*:: + -- Reports @@ -123953,7 +123953,7 @@ type: float -- -*`sophosxg.firewall.Signature`*:: +*`sophos.xg.Signature`*:: + -- Signature @@ -123963,7 +123963,7 @@ type: float -- -*`sophosxg.firewall.Temp`*:: +*`sophos.xg.Temp`*:: + -- Temp @@ -123973,7 +123973,7 @@ type: float -- -*`sophosxg.firewall.users`*:: +*`sophos.xg.users`*:: + -- users @@ -123983,7 +123983,7 @@ type: keyword -- -*`sophosxg.firewall.ssid`*:: +*`sophos.xg.ssid`*:: + -- ssid @@ -123993,7 +123993,7 @@ type: keyword -- -*`sophosxg.firewall.ap`*:: +*`sophos.xg.ap`*:: + -- ap @@ -124003,7 +124003,7 @@ type: keyword -- -*`sophosxg.firewall.clients_conn_ssid`*:: +*`sophos.xg.clients_conn_ssid`*:: + -- clients connection ssid diff --git a/filebeat/docs/modules/sophosxg.asciidoc b/filebeat/docs/modules/sophos.asciidoc similarity index 85% rename from filebeat/docs/modules/sophosxg.asciidoc rename to filebeat/docs/modules/sophos.asciidoc index c276cba4f82..74aacf0df0f 100644 --- a/filebeat/docs/modules/sophosxg.asciidoc +++ b/filebeat/docs/modules/sophos.asciidoc 
@@ -2,15 +2,15 @@ This file is generated! See scripts/docs_collector.py //// -[[filebeat-module-sophosxg]] +[[filebeat-module-sophos]] [role="xpack"] -:modulename: sophosxg +:modulename: sophos :has-dashboards: false -== SophosXG module +== Sophos module -This is a module for SophosXG SFOS logs sent in the syslog format. +This is a module for Sophos Products, currently it supports XG SFOS logs sent in the syslog format. To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. @@ -21,27 +21,34 @@ include::../include/gs-link.asciidoc[] [float] === Compatibility -This module has been tested against SFOS version 17.5.x and 18.0.x. +This module has been tested against SFOS version 17.5.x and 18.0.x. Versions above this are expected to work but have not been tested. include::../include/configuring-intro.asciidoc[] -:fileset_ex: firewall +:fileset_ex: xg include::../include/config-option-intro.asciidoc[] [float] -==== `firewall` fileset settings +==== `xg` fileset settings + +The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. + +Below you will see an example configuration file, that sets the default hostname (if no serial number is included in the config file), and example on how to map serial numbers to a hostname [source,yaml] ---- -- module: sophosxg - firewall: +- module: sophos + xg: enabled: true var.input: udp var.syslog_host: 0.0.0.0 var.syslog_port: 9005 - var.host_name: firewall.localgroup.local + var.default_host_name: firewall.localgroup.local + var.known_devices: + "1234567890123457": "a.host.local" + "1234234590678557": "b.host.local" ---- include::../include/var-paths.asciidoc[] 
@@ -68,7 +75,7 @@ Default to `firewall.localgroup.local` [float] ==== SophosXG ECS fields -This is a list of FortiOS fields that are mapped to ECS. +This is a list of SophosXG fields that are mapped to ECS. [options="header"] |============================================================== @@ -139,5 +146,5 @@ This is a list of FortiOS fields that are mapped to ECS. === Fields For a description of each field in the module, see the -<> section. +<> section. diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index cf898fde975..f4c8f1d84ba 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -55,7 +55,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> + * <> * <> * <> * <> @@ -121,7 +121,7 @@ include::modules/rapid7.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] include::modules/sonicwall.asciidoc[] -include::modules/sophosxg.asciidoc[] +include::modules/sophos.asciidoc[] include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index f5d235404bf..4ce72f66813 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1340,9 +1340,9 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local -#------------------------------- Sophosxg Module ------------------------------- -- module: sophosxg - firewall: +#-------------------------------- Sophos Module -------------------------------- +- module: sophos + xg: enabled: true # Set which input to use between tcp, udp (default) or file. 
@@ -1355,9 +1355,9 @@ filebeat.modules: # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9005 - # firewall default hostanme + # firewall default hostname #var.default_host_name: firewall.localgroup.local - + # known firewalls #var.known_devices: # "device1_serialnumber": "a.host.local" diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 6f79780a2e1..3cc9adb51d0 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -49,7 +49,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rapid7" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophosxg" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophos" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tenable" diff --git a/x-pack/filebeat/module/sophosxg/_meta/config.yml b/x-pack/filebeat/module/sophos/_meta/config.yml similarity index 88% rename from x-pack/filebeat/module/sophosxg/_meta/config.yml rename to x-pack/filebeat/module/sophos/_meta/config.yml index 6d605b852e1..c7c5add7422 100644 --- a/x-pack/filebeat/module/sophosxg/_meta/config.yml +++ b/x-pack/filebeat/module/sophos/_meta/config.yml @@ -1,5 +1,5 @@ -- module: sophosxg - firewall: +- module: sophos + xg: enabled: true # Set which input to use between tcp, udp (default) or file. @@ -12,9 +12,9 @@ # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9005 - # firewall default hostanme + # firewall default hostname #var.default_host_name: firewall.localgroup.local - + # known firewalls #var.known_devices: # "device1_serialnumber": "a.host.local" 
diff --git a/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc similarity index 86% rename from x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc rename to x-pack/filebeat/module/sophos/_meta/docs.asciidoc index 304b2ca88a3..28035328083 100644 --- a/x-pack/filebeat/module/sophosxg/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc @@ -1,11 +1,11 @@ [role="xpack"] -:modulename: sophosxg +:modulename: sophos :has-dashboards: false -== SophosXG module +== Sophos module -This is a module for SophosXG SFOS logs sent in the syslog format. +This is a module for Sophos Products, currently it supports XG SFOS logs sent in the syslog format. To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. 
@@ -16,27 +16,34 @@ include::../include/gs-link.asciidoc[] [float] === Compatibility -This module has been tested against SFOS version 17.5.x and 18.0.x. +This module has been tested against SFOS version 17.5.x and 18.0.x. Versions above this are expected to work but have not been tested. include::../include/configuring-intro.asciidoc[] -:fileset_ex: firewall +:fileset_ex: xg include::../include/config-option-intro.asciidoc[] [float] -==== `firewall` fileset settings +==== `xg` fileset settings + +The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. + +Below you will see an example configuration file, that sets the default hostname (if no serial number is included in the config file), and example on how to map serial numbers to a hostname [source,yaml] ---- -- module: sophosxg - firewall: +- module: sophos + xg: enabled: true var.input: udp var.syslog_host: 0.0.0.0 var.syslog_port: 9005 - var.host_name: firewall.localgroup.local + var.default_host_name: firewall.localgroup.local + var.known_devices: + "1234567890123457": "a.host.local" + "1234234590678557": "b.host.local" ---- include::../include/var-paths.asciidoc[] @@ -63,7 +70,7 @@ Default to `firewall.localgroup.local` [float] ==== SophosXG ECS fields -This is a list of FortiOS fields that are mapped to ECS. +This is a list of SophosXG fields that are mapped to ECS. [options="header"] |============================================================== diff --git a/x-pack/filebeat/module/sophosxg/_meta/fields.yml b/x-pack/filebeat/module/sophos/_meta/fields.yml similarity index 50% rename from x-pack/filebeat/module/sophosxg/_meta/fields.yml rename to x-pack/filebeat/module/sophos/_meta/fields.yml index 63386abd814..ea0412ba5ca 100644 --- a/x-pack/filebeat/module/sophosxg/_meta/fields.yml +++ b/x-pack/filebeat/module/sophos/_meta/fields.yml 
@@ -1,9 +1,9 @@ -- key: sophosxg - title: "sophosxg" +- key: sophos + title: "sophos" description: > - sophosxg Module + sophos Module fields: - - name: sophosxg + - name: sophos type: group description: > fields: diff --git a/x-pack/filebeat/module/sophos/fields.go b/x-pack/filebeat/module/sophos/fields.go new file mode 100644 index 00000000000..11b91b9dd6d --- /dev/null +++ b/x-pack/filebeat/module/sophos/fields.go 
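Review bot: The `sophos` group in this hunk carries `description: >` with no text under it, so the folded scalar is empty and the group appears in the generated field reference without any description. `title: "sophos"` and `sophos Module` are also lowercase while the reference config header in this same commit reads `Sophos Module`. Suggest `title: "Sophos"`, `description: >` followed by `Sophos Module`, and a group description in line with the module docs added by this commit, such as `Fields from Sophos products; currently the XG firewall fileset.`.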
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package sophos + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "sophos", asset.ModuleFieldsPri, AssetSophos); err != nil { + panic(err) + } +} + +// AssetSophos returns asset data. +// This is the base64 encoded gzipped contents of module/sophos. +func AssetSophos() string { + return "eJzUXMFy4zYSvc9XoJLLpCrj3dmjD1vl2J4dV40nWklOjiwIbJFYgwADgJLl0/zDXpOfmy/ZAkjKpAQKtNRKZj0nUZrXj92N7kY3yHfkETaXxKgyV+YNIZZbAZfku/rCd28IScEwzUvLlbwk/3xDCGl+Te5VWgl4Q8iSg0jNpf/uHZG0gA6i+7ObEi5JplVVNlcCqH2cLtZTtr0UwnJ/GgRQA5dkAZZ2rqewpJWwiYe+JEsqDPS+DtCo/+q7I0ulSUm14TJr7ukpI2ZjhMouOr/fpd6ln8KKM+h91d7GI2zWSqc73x1gVX/dwwvLpDYsMfBFRNwNtUDebjabzbuieJemP5B1DpLYHAisQFqiGKu0hvQwI8sLeFYSUQ9zXgB5m+eXRXFpzJG0amUm7gMes3uVgiCyKhagiVp6UqOsVpPhu+JOoDIDzekxXITKUIk8SP5bBeT9PwjLqabMgjaEqRTI27+/d//e/xAn5OQjOtCmBKeS2l/gIrsgS65hTYWor8UJMVWUSnZ/ejKr6xaSaDClkoYvmjgkVJa5OOSZfmiZ6joIR4iaaoGrvFm18P99q8DDHPJFkgMVNsdj8BGotguglhhLbWUOEyg1V5rbDebSWoFDJAJWIPza0nS55OwwkR2yJ9N4EJYXLkbXwB0e5OuX/5IrIdQaUqI0uQHJo/Gw0tRJCvITSmavTB6VpgsunJY6vN4aYEqmJrLil+vEOfdQGOLSQgb6dYS2y2bqsvvdDVnnnOWEG0LLUnCnqDqJjLJlZUAj5459yGHJu1XQiaL/5eA8PrGqUYxThZNFFuCsH1lknCLSuZMWtARLrhgDY0ipBGcbZ7NjTMVLk9QIqP50N5mdSKwhhRudJzUlH6BbUlaNJ0XLcsmFBX0OnV05QsyHGfLBS2lVeIz+6Ata0uP8f0AYz+BdivHo0dUZbvg6nofm5hGPx5SbxyYxU2N4Jl8WQEj/UXYWWC6VUBliATHfYraF+VHUGLWQKY1IrGtEblwdqsQKUrLYEKdKaisNrqAwG8lyrSR/hvRV3FvExTejzYSbhAlVIe54drR43UMP5yiZuPiklxSzX3DXQvpNBJdMFW4X0cSqH/124kcyUdqSq8P8VGXPT1BVNlNDBH+K1NaaJTxcguxdjpD6WfOMSyqIUZVmQO4mhKapdoXI6Epfs6SgDE9Ru5zur66PIsVUJa3eJG77jblxTaFdeo2Efh35oslRxWRqLLoxUzCWy3pNHmFRR+kvUt4O81EaLLWyiimBWFc2iN2G0livK5UOt0mOqsl214JDd3Tm1xNCZUoebibjbXom
al2bHc2Ps6JE3h3cXd9Pts2b+sNoJrhu74WzxvfHMzEgbVI+2nAb5fVtirmyvSZpSdkjWOPlHGaigQFfQfpnsGlljdDNYmPhXHQ89jjVrP4EIuO0YjWVJnFhaD95HJdT5g5RUAtpoEQIFTJjCeIGo32aPhIdSxAxKXeYDaTlU0ieTYt7Qf31LI1mz0rCeaYZjZWdgLZ0/nT1eRQhPDKfabFLJpqFz6eSrsm6evk1ppeGFb5edhlFaHCdpNwg9lbnE59THDIw96MLMlGmHjWtqKjAXH798rvS2dcvf/xIvn75XUMpNu2Hr1/+OEyYKSn7Q6GTGd/WQ125LYm5IUJlbmedgQTt1macFGofsxlp8hSk5UteJyV/6yzec1ih07neSiZ3N+1eoqDGgh7Niqfl+bvkJ41cOgxxO5cdjn4Ewi/gYu/iSdS3vTPMwfps25C7uxkrvjC7ldcpY9AtgQKMMTSLBDMmqDF8id4Bf+ExICFcpFYCEvzZ8KRB9NuarQ8dplIKapdKF4gsGsQ2GDReehExEHo/2WngpXHc4kdoWKozQEwgxynDZzHMczBX84nPZWCjCxbKpKowZd/KtFRcWvLwEJNtcw3UIs+G5pMQbjhY+cLx2+nldgq2b6wnKVTGZVKZvZx8oqU8LunhDq8Q3Lrdia8PZfVww+KfgFV+DlZSzNNFnkOLTXrYQR50dZ6y5J6KNdVADKNSuh0mWjmy1KpIoKBcJI3PISZjkClo4tHJLno44KhzcZmCCyTg4t4r+Jhq8R9gmBsYL3sXNijb/dLw57AXHVWA7yGG9yRcY55M83AjTgF8mE+SSiNOKT7MJ+Rh+sl7eLNGai5rakiq1lIomsa2i47VdnuMx+2mhXQB3hH1Lasl6EvyUDpe/qRewzGygLkAXDeZ8eftFMqhE5tT6zaPlnIJ6Y6DDJLCjcQTavMeqYaPC4YjCeGG5A+OhI+/1BjFuG8LrrnNX06fRyjZkqmioBKxtnOu1IC6pJ3Wx+Ff3H6pKhnxJ9Q1ePL6S1VBucS13I3HPI3XbxXVVFqO2Rb0Lu4s1zprz99fJMZGP5ol51Bbk81r6BEBPTX2LDym9ajnFUw0UIMZvacej6zzjTePBqZ0WrsPWGAuEFBDTEmLvxVUcMZVLDxpWILGrN2nO4BhTylpQZEz26ykBbka0WR0xQjmtnYHL7JqE2yf+PcWetfdwqr3x/SR5+iz+ux/DzQoXa1Aa55CYtUjICrh5waX9HGDHJj6hvrwW4XQyuZK82fMtbjVSgA8vAtyxWC9MBFXyPwFtTMauPrFbyojDbDKF6WJS0TIp1CacreuM6P7/C4P3KzS5RHPKLm1ZfNgFgyu4defbWjPwHyczyftg1+jHgH5k5//GNk7PtOTei08qXxBUlNcw8JwC2RJhYgdKWxqvHO4c7tnG+vQ8MTAg+HtuD9xY7eHCHNgj8ZJEVVan91ew6IjNWZJJS16Y6+1Y33K0QsYGZ1xl/w2Lo94RIFZvuJ2g0vgV1hsHyFpBNR77YJalrsqUqaEUb+Rc8pqfqvBVMJGLNd3cuwNVNfJR7Txc/reVIgjrdnHq/eNb1fbUQ63UJAFcJkRKqnYPMc2SgX4QSXqA873NWZ0quMKE0y5vbH/qNtGv+dIoPNt3TP1U2dj+ql+IeA2pXwPKD4VSI2t96qIS7AzLrrpYw/fPG6b0N/8LNpO7hSzqCutX84e5tAUB6iRuwc4rHP8pmM83vqk+mSTUsOSP6EGGZesyaSPG4753MIZHkqbuRrvehf2oBZMtcTXwpMlsz5ueOVz76BUYw8Eb7bA/jRhvHrB7HXUp/DGNHlwB9IP0TF0a3NfQOGb/L4HO2Dx8w2LIlaubJ4wwVEPXF5VNifXfdBh6QWwnEpuEEs9T2Afd7CoqjWFu9iuw7hBDhoKZUGCXSuN+CRzGDbIQChGRUYtrCli4P0UQh2Wj66ATyHUiBfgbluvw7hBDkqkK9AGNQz8vI8ZlC1hjS778z5m
UDYv0Q9u3O1Bhq3uY1RS5hvDGT3DAZI6CJJWwLjzIw2rXBmLXAA0dBzymAkYXScp7b0U70T5U7omPcSg3HvU+cZ9dLBhwBjcrjmZ7UGGJVuqreUDJn79C/dme3gH0g3Ww1hTj0buJoeFOlrG0iIs9PX3uo8XFDvbmE8qS2a3019up8nnq/tbRCt7bFJjkx52kMuCsseqTApU//7Jg5Ii7ub+BCvi3ffxBpaWXmEW87M+XlCmi254Ej920QZWUz1yGVzHrx/pTEOQA3WLeuSIRt3BC8r8rQK9MVbzvds6QXAINCgdnqxGTEl9uKDEycfJ7HY26/SLTpa6DzmcHxLsBEHiblWfzMaTW2/+x2SmFLXfN729ifb5FppKliNXWj950BFtlqp02kyRcvE+WrjiTgUkrKyCMpdC0d0AGhHr8Mj330eceWMsFJhia8SIfg3ov0Am4hmVHlpYnuSIGa+HFi7llKUiKaAY6tIe96C8f0fDfR81KH+pAXEk0UML36+m0hTcWkhBa6URN4gdaLKDPRAg61dWYPNocV9F4nHB0d5csiXQB43ZA5NC1xavY5FqVZ6DRR/3oC0wKWxtMUI+U0JwM3gW5ZjjTHuA4RyG/za5fcig5Gsllzw79LbjI/JKGDQon0yhVHrA7Y8QvYcXlLp9SBpL7D5gUO4cBloGR4jsYQ2WC4hhtQ8XLosMZsHbQwvKw3zPMo1os+5kmsS/sAL3RhvoTuO+vvf/BQAA//8gM69j" +} diff --git a/x-pack/filebeat/module/sophosxg/module.yml b/x-pack/filebeat/module/sophos/module.yml similarity index 100% rename from x-pack/filebeat/module/sophosxg/module.yml rename to x-pack/filebeat/module/sophos/module.yml diff --git a/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml b/x-pack/filebeat/module/sophos/xg/_meta/fields.yml similarity index 98% rename from x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml rename to x-pack/filebeat/module/sophos/xg/_meta/fields.yml index 69d2796ca57..efb17a6a7b8 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/_meta/fields.yml +++ b/x-pack/filebeat/module/sophos/xg/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: firewall +- name: xg type: group release: beta default_field: false @@ -9,7 +9,7 @@ type: keyword description: > device - + - name: date type: date description: > @@ -19,12 +19,12 @@ type: keyword description: > Time (hh:mm:ss) when the event occurred - + - name: device_name type: keyword description: > Model number of the device - + - name: device_id type: keyword description: 
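Review bot: Every exported field moves from `sophosxg.firewall.*` to `sophos.xg.*` once `- name: firewall` becomes `- name: xg` here (together with the `key: sophosxg` to `sophos` change in `_meta/fields.yml`), and nothing in the commit migrates or documents that break for saved searches, visualizations and detection rules written against the old names; documents already indexed by the old module keep the old field names and will not match queries on the new ones. The group is marked `release: beta` in this hunk, which makes the rename permissible, but the diffstat visible here lists no changelog entry for it. Consider recording it as a breaking change in the project changelog and adding a comment above the group, `# renamed from sophosxg.firewall; data indexed by the old module keeps the old field names`, so a reader of an index holding both namespaces understands why.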
> @@ -34,17 +34,17 @@ type: keyword description: > Unique 12 characters code (0101011) - + - name: log_type type: keyword description: > Type of event e.g. firewall event - + - name: log_component type: keyword description: > Component responsible for logging e.g. Firewall rule - + - name: log_subtype type: keyword description: > @@ -59,7 +59,7 @@ type: keyword description: > Severity level of traffic - + - name: status type: keyword description: > @@ -69,17 +69,17 @@ type: long description: > Durability of traffic (seconds) - + - name: fw_rule_id type: integer description: > Firewall Rule ID which is applied on the traffic - + - name: user_name type: keyword description: > user_name - + - name: user_group type: keyword description: > @@ -124,7 +124,7 @@ type: keyword description: > Risk level assigned to the application - + - name: application_technology type: keyword description: > @@ -154,7 +154,7 @@ type: keyword description: > Interface for outgoing traffic, e.g., Port B - + - name: src_ip type: ip description: > @@ -164,17 +164,17 @@ type: keyword description: > Original source MAC address of traffic - + - name: src_country_code type: keyword description: > Code of the country to which the source IP belongs - + - name: dst_ip type: ip description: > Original destination IP address of traffic - + - name: dst_country_code type: keyword description: > @@ -194,7 +194,7 @@ type: integer description: > Original destination port of TCP and UDP traffic - + - name: icmp_type type: keyword description: > @@ -204,17 +204,17 @@ type: keyword description: > ICMP code of ICMP traffic - + - name: sent_pkts type: long description: > Total number of packets sent - + - name: received_pkts type: long description: > Total number of packets received - + - name: sent_bytes type: long description: > @@ -234,7 +234,7 @@ type: integer description: > Translated source port for outgoing traffic - + - name: trans_dst_ip type: ip description: 
> @@ -244,17 +244,17 @@ type: integer description: > Translated destination port for outgoing traffic - + - name: srczonetype type: keyword description: > Type of source zone, e.g., LAN - + - name: srczone type: keyword description: > Name of source zone - + - name: dstzonetype type: keyword description: > @@ -269,12 +269,12 @@ type: keyword description: > TPacket direction. Possible values:“org”, “reply”, “” - + - name: connevent type: keyword description: > Event on which this log is generated - + - name: conn_id type: integer description: > @@ -289,7 +289,7 @@ type: integer description: > IPS policy ID which is applied on the traffic - + - name: idp_policy_name type: keyword description: > @@ -304,12 +304,12 @@ type: keyword description: > Signature messsage - + - name: classification type: keyword description: > Signature classification - + - name: rule_priority type: keyword description: > @@ -334,12 +334,12 @@ type: keyword description: > ATP Evenet ID - + - name: ep_uuid type: keyword description: > Endpoint UUID - + - name: threatname type: keyword description: > @@ -374,12 +374,12 @@ type: keyword description: > Malware scanning policy name which is applied on the traffic - + - name: from_email_address type: keyword description: > Sender email address - + - name: to_email_address type: keyword description: > @@ -414,7 +414,7 @@ type: integer description: > Size of the file that contained virus - + - name: filepath type: keyword description: > @@ -424,7 +424,7 @@ type: keyword description: > File name associated with the event - + - name: ftpcommand type: keyword description: > @@ -484,12 +484,12 @@ type: keyword description: > Status code - + - name: override_token type: keyword description: > Override token - + - name: con_id type: integer description: > @@ -648,7 +648,7 @@ - name: context_match type: keyword description: > - Context Match + Context Match - name: direction type: keyword 
@@ -669,7 +669,7 @@ type: keyword description: > Connectionname - + - name: remotenetwork type: keyword description: > @@ -934,4 +934,3 @@ type: keyword description: > clients connection ssid - \ No newline at end of file diff --git a/x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml b/x-pack/filebeat/module/sophos/xg/config/config.yml similarity index 100% rename from x-pack/filebeat/module/sophosxg/firewall/config/firewall.yml rename to x-pack/filebeat/module/sophos/xg/config/config.yml diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml b/x-pack/filebeat/module/sophos/xg/ingest/antispam.yml similarity index 82% rename from x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml rename to x-pack/filebeat/module/sophos/xg/ingest/antispam.yml index 63d984d868c..dc58149d7c7 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/antispam.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/antispam.yml @@ -8,7 +8,7 @@ processors: value: event - set: field: event.action - value: "{{sophosxg.firewall.log_subtype}}" + value: "{{sophos.xg.log_subtype}}" ignore_empty_value: true - set: field: event.outcome 
@@ -17,15 +17,15 @@ processors: - set: field: event.kind value: alert - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' - append: field: event.category value: malware - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' - append: field: event.category value: intrusion_detection - if: "ctx.sophosxg?.firewall?.message_id == '13012'" + if: "ctx.sophos?.xg?.message_id == '13012'" - append: field: event.category value: network 
@@ -34,34 +34,34 @@ processors: value: - allowed - connection - if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.sophosxg?.firewall?.message_id)' + if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.sophos?.xg?.message_id)' - append: field: event.type value: - info - denied - connection - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophosxg?.firewall?.message_id)' + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' #################################### ## ECS Server/Destination Mapping ## #################################### - rename: - field: sophosxg.firewall.dst_ip + field: sophos.xg.dst_ip target_field: destination.ip ignore_missing: true - if: "ctx.sophosxg?.firewall?.dst_ip != null" + if: "ctx.sophos?.xg?.dst_ip != null" - set: field: server.ip value: '{{destination.ip}}' ignore_empty_value: true - convert: - field: sophosxg.firewall.dst_port + field: sophos.xg.dst_port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.dst_port != null" + if: "ctx.sophos?.xg?.dst_port != null" - set: field: server.port value: '{{destination.port}}' @@ -72,12 +72,12 @@ processors: ignore_failure: true ignore_missing: true - convert: - field: sophosxg.firewall.recv_bytes + field: sophos.xg.recv_bytes target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.recv_bytes != null" + if: "ctx.sophos?.xg?.recv_bytes != null" - set: field: server.bytes value: '{{destination.bytes}}' 
@@ -89,7 +89,7 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - rename: - field: sophosxg.firewall.to_email_address + field: sophos.xg.to_email_address target_field: destination.user.email ignore_missing: true @@ -97,7 +97,7 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: sophosxg.firewall.src_ip + field: sophos.xg.src_ip target_field: source.ip ignore_missing: true - set: @@ -105,12 +105,12 @@ processors: value: '{{source.ip}}' ignore_empty_value: true - convert: - field: sophosxg.firewall.src_port + field: sophos.xg.src_port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.src_port != null" + if: "ctx.sophos?.xg?.src_port != null" - set: field: client.port value: '{{source.port}}' @@ -121,12 +121,12 @@ processors: ignore_failure: true ignore_missing: true - convert: - field: sophosxg.firewall.sent_bytes + field: sophos.xg.sent_bytes target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.sent_bytes != null" + if: "ctx.sophos?.xg?.sent_bytes != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -138,11 +138,11 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - rename: - field: sophosxg.firewall.from_email_address + field: sophos.xg.from_email_address target_field: source.user.email ignore_missing: true - rename: - field: sophosxg.firewall.src_domainname + field: sophos.xg.src_domainname target_field: source.domain ignore_missing: true @@ -150,7 +150,7 @@ processors: ## ECS Network/Geo Mapping ## ############################# - rename: - field: sophosxg.firewall.protocol + field: sophos.xg.protocol target_field: network.transport ignore_missing: true - geoip: 
@@ -229,12 +229,12 @@ processors: ############# - remove: field: - - sophosxg.firewall.dst_port - - sophosxg.firewall.recv_bytes - - sophosxg.firewall.src_port - - sophosxg.firewall.sent_bytes + - sophos.xg.dst_port + - sophos.xg.recv_bytes + - sophos.xg.src_port + - sophos.xg.sent_bytes ignore_missing: true on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml similarity index 71% rename from x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml rename to x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml index 54747b7a89c..bb2548bf941 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/antivirus.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml 
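Review bot: The trailing `remove` drops `sophos.xg.dst_port`, `sophos.xg.recv_bytes`, `sophos.xg.src_port` and `sophos.xg.sent_bytes` unconditionally, while the `convert` processors earlier in this pipeline that populate `destination.port`, `destination.bytes`, `source.port` and `source.bytes` from them run with `ignore_failure: true`; a non-numeric value therefore fails conversion silently and is then deleted, so the document ends up with neither the ECS field nor the vendor field. For an audit source it is safer to keep the original when the conversion did not produce a target, e.g. one `remove` per field guarded with `if: "ctx.destination?.port != null"` and the matching target field for the other three. The same pattern is in the final hunk of `ingest/antivirus.yml`, which additionally removes `sophos.xg.status_code` and `sophos.xg.file_size` after `ignore_failure: true` conversions.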
@@ -8,41 +8,41 @@ processors: value: alert - set: field: event.action - value: "{{sophosxg.firewall.log_subtype}}" - if: "ctx.sophosxg?.firewall?.log_subtype != null" + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" - set: field: event.outcome value: success - if: "ctx.sophosxg?.firewall?.log_subtype != null" + if: "ctx.sophos?.xg?.log_subtype != null" - append: field: event.category value: - malware - network - if: "ctx.sophosxg?.firewall?.log_subtype == 'Virus'" + if: "ctx.sophos?.xg?.log_subtype == 'Virus'" - append: field: event.type value: - info - denied - connection - if: "ctx.sophosxg?.firewall?.log_subtype == 'Virus'" + if: "ctx.sophos?.xg?.log_subtype == 'Virus'" - set: field: event.kind value: event - if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' + if: '["09002"].contains(ctx.sophos?.xg?.message_id)' - append: field: event.type value: - allowed - connection - if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' + if: '["09002"].contains(ctx.sophos?.xg?.message_id)' - append: field: event.category value: network - if: '["09002"].contains(ctx.sophosxg?.firewall?.message_id)' + if: '["09002"].contains(ctx.sophos?.xg?.message_id)' - rename: - field: sophosxg.firewall.log_id + field: sophos.xg.log_id target_field: event.code ignore_missing: true if: "ctx.event?.code == null" 
@@ -51,21 +51,21 @@ processors: ## ECS Server/Destination Mapping ## #################################### - rename: - field: sophosxg.firewall.dst_ip + field: sophos.xg.dst_ip target_field: destination.ip ignore_missing: true - if: "ctx.sophosxg?.firewall?.dst_ip != null" + if: "ctx.sophos?.xg?.dst_ip != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - convert: - field: sophosxg.firewall.dst_port + field: sophos.xg.dst_port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.dst_port != null" + if: "ctx.sophos?.xg?.dst_port != null" - set: field: server.port value: '{{destination.port}}' @@ -78,12 +78,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: sophosxg.firewall.recv_bytes + field: sophos.xg.recv_bytes target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.recv_bytes != null" + if: "ctx.sophos?.xg?.recv_bytes != null" - set: field: server.bytes value: '{{destination.bytes}}' 
@@ -96,30 +96,30 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - rename: - field: sophosxg.firewall.to_email_address + field: sophos.xg.to_email_address target_field: destination.user.email ignore_missing: true - if: "ctx.sophosxg?.firewall?.to_email_address != null" + if: "ctx.sophos?.xg?.to_email_address != null" ############################### ## ECS Client/Source Mapping ## ############################### - rename: - field: sophosxg.firewall.src_ip + field: sophos.xg.src_ip target_field: source.ip ignore_missing: true - if: "ctx.sophosxg?.firewall?.src_ip != null" + if: "ctx.sophos?.xg?.src_ip != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - convert: - field: sophosxg.firewall.src_port + field: sophos.xg.src_port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.src_port != null" + if: "ctx.sophos?.xg?.src_port != null" - set: field: client.port value: '{{source.port}}' @@ -132,12 +132,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: sophosxg.firewall.sent_bytes + field: sophos.xg.sent_bytes target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.sent_bytes != null" + if: "ctx.sophos?.xg?.sent_bytes != null" - set: field: client.bytes value: '{{source.bytes}}' 
@@ -150,21 +150,21 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - rename: - field: sophosxg.firewall.user_name + field: sophos.xg.user_name target_field: source.user.name ignore_missing: true - if: "ctx.sophosxg?.firewall?.user_name != null" + if: "ctx.sophos?.xg?.user_name != null" - rename: - field: sophosxg.firewall.from_email_address + field: sophos.xg.from_email_address target_field: source.user.email ignore_missing: true - if: "ctx.sophosxg?.firewall?.from_email_address != null" + if: "ctx.sophos?.xg?.from_email_address != null" ###################### ## ECS Rule Mapping ## ###################### - rename: - field: sophosxg.firewall.fw_rule_id + field: sophos.xg.fw_rule_id target_field: rule.id ignore_missing: true if: "ctx.rule?.id == null" 
@@ -173,71 +173,71 @@ processors: ## ECS URL Mapping ## ##################### - rename: - field: sophosxg.firewall.url + field: sophos.xg.url target_field: url.original ignore_missing: true - if: "ctx.sophosxg?.firewall?.url != null" + if: "ctx.sophos?.xg?.url != null" - rename: - field: sophosxg.firewall.domainname + field: sophos.xg.domainname target_field: url.domain ignore_missing: true - if: "ctx.sophosxg?.firewall?.domainname != null" + if: "ctx.sophos?.xg?.domainname != null" - rename: - field: sophosxg.firewall.dst_domainname + field: sophos.xg.dst_domainname target_field: url.domain ignore_missing: true - if: "ctx.sophosxg?.firewall?.dst_domainname != null && ctx?.url?.domain == null" + if: "ctx.sophos?.xg?.dst_domainname != null && ctx?.url?.domain == null" - rename: - field: sophosxg.firewall.src_domainname + field: sophos.xg.src_domainname target_field: url.domain ignore_missing: true - if: "ctx.sophosxg?.firewall?.src_domainname != null" + if: "ctx.sophos?.xg?.src_domainname != null" ############################ ## ECS User Agent Mapping ## ############################ - rename: - field: sophosxg.firewall.user_agent + field: sophos.xg.user_agent target_field: user_agent.original ignore_missing: true - if: "ctx.sophosxg?.firewall?.user_agent != null" + if: "ctx.sophos?.xg?.user_agent != null" - convert: - field: sophosxg.firewall.status_code + field: sophos.xg.status_code target_field: http.response.status_code type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.status_code != null" + if: "ctx.sophos?.xg?.status_code != null" ###################### ## ECS File Mapping ## ###################### - rename: - field: sophosxg.firewall.filename + field: sophos.xg.filename target_field: file.name ignore_missing: true - if: "ctx.sophosxg?.firewall?.filename != null" + if: "ctx.sophos?.xg?.filename != null" - convert: - field: sophosxg.firewall.file_size + field: sophos.xg.file_size target_field: file.size type: long 
ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.file_size != null" + if: "ctx.sophos?.xg?.file_size != null" - rename: - field: sophosxg.firewall.file_path + field: sophos.xg.file_path target_field: file.directory ignore_missing: true - if: "ctx.sophosxg?.firewall?.file_path != null" + if: "ctx.sophos?.xg?.file_path != null" ############################# ## ECS Network/Geo Mapping ## ############################# - rename: - field: sophosxg.firewall.protocol + field: sophos.xg.protocol target_field: network.transport ignore_missing: true - if: "ctx.sophosxg?.firewall?.protocol != null" + if: "ctx.sophos?.xg?.protocol != null" - geoip: field: source.ip target_field: source.geo @@ -333,14 +333,14 @@ processors: ignore_failure: true - remove: field: - - sophosxg.firewall.dst_port - - sophosxg.firewall.src_port - - sophosxg.firewall.recv_bytes - - sophosxg.firewall.sent_bytes - - sophosxg.firewall.status_code - - sophosxg.firewall.file_size + - sophos.xg.dst_port + - sophos.xg.src_port + - sophos.xg.recv_bytes + - sophos.xg.sent_bytes + - sophos.xg.status_code + - sophos.xg.file_size ignore_missing: true on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml similarity index 81% rename from x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml rename to x-pack/filebeat/module/sophos/xg/ingest/atp.yml index 0083725aec9..df6ed8b35ca 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/atp.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml 
@@ -8,54 +8,54 @@ processors:
value: alert
- set:
field: event.action
- value: "{{sophosxg.firewall.log_subtype}}"
- if: "ctx.sophosxg?.firewall?.log_subtype != null"
+ value: "{{sophos.xg.log_subtype}}"
+ if: "ctx.sophos?.xg?.log_subtype != null"
- set:
field: event.outcome
value: success
- if: "ctx.sophosxg?.firewall?.log_subtype != null"
+ if: "ctx.sophos?.xg?.log_subtype != null"
- append:
field: event.category
value:
- intrusion_detection
- network
- if: '["18009", "18010"].contains(ctx.sophosxg?.firewall?.message_id)'
+ if: '["18009", "18010"].contains(ctx.sophos?.xg?.message_id)'
- append:
field: event.type
value:
- denied
- connection
- if: '["18009", "18010"].contains(ctx.sophosxg?.firewall?.message_id)'
+ if: '["18009", "18010"].contains(ctx.sophos?.xg?.message_id)'
- rename:
- field: sophosxg.firewall.log_id
+ field: sophos.xg.log_id
target_field: event.code
ignore_missing: true
if: "ctx.event?.code == null"
- rename:
- field: sophosxg.firewall.eventid
+ field: sophos.xg.eventid
target_field: event.id
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.eventid != null"
+ if: "ctx.sophos?.xg?.eventid != null"
####################################
## ECS Server/Destination Mapping ##
####################################
- rename:
- field: sophosxg.firewall.destinationip
+ field: sophos.xg.destinationip
target_field: destination.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.destinationip != null"
+ if: "ctx.sophos?.xg?.destinationip != null"
- set:
field: server.ip
value: '{{destination.ip}}'
if: "ctx.destination?.ip != null"
- convert:
- field: sophosxg.firewall.dst_port
+ field: sophos.xg.dst_port
target_field: destination.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.dst_port != null"
+ if: "ctx.sophos?.xg?.dst_port != null"
- set:
field: server.port
value: '{{destination.port}}'
@@ -72,30 +72,30 @@ processors:
## ECS Client/Source Mapping ##
###############################
- rename:
- field: sophosxg.firewall.sourceip
+ field: sophos.xg.sourceip
target_field: source.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.sourceip != null"
+ if: "ctx.sophos?.xg?.sourceip != null"
- set:
field: client.ip
value: '{{source.ip}}'
if: "ctx.source?.ip != null"
- rename:
- field: sophosxg.firewall.src_ip
+ field: sophos.xg.src_ip
target_field: source.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_ip != null"
+ if: "ctx.sophos?.xg?.src_ip != null"
- set:
field: client.ip
value: '{{source.ip}}'
if: "ctx.source?.ip != null"
- convert:
- field: sophosxg.firewall.src_port
+ field: sophos.xg.src_port
target_field: source.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_port != null"
+ if: "ctx.sophos?.xg?.src_port != null"
- set:
field: client.port
value: '{{source.port}}'
@@ -108,7 +108,7 @@ processors:
ignore_missing: true
if: "ctx.client?.port != null"
- rename:
- field: sophosxg.firewall.user_name
+ field: sophos.xg.user_name
target_field: source.user.name
ignore_missing: true
@@ -116,19 +116,19 @@ processors:
## ECS URL Mapping ##
#####################
- rename:
- field: sophosxg.firewall.url
+ field: sophos.xg.url
target_field: url.original
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.url != null"
+ if: "ctx.sophos?.xg?.url != null"
#############################
## ECS Network/Geo Mapping ##
#############################
- rename:
- field: sophosxg.firewall.protocol
+ field: sophos.xg.protocol
target_field: network.transport
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.protocol != null"
+ if: "ctx.sophos?.xg?.protocol != null"
- geoip:
field: source.ip
target_field: source.geo
@@ -233,8 +233,8 @@ processors:
ignore_failure: true
- remove:
field:
- - sophosxg.firewall.dst_port
- - sophosxg.firewall.src_port
+ - sophos.xg.dst_port
+ - sophos.xg.src_port
ignore_missing: true
on_failure:
- set:
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml
similarity index 75%
rename from x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml
rename to x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml
index 634e8deb11b..a9dedb4070f 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/ingest/cfilter.yml
+++ b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml
@@ -8,41 +8,41 @@ processors:
value: event
- set:
field: event.action
- value: "{{sophosxg.firewall.log_subtype}}"
- if: "ctx.sophosxg?.firewall?.log_subtype != null"
+ value: "{{sophos.xg.log_subtype}}"
+ if: "ctx.sophos?.xg?.log_subtype != null"
- set:
field: event.outcome
value: success
- if: "ctx.sophosxg?.firewall?.log_subtype != null"
+ if: "ctx.sophos?.xg?.log_subtype != null"
- set:
field: event.kind
value: alert
- if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"'
+ if: 'ctx.sophos?.xg?.log_subtype == "Denied"'
- append:
field: event.category
value:
- malware
- network
- if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"'
+ if: 'ctx.sophos?.xg?.log_subtype == "Denied"'
- append:
field: event.category
value: network
- if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'"
+ if: "ctx.sophos?.xg?.log_subtype != 'Denied'"
- append:
field: event.type
value:
- allowed
- connection
- if: '["Allowed", "Warned"].contains(ctx.sophosxg?.firewall?.log_subtype)'
+ if: '["Allowed", "Warned"].contains(ctx.sophos?.xg?.log_subtype)'
- append:
field: event.type
value:
- info
- denied
- connection
- if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'"
+ if: "ctx.sophos?.xg?.log_subtype == 'Denied'"
- rename:
- field: sophosxg.firewall.log_id
+ field: sophos.xg.log_id
target_field: event.code
ignore_missing: true
if: "ctx.event?.code == null"
@@ -51,21 +51,21 @@ processors:
## ECS Server/Destination Mapping ##
####################################
- rename:
- field: sophosxg.firewall.dst_ip
+ field: sophos.xg.dst_ip
target_field: destination.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.dst_ip != null"
+ if: "ctx.sophos?.xg?.dst_ip != null"
- set:
field: server.ip
value: '{{destination.ip}}'
if: "ctx.destination?.ip != null"
- convert:
- field: sophosxg.firewall.dst_port
+ field: sophos.xg.dst_port
target_field: destination.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.dst_port != null"
+ if: "ctx.sophos?.xg?.dst_port != null"
- set:
field: server.port
value: '{{destination.port}}'
@@ -82,21 +82,21 @@ processors:
## ECS Client/Source Mapping ##
###############################
- rename:
- field: sophosxg.firewall.src_ip
+ field: sophos.xg.src_ip
target_field: source.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_ip != null"
+ if: "ctx.sophos?.xg?.src_ip != null"
- set:
field: client.ip
value: '{{source.ip}}'
if: "ctx.source?.ip != null"
- convert:
- field: sophosxg.firewall.src_port
+ field: sophos.xg.src_port
target_field: source.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_port != null"
+ if: "ctx.sophos?.xg?.src_port != null"
- set:
field: client.port
value: '{{source.port}}'
@@ -109,57 +109,57 @@ processors:
ignore_missing: true
if: "ctx.client?.port != null"
- rename:
- field: sophosxg.firewall.user_name
+ field: sophos.xg.user_name
target_field: source.user.name
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.user_name != null"
+ if: "ctx.sophos?.xg?.user_name != null"
- rename:
- field: sophosxg.firewall.user_gp
+ field: sophos.xg.user_gp
target_field: source.user.group.name
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.user_gp != null"
+ if: "ctx.sophos?.xg?.user_gp != null"
#####################
## ECS URL Mapping ##
#####################
- rename:
- field: sophosxg.firewall.url
+ field: sophos.xg.url
target_field: url.full
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.url != null"
+ if: "ctx.sophos?.xg?.url != null"
- rename:
- field: sophosxg.firewall.domain
+ field: sophos.xg.domain
target_field: url.domain
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.domain != null"
+ if: "ctx.sophos?.xg?.domain != null"
############################
## ECS User Agent Mapping ##
############################
- rename:
- field: sophosxg.firewall.referer
+ field: sophos.xg.referer
target_field: http.request.referrer
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.referer != null"
+ if: "ctx.sophos?.xg?.referer != null"
- rename:
- field: sophosxg.firewall.status_code
+ field: sophos.xg.status_code
target_field: http.response.status_code
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.status_code != null"
+ if: "ctx.sophos?.xg?.status_code != null"
- rename:
- field: sophosxg.firewall.user_agent
+ field: sophos.xg.user_agent
target_field: user_agent.original
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.user_agent != null"
+ if: "ctx.sophos?.xg?.user_agent != null"
#############################
## ECS Network/Geo Mapping ##
#############################
- rename:
- field: sophosxg.firewall.protocol
+ field: sophos.xg.protocol
target_field: network.transport
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.protocol != null"
+ if: "ctx.sophos?.xg?.protocol != null"
- geoip:
field: source.ip
target_field: source.geo
@@ -261,10 +261,10 @@ processors:
ignore_failure: true
- remove:
field:
- - sophosxg.firewall.dst_port
- - sophosxg.firewall.src_port
- - sophosxg.firewall.recv_bytes
- - sophosxg.firewall.sent_bytes
+ - sophos.xg.dst_port
+ - sophos.xg.src_port
+ - sophos.xg.recv_bytes
+ - sophos.xg.sent_bytes
ignore_missing: true
on_failure:
- set:
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml b/x-pack/filebeat/module/sophos/xg/ingest/event.yml
similarity index 72%
rename from x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml
rename to x-pack/filebeat/module/sophos/xg/ingest/event.yml
index d172166967d..2565434a6f0 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/ingest/event.yml
+++ b/x-pack/filebeat/module/sophos/xg/ingest/event.yml
@@ -9,55 +9,55 @@ processors:
- set:
field: event.outcome
value: success
- if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Successful"'
+ if: 'ctx?.sophos?.xg?.log_subtype == "Authentication" && ctx?.sophos?.xg?.status == "Successful"'
- set:
field: event.outcome
value: failure
- if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication" && ctx?.sophosxg?.firewall?.status == "Failed"'
+ if: 'ctx?.sophos?.xg?.log_subtype == "Authentication" && ctx?.sophos?.xg?.status == "Failed"'
- set:
field: event.outcome
value: success
- if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Successful" && ctx?.sophosxg?.firewall?.message_id == "17507"'
+ if: 'ctx?.sophos?.xg?.log_subtype == "Admin" && ctx?.sophos?.xg?.status == "Successful" && ctx?.sophos?.xg?.message_id == "17507"'
- set:
field: event.outcome
value: failure
- if: 'ctx?.sophosxg?.firewall?.log_subtype == "Admin" && ctx?.sophosxg?.firewall?.status == "Failed" && ctx?.sophosxg?.firewall?.message_id == "17507"'
+ if: 'ctx?.sophos?.xg?.log_subtype == "Admin" && ctx?.sophos?.xg?.status == "Failed" && ctx?.sophos?.xg?.message_id == "17507"'
- append:
field: event.type
value:
- user
- start
- if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.sophosxg?.firewall?.message_id)"
+ if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.sophos?.xg?.message_id)"
- append:
field: event.type
value:
- user
- end
- if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.sophosxg?.firewall?.message_id)"
+ if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.sophos?.xg?.message_id)"
- append:
field: event.type
value: connection
- if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophosxg?.firewall?.auth_client)"
+ if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)"
- append:
field: event.category
value: network
- if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophosxg?.firewall?.auth_client)"
+ if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)"
- append:
field: event.category
value: authentication
- if: 'ctx?.sophosxg?.firewall?.log_subtype == "Authentication"'
+ if: 'ctx?.sophos?.xg?.log_subtype == "Authentication"'
- append:
field: event.type
value: info
- if: 'ctx?.sophosxg?.firewall?.message_id == "17819"'
+ if: 'ctx?.sophos?.xg?.message_id == "17819"'
- append:
field: event.category
value:
- host
- malware
- if: 'ctx?.sophosxg?.firewall?.message_id == "17819"'
+ if: 'ctx?.sophos?.xg?.message_id == "17819"'
- rename:
- field: sophosxg.firewall.log_id
+ field: sophos.xg.log_id
target_field: event.code
ignore_missing: true
if: "ctx.event?.code == null"
@@ -66,26 +66,26 @@ processors:
## ECS Server/Destination Mapping ##
####################################
- rename:
- field: sophosxg.firewall.dst_ip
+ field: sophos.xg.dst_ip
target_field: destination.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.dst_ip != null"
+ if: "ctx.sophos?.xg?.dst_ip != null"
- rename:
- field: sophosxg.firewall.localinterfaceip
+ field: sophos.xg.localinterfaceip
target_field: destination.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.localinterfaceip != null"
+ if: "ctx.sophos?.xg?.localinterfaceip != null"
- set:
field: server.ip
value: '{{destination.ip}}'
if: "ctx.destination?.ip != null"
- convert:
- field: sophosxg.firewall.recv_bytes
+ field: sophos.xg.recv_bytes
target_field: destination.bytes
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.recv_bytes != null"
+ if: "ctx.sophos?.xg?.recv_bytes != null"
- set:
field: server.bytes
value: '{{destination.bytes}}'
@@ -102,35 +102,35 @@ processors:
## ECS Client/Source Mapping ##
###############################
- rename:
- field: sophosxg.firewall.src_ip
+ field: sophos.xg.src_ip
target_field: source.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_ip != null"
+ if: "ctx.sophos?.xg?.src_ip != null"
- rename:
- field: sophosxg.firewall.remoteinterfaceip
+ field: sophos.xg.remoteinterfaceip
target_field: source.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.remoteinterfaceip != null"
+ if: "ctx.sophos?.xg?.remoteinterfaceip != null"
- set:
field: client.ip
value: '{{source.ip}}'
if: "ctx.source?.ip != null"
- rename:
- field: sophosxg.firewall.src_mac
+ field: sophos.xg.src_mac
target_field: source.mac
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_mac != null"
+ if: "ctx.sophos?.xg?.src_mac != null"
- set:
field: client.mac
value: '{{source.mac}}'
if: "ctx.source?.mac != null"
- convert:
- field: sophosxg.firewall.sent_bytes
+ field: sophos.xg.sent_bytes
target_field: source.bytes
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.sent_bytes != null"
+ if: "ctx.sophos?.xg?.sent_bytes != null"
- set:
field: client.bytes
value: '{{source.bytes}}'
@@ -143,25 +143,25 @@ processors:
ignore_missing: true
if: "ctx.client?.bytes != null"
- rename:
- field: sophosxg.firewall.user_name
+ field: sophos.xg.user_name
target_field: source.user.name
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.user_name != null"
+ if: "ctx.sophos?.xg?.user_name != null"
- set:
field: source.user.name
- value: '{{sophosxg.firewall.name}}'
- if: "ctx.sophosxg?.firewall?.name != null"
+ value: '{{sophos.xg.name}}'
+ if: "ctx.sophos?.xg?.name != null"
- rename:
- field: sophosxg.firewall.usergroupname
+ field: sophos.xg.usergroupname
target_field: source.user.group.name
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.usergroupname != null"
+ if: "ctx.sophos?.xg?.usergroupname != null"
#########################
## ECS Message Mapping ##
#########################
- rename:
- field: sophosxg.firewall.message
+ field: sophos.xg.message
target_field: message
ignore_missing: true
@@ -260,11 +260,11 @@ processors:
#############
- remove:
field:
- - sophosxg.firewall.dst_port
- - sophosxg.firewall.recv_bytes
- - sophosxg.firewall.src_port
- - sophosxg.firewall.sent_bytes
- - sophosxg.firewall.name
+ - sophos.xg.dst_port
+ - sophos.xg.recv_bytes
+ - sophos.xg.src_port
+ - sophos.xg.sent_bytes
+ - sophos.xg.name
ignore_missing: true
on_failure:
- set:
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
similarity index 77%
rename from x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml
rename to x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
index fb82e326a77..193af05b836 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/ingest/firewall.yml
+++ b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
@@ -8,45 +8,45 @@ processors:
value: event
- set:
field: event.action
- value: "{{sophosxg.firewall.log_subtype}}"
- if: "ctx.sophosxg?.firewall?.log_subtype != null"
+ value: "{{sophos.xg.log_subtype}}"
+ if: "ctx.sophos?.xg?.log_subtype != null"
- set:
field: event.outcome
value: success
- if: "ctx.sophosxg?.firewall?.log_subtype != null"
+ if: "ctx.sophos?.xg?.log_subtype != null"
- set:
field: event.kind
value: alert
- if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophosxg?.firewall?.message_id)'
+ if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophos?.xg?.message_id)'
- append:
field: event.category
value: intrusion_detection
- if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophosxg?.firewall?.message_id)'
+ if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophos?.xg?.message_id)'
- append:
field: event.category
value: network
- append:
field: event.type
- value:
+ value:
- start
- allowed
- connection
- if: "['Start', 'Interim'].contains(ctx.sophosxg?.firewall?.connevent)"
+ if: "['Start', 'Interim'].contains(ctx.sophos?.xg?.connevent)"
- append:
field: event.type
- value:
+ value:
- end
- allowed
- connection
- if: "ctx.sophosxg?.firewall?.connevent == 'Stop'"
+ if: "ctx.sophos?.xg?.connevent == 'Stop'"
- append:
field: event.type
value:
- denied
- connection
- if: "ctx.sophosxg?.firewall?.status == 'Deny'"
+ if: "ctx.sophos?.xg?.status == 'Deny'"
- rename:
- field: sophosxg.firewall.log_id
+ field: sophos.xg.log_id
target_field: event.code
ignore_missing: true
if: "ctx.event?.code == null"
@@ -55,31 +55,31 @@ processors:
## ECS Server/Destination Mapping ##
####################################
- rename:
- field: sophosxg.firewall.dst_ip
+ field: sophos.xg.dst_ip
target_field: destination.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.dst_ip != null"
+ if: "ctx.sophos?.xg?.dst_ip != null"
- set:
field: server.ip
value: '{{destination.ip}}'
if: "ctx.destination?.ip != null"
- rename:
- field: sophosxg.firewall.tran_dst_ip
+ field: sophos.xg.tran_dst_ip
target_field: destination.nat.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.tran_dst_ip != null"
+ if: "ctx.sophos?.xg?.tran_dst_ip != null"
- rename:
- field: sophosxg.firewall.destinationip
+ field: sophos.xg.destinationip
target_field: destination.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.destinationip !=null"
+ if: "ctx.sophos?.xg?.destinationip !=null"
- convert:
- field: sophosxg.firewall.dst_port
+ field: sophos.xg.dst_port
target_field: destination.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.dst_port != null"
+ if: "ctx.sophos?.xg?.dst_port != null"
- set:
field: server.port
value: '{{destination.port}}'
@@ -92,12 +92,12 @@ processors:
ignore_missing: true
if: "ctx.server?.port != null"
- convert:
- field: sophosxg.firewall.tran_dst_port
+ field: sophos.xg.tran_dst_port
target_field: destination.nat.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.tran_dst_port != null"
+ if: "ctx.sophos?.xg?.tran_dst_port != null"
- set:
field: server.nat.port
value: '{{destination.nat.port}}'
@@ -110,21 +110,21 @@ processors:
ignore_missing: true
if: "ctx.server?.nat?.port != null"
- rename:
- field: sophosxg.firewall.dst_mac
+ field: sophos.xg.dst_mac
target_field: destination.mac
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.dst_mac != null"
+ if: "ctx.sophos?.xg?.dst_mac != null"
- set:
field: server.mac
value: '{{destination.mac}}'
if: "ctx.destination?.mac != null"
- convert:
- field: sophosxg.firewall.recv_bytes
+ field: sophos.xg.recv_bytes
target_field: destination.bytes
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.recv_bytes != null"
+ if: "ctx.sophos?.xg?.recv_bytes != null"
- set:
field: server.bytes
value: '{{destination.bytes}}'
@@ -137,12 +137,12 @@ processors:
ignore_missing: true
if: "ctx.server?.bytes != null"
- convert:
- field: sophosxg.firewall.recv_pkts
+ field: sophos.xg.recv_pkts
target_field: destination.packets
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.recv_pkts !=null"
+ if: "ctx.sophos?.xg?.recv_pkts !=null"
- set:
field: server.packets
value: '{{destination.packets}}'
@@ -159,31 +159,31 @@ processors:
## ECS Client/Source Mapping ##
###############################
- rename:
- field: sophosxg.firewall.src_ip
+ field: sophos.xg.src_ip
target_field: source.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_ip != null"
+ if: "ctx.sophos?.xg?.src_ip != null"
- set:
field: client.ip
value: '{{source.ip}}'
if: "ctx.source?.ip != null"
- rename:
- field: sophosxg.firewall.tran_src_ip
+ field: sophos.xg.tran_src_ip
target_field: source.nat.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.tran_src_ip != null"
+ if: "ctx.sophos?.xg?.tran_src_ip != null"
- rename:
- field: sophosxg.firewall.sourceip
+ field: sophos.xg.sourceip
target_field: source.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.sourceip != null"
+ if: "ctx.sophos?.xg?.sourceip != null"
- convert:
- field: sophosxg.firewall.src_port
+ field: sophos.xg.src_port
target_field: source.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_port != null"
+ if: "ctx.sophos?.xg?.src_port != null"
- set:
field: client.port
value: '{{source.port}}'
@@ -196,12 +196,12 @@ processors:
ignore_missing: true
if: "ctx.client?.port != null"
- convert:
- field: sophosxg.firewall.tran_src_port
+ field: sophos.xg.tran_src_port
target_field: source.nat.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.tran_src_port != null"
+ if: "ctx.sophos?.xg?.tran_src_port != null"
- set:
field: client.nat.port
value: '{{source.nat.port}}'
@@ -212,23 +212,23 @@ processors:
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.client?.nat?.port != null"
+ if: "ctx.client?.nat?.port != null"
- rename:
- field: sophosxg.firewall.src_mac
+ field: sophos.xg.src_mac
target_field: source.mac
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_mac != null"
+ if: "ctx.sophos?.xg?.src_mac != null"
- set:
field: client.mac
value: '{{source.mac}}'
if: "ctx.source?.mac != null"
- convert:
- field: sophosxg.firewall.sent_bytes
+ field: sophos.xg.sent_bytes
target_field: source.bytes
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.sent_bytes != null"
+ if: "ctx.sophos?.xg?.sent_bytes != null"
- set:
field: client.bytes
value: '{{source.bytes}}'
@@ -241,14 +241,14 @@ processors:
ignore_missing: true
if: "ctx.client?.bytes != null"
- trim:
- field: sophosxg.firewall.sent_pkts
+ field: sophos.xg.sent_pkts
- convert:
- field: sophosxg.firewall.sent_pkts
+ field: sophos.xg.sent_pkts
target_field: source.packets
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.sent_pkts != null"
+ if: "ctx.sophos?.xg?.sent_pkts != null"
- set:
field: client.packets
value: '{{source.packets}}'
@@ -261,43 +261,43 @@ processors:
ignore_missing: true
if: "ctx.client?.packets != null"
- rename:
- field: sophosxg.firewall.user_name
+ field: sophos.xg.user_name
target_field: source.user.name
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.user_name != null"
+ if: "ctx.sophos?.xg?.user_name != null"
- rename:
- field: sophosxg.firewall.user_gp
+ field: sophos.xg.user_gp
target_field: source.user.group.name
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.user_gp != null"
+ if: "ctx.sophos?.xg?.user_gp != null"
######################
## ECS Rule Mapping ##
######################
- rename:
- field: sophosxg.firewall.fw_rule_id
+ field: sophos.xg.fw_rule_id
target_field: rule.id
ignore_missing: true
if: "ctx.rule?.id == null"
- rename:
- field: sophosxg.firewall.policy_type
+ field: sophos.xg.policy_type
target_field: rule.ruleset
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.policy_type != null"
+ if: "ctx.sophos?.xg?.policy_type != null"
#############################
## ECS Network/Geo Mapping ##
#############################
- rename:
- field: sophosxg.firewall.application
+ field: sophos.xg.application
target_field: network.protocol
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.application != null"
+ if: "ctx.sophos?.xg?.application != null"
- rename:
- field: sophosxg.firewall.protocol
+ field: sophos.xg.protocol
target_field: network.transport
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.protocol != null"
+ if: "ctx.sophos?.xg?.protocol != null"
- geoip:
field: source.ip
target_field: source.geo
@@ -429,14 +429,14 @@ processors:
ignore_failure: true
- remove:
field:
- - sophosxg.firewall.dst_port
- - sophosxg.firewall.tran_dst_port
- - sophosxg.firewall.recv_bytes
- - sophosxg.firewall.recv_pkts
- - sophosxg.firewall.src_port
- - sophosxg.firewall.tran_src_port
- - sophosxg.firewall.sent_bytes
- - sophosxg.firewall.sent_pkts
+ - sophos.xg.dst_port
+ - sophos.xg.tran_dst_port
+ - sophos.xg.recv_bytes
+ - sophos.xg.recv_pkts
+ - sophos.xg.src_port
+ - sophos.xg.tran_src_port
+ - sophos.xg.sent_bytes
+ - sophos.xg.sent_pkts
ignore_missing: true
on_failure:
- set:
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml
similarity index 80%
rename from x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml
rename to x-pack/filebeat/module/sophos/xg/ingest/idp.yml
index dbbc4b424ae..f10f964eb13 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/ingest/idp.yml
+++ b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml
@@ -8,49 +8,49 @@ processors:
value: alert
- set:
field: event.action
- value: "{{sophosxg.firewall.log_subtype}}"
- if: "ctx.sophosxg?.firewall?.log_subtype != null"
+ value: "{{sophos.xg.log_subtype}}"
+ if: "ctx.sophos?.xg?.log_subtype != null"
- set:
field: event.outcome
value: success
- if: "ctx.sophosxg?.firewall?.log_subtype != null"
+ if: "ctx.sophos?.xg?.log_subtype != null"
- append:
field: event.category
value:
- intrusion_detection
- network
- if: '["06001", "06002", "07001", "07002"].contains(ctx.sophosxg?.firewall?.message_id)'
+ if: '["06001", "06002", "07001", "07002"].contains(ctx.sophos?.xg?.message_id)'
- append:
field: event.type
value:
- denied
- connection
- if: '["06001", "06002", "07001", "07002"].contains(ctx.sophosxg?.firewall?.message_id)'
+ if: '["06001", "06002", "07001", "07002"].contains(ctx.sophos?.xg?.message_id)'
- rename:
- field: sophosxg.firewall.log_id
+ field: sophos.xg.log_id
target_field: event.code
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.log_id != null"
+ if: "ctx.sophos?.xg?.log_id != null"
####################################
## ECS Server/Destination Mapping ##
####################################
- rename:
- field: sophosxg.firewall.dst_ip
+ field: sophos.xg.dst_ip
target_field: destination.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.dst_ip != null"
+ if: "ctx.sophos?.xg?.dst_ip != null"
- set:
field: server.ip
value: '{{destination.ip}}'
if: "ctx.destination?.ip != null"
- convert:
- field: sophosxg.firewall.dst_port
+ field: sophos.xg.dst_port
target_field: destination.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.dst_port != null"
+ if: "ctx.sophos?.xg?.dst_port != null"
- set:
field: server.port
value: '{{destination.port}}'
@@ -67,21 +67,21 @@ processors:
## ECS Client/Source Mapping ##
###############################
- rename:
- field: sophosxg.firewall.src_ip
+ field: sophos.xg.src_ip
target_field: source.ip
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_ip != null"
+ if: "ctx.sophos?.xg?.src_ip != null"
- set:
field: client.ip
value: '{{source.ip}}'
if: "ctx.source?.ip != null"
- convert:
- field: sophosxg.firewall.src_port
+ field: sophos.xg.src_port
target_field: source.port
type: long
ignore_failure: true
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.src_port != null"
+ if: "ctx.sophos?.xg?.src_port != null"
- set:
field: client.port
value: '{{source.port}}'
@@ -94,38 +94,38 @@ processors:
ignore_missing: true
if: "ctx.client?.port != null"
- rename:
- field: sophosxg.firewall.user_name
+ field: sophos.xg.user_name
target_field: source.user.name
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.user_name != null"
+ if: "ctx.sophos?.xg?.user_name != null"
######################
## ECS Rule Mapping ##
######################
- rename:
- field: sophosxg.firewall.signature_id
+ field: sophos.xg.signature_id
target_field: rule.id
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.signature_id != null"
+ if: "ctx.sophos?.xg?.signature_id != null"
- rename:
- field: sophosxg.firewall.signature_msg
+ field: sophos.xg.signature_msg
target_field: rule.name
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.signature_msg != null"
+ if: "ctx.sophos?.xg?.signature_msg != null"
- rename:
- field: sophosxg.firewall.classification
+ field: sophos.xg.classification
target_field: rule.category
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.classification != null"
+ if: "ctx.sophos?.xg?.classification != null"
#############################
## ECS Network/Geo Mapping ##
#############################
- rename:
- field: sophosxg.firewall.protocol
+ field: sophos.xg.protocol
target_field: network.transport
ignore_missing: true
- if: "ctx.sophosxg?.firewall?.protocol != null"
+ if: "ctx.sophos?.xg?.protocol != null"
- geoip:
field: source.ip
target_field: source.geo
@@ -229,8 +229,8 @@ processors:
ignore_failure: true
- remove:
field:
- - sophosxg.firewall.dst_port
- - sophosxg.firewall.src_port
+ - sophos.xg.dst_port
+ - sophos.xg.src_port
ignore_missing: true
on_failure:
- set:
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml
similarity index 73%
rename from x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml
rename to x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml
index b3cc5ccbae1..f408b6f01cd 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml
@@ -16,7 +16,7 @@ processors:
field: log.original
field_split: " (?=[a-z0-9\\_\\-]+=)"
value_split: "="
- prefix: "sophosxg.firewall."
+ prefix: "sophos.xg."
ignore_missing: true
ignore_failure: false
trim_value: "\""
@@ -24,7 +24,7 @@ processors:
# Parse the date
- set:
field: _temp_.time
- value: "{{sophosxg.firewall.date}} {{sophosxg.firewall.time}}"
+ value: "{{sophos.xg.date}} {{sophos.xg.time}}"
- date:
if: "ctx.event.timezone == null"
field: _temp_.time
@@ -48,9 +48,9 @@ processors:
# Sets starts, end and duration when start and duration is known
- script:
lang: painless
- if: ctx?.soposxg?.firewall?.duration != null
+ if: ctx?.sophos?.xg?.duration != null
source: >-
- ctx.event.duration = Integer.parseInt(ctx.sophosxg.firewall.duration) * 1000000000L;
+ ctx.event.duration = Integer.parseInt(ctx.sophos.xg.duration) * 1000000000L;
ctx.event.start = ctx['@timestamp'];
ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS);
@@ -64,20 +64,20 @@ processors:
- "-"
- "N/A"
source: >-
- ctx?.sophosxg?.firewall.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
+ ctx?.sophos?.xg.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
#######################
## ECS Event Mapping ##
#######################
- set:
field: event.module
- value: sophosxg
+ value: sophos
- set:
field: event.dataset
- value: sophosxg.firewall
+ value: sophos.xg
- set:
field: event.severity
- value: "{{sophosxg.firewall.log_id}}"
+ value: "{{sophos.xg.log_id}}"
- rename:
field: log.original
target_field: event.original
@@ -91,7 +91,7 @@ processors:
- gsub:
field: event.severity
pattern: "(.{1,5}$)"
- replacement: ""
+ replacement: ""
#####################
## ECS Log Mapping ##
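Review bot: The `if:` on the duration script in the `@@ -48` hunk is the one line of this commit that changes behaviour rather than a name: the old condition read `ctx?.soposxg?.firewall?.duration` (a typo that could never match), so `event.duration`, `event.start` and `event.end` were never populated, and the corrected `ctx?.sophos?.xg?.duration != null` now runs the script for every event that carries `duration`. That deserves a sentence in the commit message, and the updated `*-expected.json` fixtures should include at least one event with a `duration` so the newly emitted fields are actually covered. The script also feeds a device-supplied string to `Integer.parseInt`, which throws on a non-numeric or out-of-int-range value and, via the pipeline-level `on_failure` handler visible at the end of the last hunk, turns the whole event into an `error.message`; `ctx.event.duration = Long.parseLong(ctx.sophos.xg.duration) * 1000000000L;` would at least cover the full range of values. The `script` processor itself starts inside the hunk but its surrounding processors do not.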
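Review bot: In the `@@ -64` hunk the cleanup script still stops its null-safe chain one step early — `ctx?.sophos?.xg.entrySet()` guards `ctx` and `sophos` but calls `entrySet()` unconditionally, so a document that reaches this processor without a `sophos.xg` object (for instance one where the `kv` processor above extracted nothing) would, as far as I can tell from Painless's per-access null-safety, throw and be diverted to `on_failure` rather than pass through unchanged. The enclosing `script` processor starts outside the hunk; the simplest guard is an `if: ctx.sophos?.xg != null` on it, or `ctx?.sophos?.xg?.entrySet()?.removeIf(entry -> params.values.contains(entry.getValue()));` in the source.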
@@ -142,38 +142,38 @@ processors: field: observer.type value: firewall - rename: - field: sophosxg.firewall.device_id + field: sophos.xg.device_id target_field: observer.serial_number ignore_missing: true - rename: - field: sophosxg.firewall.out_interface + field: sophos.xg.out_interface target_field: observer.egress.interface.name ignore_missing: true - rename: - field: sophosxg.firewall.in_interface + field: sophos.xg.in_interface target_field: observer.ingress.interface.name ignore_missing: true - rename: - field: sophosxg.firewall.srczonetype + field: sophos.xg.srczonetype target_field: observer.ingress.zone ignore_missing: true - rename: - field: sophosxg.firewall.dstzonetype + field: sophos.xg.dstzonetype target_field: observer.egress.zone ignore_missing: true -# extract from log_id the new field "sophosxg.firewall.message_id" +# extract from log_id the new field "sophos.xg.message_id" - set: - field: sophosxg.firewall.message_id - value: "{{sophosxg.firewall.log_id}}" + field: sophos.xg.message_id + value: "{{sophos.xg.log_id}}" ignore_empty_value: true - gsub: - field: sophosxg.firewall.message_id + field: sophos.xg.message_id pattern: "(^.{1,7})" replacement: "" ignore_failure: true - rename: - field: sophosxg.firewall.log_id + field: sophos.xg.log_id target_field: event.code ignore_missing: true @@ -204,13 +204,13 @@ processors: - message - _temp_ - _conf - - sophosxg.firewall.date - - sophosxg.firewall.time - - sophosxg.firewall.duration - - sophosxg.firewall.timezone - - sophosxg.firewall.dir_disp - - sophosxg.firewall.srczone - - sophosxg.firewall.dstzone + - sophos.xg.date + - sophos.xg.time + - sophos.xg.duration + - sophos.xg.timezone + - sophos.xg.dir_disp + - sophos.xg.srczone + - sophos.xg.dstzone - syslog5424_pri ignore_missing: true 
@@ -219,37 +219,37 @@ processors: ############################### - pipeline: name: '{< IngestPipeline "firewall" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'Firewall'" + if: "ctx.sophos?.xg?.log_type == 'Firewall'" - pipeline: name: '{< IngestPipeline "idp" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'IDP'" + if: "ctx.sophos?.xg?.log_type == 'IDP'" - pipeline: name: '{< IngestPipeline "atp" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'ATP'" + if: "ctx.sophos?.xg?.log_type == 'ATP'" - pipeline: name: '{< IngestPipeline "antivirus" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'Anti-Virus'" + if: "ctx.sophos?.xg?.log_type == 'Anti-Virus'" - pipeline: name: '{< IngestPipeline "sandstorm" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'Sandbox'" + if: "ctx.sophos?.xg?.log_type == 'Sandbox'" - pipeline: name: '{< IngestPipeline "cfilter" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'Content Filtering'" + if: "ctx.sophos?.xg?.log_type == 'Content Filtering'" - pipeline: name: '{< IngestPipeline "event" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'Event'" + if: "ctx.sophos?.xg?.log_type == 'Event'" - pipeline: name: '{< IngestPipeline "waf" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'WAF'" + if: "ctx.sophos?.xg?.log_type == 'WAF'" - pipeline: name: '{< IngestPipeline "antispam" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'Anti-Spam'" + if: "ctx.sophos?.xg?.log_type == 'Anti-Spam'" - pipeline: name: '{< IngestPipeline "systemhealth" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'System Health'" + if: "ctx.sophos?.xg?.log_type == 'System Health'" - pipeline: name: '{< IngestPipeline "wifi" >}' - if: "ctx.sophosxg?.firewall?.log_type == 'Wireless Protection'" + if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" on_failure: - set: 
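Review bot: The dispatch block still routes `log_type == 'System Health'` to `{< IngestPipeline "systemhealth" >}`, yet the manifest.yml hunk further down in this patch drops `ingest/systemhealth.yml` from `ingest_pipeline`, so unless that pipeline is still installed by some other path the reference cannot resolve and System Health events will fail in this pipeline rather than be indexed. Either restore `- ingest/systemhealth.yml` in the manifest or remove the `- pipeline:` entry for `systemhealth` here, so the manifest and the dispatch list agree. The same mismatch applies to the manifest hunk (`@@ -29,10 +29,9 @@ ingest_pipeline:`); it is only noted once here.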
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml similarity index 62% rename from x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml rename to x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml index b92da564ae1..dce06fd1776 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/sandstorm.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml 
@@ -8,50 +8,50 @@ processors: value: event - set: field: event.action - value: "{{sophosxg.firewall.log_subtype}}" - if: "ctx.sophosxg?.firewall?.log_subtype != null" + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" - set: field: event.outcome value: success - if: "ctx.sophosxg?.firewall?.log_subtype != null" + if: "ctx.sophos?.xg?.log_subtype != null" - set: field: event.kind value: alert - if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' - append: field: event.category value: - malware - network - if: 'ctx.sophosxg?.firewall?.log_subtype == "Denied"' + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' - append: field: event.category value: network - if: "ctx.sophosxg?.firewall?.log_subtype != 'Denied'" + if: "ctx.sophos?.xg?.log_subtype != 'Denied'" - append: field: event.type value: allowed - if: "['Allowed'].contains(ctx.sophosxg?.firewall?.log_subtype)" + if: "['Allowed'].contains(ctx.sophos?.xg?.log_subtype)" - append: field: event.type - value: + value: - start - connection - if: "['pending'].contains(ctx.sophosxg?.firewall?.reason)" + if: "['pending'].contains(ctx.sophos?.xg?.reason)" - append: field: event.type - value: + value: - end - connection - if: "ctx.sophosxg?.firewall?.reason == 'eligible'" + if: "ctx.sophos?.xg?.reason == 'eligible'" - append: field: event.type value: - denied - connection - if: "ctx.sophosxg?.firewall?.log_subtype == 'Denied'" + if: "ctx.sophos?.xg?.log_subtype == 'Denied'" - rename: - field: sophosxg.firewall.log_id + field: sophos.xg.log_id target_field: event.code ignore_missing: true if: "ctx.event?.code == null" 
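Review bot: The final `rename` of `sophos.xg.log_id` to `event.code` guarded by `if: "ctx.event?.code == null"` appears to be unreachable: pipeline.yml in this same patch already renames `sophos.xg.log_id` to `event.code` before it dispatches to this sub-pipeline, so by the time the guard runs `event.code` is set and the source field is gone. It is harmless, but a one-line comment such as `# event.code is normally set by pipeline.yml; kept as a fallback` above it, or dropping the processor, would stop readers from assuming this is where `event.code` is produced. The `processors` list continues outside the hunk.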
@@ -60,45 +60,45 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: sophosxg.firewall.src_ip + field: sophos.xg.src_ip target_field: source.ip ignore_missing: true - if: "ctx.sophosxg?.firewall?.src_ip != null" + if: "ctx.sophos?.xg?.src_ip != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: sophosxg.firewall.user_name + field: sophos.xg.user_name target_field: source.user.name ignore_missing: true - if: "ctx.sophosxg?.firewall?.user_name != null" + if: "ctx.sophos?.xg?.user_name != null" ###################### ## ECS File Mapping ## ###################### - rename: - field: sophoxg.firewall.filename + field: sophos.xg.filename target_field: file.name ignore_missing: true - if: "ctx.sophoxg?.firewall?.filename != null" + if: "ctx.sopho?.xg?.filename != null" - convert: - field: sophosxg.firewall.filesize + field: sophos.xg.filesize target_field: file.size type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.filesize != null" + if: "ctx.sophos?.xg?.filesize != null" - rename: - field: sophosxg.firewall.filetype + field: sophos.xg.filetype target_field: file.mime_type ignore_missing: true - if: "ctx.sophosxg?.firewall?.filetype != null" + if: "ctx.sophos?.xg?.filetype != null" - rename: - field: sophosxg.firewall.sha1sum + field: sophos.xg.sha1sum target_field: file.hash.sha1 ignore_missing: true - if: "ctx.sophosxg?.firewall?.sha1sum != null" + if: "ctx.sophos?.xg?.sha1sum != null" ######################### ## ECS Related Mapping ## @@ -117,7 +117,7 @@ processors: if: "ctx.file?.hash?.sha1 != null" - remove: field: - - sophosxg.firewall.filesize + - sophos.xg.filesize ignore_missing: true ############# ## Cleanup ## @@ -125,4 +125,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' 
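Review bot: In the ECS File Mapping stanza the `rename` now reads `field: sophos.xg.filename`, but its condition was rewritten to `if: "ctx.sopho?.xg?.filename != null"`; `ctx.sopho` never exists, so the condition is always false and `file.name` is never populated for Sandstorm events (the pre-rename line had the same typo, `sophoxg`, which this commit carried over rather than fixed). The condition should be `if: "ctx.sophos?.xg?.filename != null"`, matching the other processors in this file. Worth adding a fixture line that exercises `filename` so the expected JSON would have caught this.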
diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml similarity index 74% rename from x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml rename to x-pack/filebeat/module/sophos/xg/ingest/waf.yml index 35424bd3377..3cbf1383467 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/waf.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml 
@@ -9,90 +9,90 @@ processors: - set: field: event.action value: allowed - if: 'ctx.sophosxg?.firewall?.reason == "-"' + if: 'ctx.sophos?.xg?.reason == "-"' - set: field: event.action value: denied - if: 'ctx.sophosxg?.firewall?.reason != "-"' + if: 'ctx.sophos?.xg?.reason != "-"' - set: field: event.outcome value: success - if: "ctx.sophosxg?.firewall?.reason != null" + if: "ctx.sophos?.xg?.reason != null" - set: field: event.kind value: alert - if: 'ctx.sophosxg?.firewall?.reason != "-"' + if: 'ctx.sophos?.xg?.reason != "-"' - append: field: event.category value: - malware - network - if: 'ctx.sophosxg?.firewall?.reason == "Antivirus"' + if: 'ctx.sophos?.xg?.reason == "Antivirus"' - append: field: event.category value: - intrusion_detection - network - if: "ctx.sophosxg?.firewall?.reason != 'Antivirus' && ctx.sophosxg?.firewall?.reason != '-'" + if: "ctx.sophos?.xg?.reason != 'Antivirus' && ctx.sophos?.xg?.reason != '-'" - append: field: event.type value: - allowed - connection - if: 'ctx.sophosxg?.firewall?.reason == "-"' + if: 'ctx.sophos?.xg?.reason == "-"' - append: field: event.type value: - denied - connection - if: 'ctx.sophosxg?.firewall?.reason != "-"' + if: 'ctx.sophos?.xg?.reason != "-"' #################################### ## ECS Server/Destination Mapping ## #################################### - rename: - field: sophosxg.firewall.localip + field: sophos.xg.localip target_field: destination.ip ignore_missing: true - if: "ctx.sophosxg?.firewall?.localip != null" + if: "ctx.sophos?.xg?.localip != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - convert: - field: sophosxg.firewall.bytessent + field: sophos.xg.bytessent target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.bytessent != null" + if: "ctx.sophos?.xg?.bytessent != null" - convert: - field: sophosxg.firewall.bytessent + field: sophos.xg.bytessent target_field: server.bytes type: long 
ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.bytessent != null" + if: "ctx.sophos?.xg?.bytessent != null" ############################### ## ECS Client/Source Mapping ## ############################### - rename: - field: sophosxg.firewall.sourceip + field: sophos.xg.sourceip target_field: source.ip ignore_missing: true - if: "ctx.sophosxg?.firewall?.sourceip != null" + if: "ctx.sophos?.xg?.sourceip != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - convert: - field: sophosxg.firewall.bytesrcv + field: sophos.xg.bytesrcv target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.bytesrcv != null" + if: "ctx.sophos?.xg?.bytesrcv != null" - set: field: client.bytes value: '{{source.bytes}}' 
@@ -105,60 +105,60 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - rename: - field: sophosxg.firewall.user_name + field: sophos.xg.user_name target_field: source.user.name ignore_missing: true - if: "ctx.sophosxg?.firewall?.user_name != null" + if: "ctx.sophos?.xg?.user_name != null" - rename: - field: sophosxg.firewall.user_gp + field: sophos.xg.user_gp target_field: source.user.group.name ignore_missing: true - if: "ctx.sophosxg?.firewall?.user_gp != null" + if: "ctx.sophos?.xg?.user_gp != null" ##################### ## ECS URL Mapping ## ##################### - rename: - field: sophosxg.firewall.url + field: sophos.xg.url target_field: url.full ignore_missing: true - if: "ctx.sophosxg?.firewall?.url != null" + if: "ctx.sophos?.xg?.url != null" - rename: - field: sophosxg.firewall.domain + field: sophos.xg.domain target_field: url.domain ignore_missing: true - if: "ctx.sophosxg?.firewall?.domain != null" + if: "ctx.sophos?.xg?.domain != null" ############################ ## ECS User Agent Mapping ## ############################ - rename: - field: sophosxg.firewall.referer + field: sophos.xg.referer target_field: http.request.referrer ignore_missing: true - if: "ctx.sophosxg?.firewall?.referer != null" + if: "ctx.sophos?.xg?.referer != null" - convert: - field: sophosxg.firewall.httpstatus + field: sophos.xg.httpstatus target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.sophosxg?.firewall?.httpstatus != null" + if: "ctx.sophos?.xg?.httpstatus != null" - rename: - field: sophosxg.firewall.method + field: sophos.xg.method target_field: http.request.method ignore_missing: true - if: "ctx.sophosxg?.firewall?.method != null" + if: "ctx.sophos?.xg?.method != null" - rename: - field: sophosxg.firewall.ws_protocol + field: sophos.xg.ws_protocol target_field: http.version ignore_missing: true - if: "ctx.sophosxg?.firewall?.ws_protocol != null" + if: "ctx.sophos?.xg?.ws_protocol != null" - rename: - field: 
sophosxg.firewall.useragent + field: sophos.xg.useragent target_field: user_agent.original ignore_missing: true - if: "ctx.sophosxg?.firewall?.useragent != null" + if: "ctx.sophos?.xg?.useragent != null" ############################# ## ECS Network/Geo Mapping ## @@ -265,11 +265,11 @@ processors: ############# - remove: field: - - sophosxg.firewall.bytesrcv - - sophosxg.firewall.bytessent - - sophosxg.firewall.httpstatus + - sophos.xg.bytesrcv + - sophos.xg.bytessent + - sophos.xg.httpstatus ignore_missing: true on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml b/x-pack/filebeat/module/sophos/xg/ingest/wifi.yml similarity index 84% rename from x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml rename to x-pack/filebeat/module/sophos/xg/ingest/wifi.yml index 009c7171849..a5ddc7859bb 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/wifi.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/wifi.yml @@ -9,7 +9,7 @@ processors: - set: field: event.outcome value: success - if: 'ctx?.sophosxg?.firewall?.log_type == "Wireless Protection"' + if: 'ctx?.sophos?.xg?.log_type == "Wireless Protection"' ############# ## Cleanup ## diff --git a/x-pack/filebeat/module/sophosxg/firewall/manifest.yml b/x-pack/filebeat/module/sophos/xg/manifest.yml similarity index 88% rename from x-pack/filebeat/module/sophosxg/firewall/manifest.yml rename to x-pack/filebeat/module/sophos/xg/manifest.yml index dd05b5c4982..5bf74158cee 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/manifest.yml +++ b/x-pack/filebeat/module/sophos/xg/manifest.yml @@ -4,7 +4,7 @@ var: - name: syslog_host default: localhost - name: tags - default: [sophosxg-firewall, forwarded] + default: [sophos-xg, forwarded] - name: syslog_port default: 9005 - name: input 
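Review bot: In the ECS User Agent Mapping stanza of waf.yml, the `convert` of `sophos.xg.httpstatus` writes to `target_field: destination.bytes`, so the HTTP status code overwrites the byte count already set from `bytessent` earlier in the file, and the Cleanup `remove` at the end of the file then drops `sophos.xg.httpstatus`, losing the status entirely. The target should be `target_field: http.response.status_code` (also `type: long`), which is the ECS field for it and restores `destination.bytes`. The rename of `ws_protocol` to `http.version` may likewise need a check that the value is the bare version rather than `HTTP/x.y`, but no fixture for WAF is visible here to confirm.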
@@ -29,10 +29,9 @@ ingest_pipeline: - ingest/event.yml - ingest/waf.yml - ingest/antispam.yml - - ingest/systemhealth.yml - ingest/wifi.yml -input: config/firewall.yml +input: config/config.yml requires.processors: - name: geoip diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log similarity index 100% rename from x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log rename to x-pack/filebeat/module/sophos/xg/test/anti-spam.log diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json similarity index 68% rename from x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json rename to x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index 6c5a0d087fb..90a40d0b095 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json 
@@ -11,9 +11,9 @@ "network" ], "event.code": "041101618035", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "event", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "event.outcome": "success", "event.severity": "6", @@ -22,7 +22,7 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", 
@@ -34,28 +34,28 @@ "observer.vendor": "Sophos", "server.bytes": 0, "server.port": 0, - "service.type": "sophosxg", - "sophosxg.firewall.av_policy_name": "None", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.email_subject": "*ALERT* Sophos XG Firewall", - "sophosxg.firewall.fw_rule_id": "0", - "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_subtype": "Allowed", - "sophosxg.firewall.log_type": "Anti-Spam", - "sophosxg.firewall.mailid": "qkW2Y6-LxBk6U-vH-1590055245", - "sophosxg.firewall.mailsize": "19728", - "sophosxg.firewall.message_id": "18035", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.quarantine_reason": "Other", - "sophosxg.firewall.reason": "Email has been accepted by Device and queued for scanning.", - "sophosxg.firewall.spamaction": "QUEUED", + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.email_subject": "*ALERT* Sophos XG Firewall", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "qkW2Y6-LxBk6U-vH-1590055245", + "sophos.xg.mailsize": "19728", + "sophos.xg.message_id": "18035", + "sophos.xg.priority": "Information", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.reason": "Email has been accepted by Device and queued for scanning.", + "sophos.xg.spamaction": "QUEUED", "source.bytes": 0, "source.domain": "elasticuser.com", "source.port": 0, "source.user.email": "firewall@firewallgate.com", "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ] }, 
@@ -82,9 +82,9 @@ "network" ], "event.code": "041105613003", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "event", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", "event.outcome": "success", "event.severity": "4", @@ -265,7 +265,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", 
@@ -278,24 +278,24 @@ "server.bytes": 0, "server.ip": "185.8.209.194", "server.port": 25, - "service.type": "sophosxg", - "sophosxg.firewall.av_policy_name": "rule3", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.dst_country_code": "DEU", - "sophosxg.firewall.email_subject": "09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20", - "sophosxg.firewall.fw_rule_id": "22", - "sophosxg.firewall.log_component": "SMTPS", - "sophosxg.firewall.log_subtype": "Probable Spam", - "sophosxg.firewall.log_type": "Anti-Spam", - "sophosxg.firewall.mailid": "<20200518070235.C1623996C64F9957@ELTOBGI.COM>", - "sophosxg.firewall.mailsize": "1032152", - "sophosxg.firewall.message_id": "13004", - "sophosxg.firewall.priority": "Warning", - "sophosxg.firewall.quarantine_reason": "RBL", - "sophosxg.firewall.reason": "Sender IP address is blacklisted.", - "sophosxg.firewall.spamaction": "Prefix Subject", - "sophosxg.firewall.src_country_code": "GBR", + "service.type": "sophos", + "sophos.xg.av_policy_name": "rule3", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "DEU", + "sophos.xg.email_subject": "09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20", + "sophos.xg.fw_rule_id": "22", + "sophos.xg.log_component": "SMTPS", + "sophos.xg.log_subtype": "Probable Spam", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "<20200518070235.C1623996C64F9957@ELTOBGI.COM>", + "sophos.xg.mailsize": "1032152", + "sophos.xg.message_id": "13004", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "RBL", + "sophos.xg.reason": "Sender IP address is blacklisted.", + "sophos.xg.spamaction": "Prefix Subject", + "sophos.xg.src_country_code": "GBR", "source.as.number": 12488, "source.as.organization.name": "Krystal Hosting Ltd", "source.bytes": 0, 
@@ -308,7 +308,7 @@ "source.port": 55002, "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM", "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ] }, @@ -327,9 +327,9 @@ "network" ], "event.code": "041113413005", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "event.outcome": "success", "event.severity": "4", @@ -339,7 +339,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", 
@@ -352,31 +352,31 @@ "server.bytes": 0, "server.ip": "10.198.233.61", "server.port": 25, - "service.type": "sophosxg", - "sophosxg.firewall.av_policy_name": "Gaurav123", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "CR750iNG-XP", - "sophosxg.firewall.dst_country_code": "R1", - "sophosxg.firewall.email_subject": "RPD Spam Test: Spam", - "sophosxg.firewall.fw_rule_id": "0", - "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_subtype": "Outbound Spam", - "sophosxg.firewall.log_type": "Anti-Spam", - "sophosxg.firewall.mailid": "", - "sophosxg.firewall.mailsize": "405", - "sophosxg.firewall.message_id": "13005", - "sophosxg.firewall.priority": "Warning", - "sophosxg.firewall.quarantine_reason": "Spam", - "sophosxg.firewall.spamaction": "Accept", - "sophosxg.firewall.src_country_code": "R1", - "sophosxg.firewall.user_name": "gaurav", + "service.type": "sophos", + "sophos.xg.av_policy_name": "Gaurav123", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "RPD Spam Test: Spam", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Outbound Spam", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "", + "sophos.xg.mailsize": "405", + "sophos.xg.message_id": "13005", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "Spam", + "sophos.xg.spamaction": "Accept", + "sophos.xg.src_country_code": "R1", + "sophos.xg.user_name": "gaurav", "source.bytes": 0, "source.domain": " iview.com", "source.ip": "10.198.47.71", "source.port": 22420, "source.user.email": "gaurav1@iview.com", "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ] }, 
@@ -395,9 +395,9 @@ "network" ], "event.code": "041114413006", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "event.outcome": "success", "event.severity": "4", @@ -407,7 +407,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", 
@@ -420,31 +420,31 @@ "server.bytes": 0, "server.ip": "10.198.234.240", "server.port": 25, - "service.type": "sophosxg", - "sophosxg.firewall.av_policy_name": "rule 8", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SG430", - "sophosxg.firewall.dst_country_code": "R1", - "sophosxg.firewall.email_subject": "RPD Spam test: Bulk", - "sophosxg.firewall.fw_rule_id": "0", - "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_subtype": "Outbound Probable Spam", - "sophosxg.firewall.log_type": "Anti-Spam", - "sophosxg.firewall.mailid": "", - "sophosxg.firewall.mailsize": "439", - "sophosxg.firewall.message_id": "13006", - "sophosxg.firewall.priority": "Warning", - "sophosxg.firewall.quarantine_reason": "Spam", - "sophosxg.firewall.reason": "Mail detected as OUTBOUND PROBABLE SPAM.", - "sophosxg.firewall.spamaction": "Drop", - "sophosxg.firewall.src_country_code": "R1", + "service.type": "sophos", + "sophos.xg.av_policy_name": "rule 8", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "RPD Spam test: Bulk", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Outbound Probable Spam", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "", + "sophos.xg.mailsize": "439", + "sophos.xg.message_id": "13006", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "Spam", + "sophos.xg.reason": "Mail detected as OUTBOUND PROBABLE SPAM.", + "sophos.xg.spamaction": "Drop", + "sophos.xg.src_country_code": "R1", "source.bytes": 0, "source.domain": "postman.local", "source.ip": "10.198.16.121", "source.port": 58043, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ] }, 
@@ -463,9 +463,9 @@ "network" ], "event.code": "041121613009", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", "event.outcome": "success", "event.severity": "6", @@ -475,7 +475,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", 
@@ -488,31 +488,31 @@ "server.bytes": 0, "server.ip": "10.198.17.121", "server.port": 25, - "service.type": "sophosxg", - "sophosxg.firewall.av_policy_name": "postman", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SG430", - "sophosxg.firewall.dst_country_code": "R1", - "sophosxg.firewall.email_subject": "Fwd: TESt", - "sophosxg.firewall.fw_rule_id": "0", - "sophosxg.firewall.log_component": "SMTP", - "sophosxg.firewall.log_subtype": "DLP", - "sophosxg.firewall.log_type": "Anti-Spam", - "sophosxg.firewall.mailid": "c0000002-1528269606", - "sophosxg.firewall.mailsize": "5041", - "sophosxg.firewall.message_id": "13009", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.quarantine_reason": "DLP", - "sophosxg.firewall.reason": "Email containing confidential data detected. Relevant Data Protection Policy applied.", - "sophosxg.firewall.spamaction": "DROP", - "sophosxg.firewall.src_country_code": "R1", + "service.type": "sophos", + "sophos.xg.av_policy_name": "postman", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "Fwd: TESt", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "DLP", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "c0000002-1528269606", + "sophos.xg.mailsize": "5041", + "sophos.xg.message_id": "13009", + "sophos.xg.priority": "Information", + "sophos.xg.quarantine_reason": "DLP", + "sophos.xg.reason": "Email containing confidential data detected. Relevant Data Protection Policy applied.", + "sophos.xg.spamaction": "DROP", + "sophos.xg.src_country_code": "R1", "source.bytes": 0, "source.domain": "postman.local", "source.ip": "10.198.16.121", "source.port": 60134, "source.user.email": "pankhil@postman.local", "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ] }, 
@@ -530,9 +530,9 @@ "network" ], "event.code": "041122613010", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "event", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "event.outcome": "success", "event.severity": "6", @@ -541,7 +541,7 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", 
@@ -554,31 +554,31 @@
 "server.bytes": 0,
 "server.ip": "10.198.16.204",
 "server.port": 25,
- "service.type": "sophosxg",
- "sophosxg.firewall.av_policy_name": "None",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SG430",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.email_subject": "[secure:pankhil]",
- "sophosxg.firewall.fw_rule_id": "0",
- "sophosxg.firewall.log_component": "SMTP",
- "sophosxg.firewall.log_subtype": "SPX",
- "sophosxg.firewall.log_type": "Anti-Spam",
- "sophosxg.firewall.mailid": "c0000003-1528269693",
- "sophosxg.firewall.mailsize": "442",
- "sophosxg.firewall.message_id": "13010",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.quarantine_reason": "Other",
- "sophosxg.firewall.reason": "SPX Template of type Specified by Sender successfully applied on Email.",
- "sophosxg.firewall.spamaction": "Accept",
- "sophosxg.firewall.src_country_code": "R1",
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "None",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG430",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.email_subject": "[secure:pankhil]",
+ "sophos.xg.fw_rule_id": "0",
+ "sophos.xg.log_component": "SMTP",
+ "sophos.xg.log_subtype": "SPX",
+ "sophos.xg.log_type": "Anti-Spam",
+ "sophos.xg.mailid": "c0000003-1528269693",
+ "sophos.xg.mailsize": "442",
+ "sophos.xg.message_id": "13010",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.quarantine_reason": "Other",
+ "sophos.xg.reason": "SPX Template of type Specified by Sender successfully applied on Email.",
+ "sophos.xg.spamaction": "Accept",
+ "sophos.xg.src_country_code": "R1",
 "source.bytes": 0,
 "source.domain": "postman.local",
 "source.ip": "10.198.16.121",
 "source.port": 60298,
 "source.user.email": "pankhil@postman.local",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -596,9 +596,9 @@
 "network"
 ],
 "event.code": "041123413012",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
 "event.outcome": "success",
 "event.severity": "4",
@@ -608,7 +608,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "warning",
@@ -621,27 +621,27 @@
 "server.bytes": 0,
 "server.ip": "10.198.17.121",
 "server.port": 25,
- "service.type": "sophosxg",
- "sophosxg.firewall.av_policy_name": "None",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SG430",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.fw_rule_id": "0",
- "sophosxg.firewall.log_component": "SMTP",
- "sophosxg.firewall.log_subtype": "Dos",
- "sophosxg.firewall.log_type": "Anti-Spam",
- "sophosxg.firewall.mailsize": "0",
- "sophosxg.firewall.message_id": "13012",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.quarantine_reason": "Other",
- "sophosxg.firewall.reason": "SMTP DoS",
- "sophosxg.firewall.spamaction": "TMPREJECT",
- "sophosxg.firewall.src_country_code": "R1",
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "None",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG430",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.fw_rule_id": "0",
+ "sophos.xg.log_component": "SMTP",
+ "sophos.xg.log_subtype": "Dos",
+ "sophos.xg.log_type": "Anti-Spam",
+ "sophos.xg.mailsize": "0",
+ "sophos.xg.message_id": "13012",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.quarantine_reason": "Other",
+ "sophos.xg.reason": "SMTP DoS",
+ "sophos.xg.spamaction": "TMPREJECT",
+ "sophos.xg.src_country_code": "R1",
 "source.bytes": 0,
 "source.ip": "10.198.16.121",
 "source.port": 60392,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -660,9 +660,9 @@
 "network"
 ],
 "event.code": "041102413014",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0",
 "event.outcome": "success",
 "event.severity": "4",
@@ -672,7 +672,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "warning",
@@ -685,30 +685,30 @@
 "server.bytes": 0,
 "server.ip": "10.198.17.121",
 "server.port": 25,
- "service.type": "sophosxg",
- "sophosxg.firewall.av_policy_name": "postman",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SG430",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.email_subject": "Fwd: test sand",
- "sophosxg.firewall.fw_rule_id": "0",
- "sophosxg.firewall.log_component": "SMTP",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Anti-Spam",
- "sophosxg.firewall.mailid": "c0000008-1528270010",
- "sophosxg.firewall.mailsize": "419835",
- "sophosxg.firewall.message_id": "13014",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.reason": "Email is marked Malicious by Sophos Sandstorm.",
- "sophosxg.firewall.spamaction": "DROP",
- "sophosxg.firewall.src_country_code": "R1",
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "postman",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG430",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.email_subject": "Fwd: test sand",
+ "sophos.xg.fw_rule_id": "0",
+ "sophos.xg.log_component": "SMTP",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Anti-Spam",
+ "sophos.xg.mailid": "c0000008-1528270010",
+ "sophos.xg.mailsize": "419835",
+ "sophos.xg.message_id": "13014",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.reason": "Email is marked Malicious by Sophos Sandstorm.",
+ "sophos.xg.spamaction": "DROP",
+ "sophos.xg.src_country_code": "R1",
 "source.bytes": 0,
 "source.domain": "postman.local",
 "source.ip": "10.198.16.121",
 "source.port": 60608,
 "source.user.email": "pankhil1@postman.local",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -727,9 +727,9 @@
 "network"
 ],
 "event.code": "041207414001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
 "event.outcome": "success",
 "event.severity": "4",
@@ -739,7 +739,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "warning",
@@ -752,32 +752,32 @@
 "server.bytes": 0,
 "server.ip": "10.198.233.61",
 "server.port": 110,
- "service.type": "sophosxg",
- "sophosxg.firewall.av_policy_name": "GauravPatel",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "CR750iNG-XP",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.dst_domainname": "iview.com",
- "sophosxg.firewall.email_subject": "RPD Spam Test: Spam",
- "sophosxg.firewall.fw_rule_id": "0",
- "sophosxg.firewall.log_component": "POP3",
- "sophosxg.firewall.log_subtype": "Spam",
- "sophosxg.firewall.log_type": "Anti-Spam",
- "sophosxg.firewall.mailid": "<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>",
- "sophosxg.firewall.mailsize": "574",
- "sophosxg.firewall.message_id": "14001",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.quarantine_reason": "Other",
- "sophosxg.firewall.spamaction": "Accept",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.user_name": "gaurav",
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "GauravPatel",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "CR750iNG-XP",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.dst_domainname": "iview.com",
+ "sophos.xg.email_subject": "RPD Spam Test: Spam",
+ "sophos.xg.fw_rule_id": "0",
+ "sophos.xg.log_component": "POP3",
+ "sophos.xg.log_subtype": "Spam",
+ "sophos.xg.log_type": "Anti-Spam",
+ "sophos.xg.mailid": "<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>",
+ "sophos.xg.mailsize": "574",
+ "sophos.xg.message_id": "14001",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.quarantine_reason": "Other",
+ "sophos.xg.spamaction": "Accept",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.user_name": "gaurav",
 "source.bytes": 0,
 "source.domain": " iview.com",
 "source.ip": "10.198.47.71",
 "source.port": 22333,
 "source.user.email": "gaurav1@iview.com",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 }
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log
similarity index 100%
rename from x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log
rename to x-pack/filebeat/module/sophos/xg/test/anti-virus.log
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json
similarity index 74%
rename from x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json
rename to x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json
index 5bf1d7401dc..a78e27fa46e 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/anti-virus.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json
@@ -22,9 +22,9 @@
 "network"
 ],
 "event.code": "030906208001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403",
 "event.outcome": "success",
 "event.severity": "2",
@@ -34,7 +34,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "http.response.status_code": 403,
 "input.type": "log",
@@ -53,23 +53,23 @@
 "server.bytes": 1616,
 "server.ip": "13.226.155.93",
 "server.port": 80,
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "USA",
- "sophosxg.firewall.iap": "13",
- "sophosxg.firewall.log_component": "HTTP",
- "sophosxg.firewall.log_subtype": "Virus",
- "sophosxg.firewall.log_type": "Anti-Virus",
- "sophosxg.firewall.message_id": "08001",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.virus": "Sandstorm",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "USA",
+ "sophos.xg.iap": "13",
+ "sophos.xg.log_component": "HTTP",
+ "sophos.xg.log_subtype": "Virus",
+ "sophos.xg.log_type": "Anti-Virus",
+ "sophos.xg.message_id": "08001",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.virus": "Sandstorm",
 "source.bytes": 550,
 "source.ip": "172.16.34.24",
 "source.port": 57695,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.domain": "sophostest.com",
@@ -99,9 +99,9 @@
 "network"
 ],
 "event.code": "030906208001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403",
 "event.outcome": "success",
 "event.severity": "2",
@@ -111,7 +111,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "http.response.status_code": 403,
 "input.type": "log",
@@ -130,23 +130,23 @@
 "server.bytes": 553,
 "server.ip": "13.226.155.18",
 "server.port": 80,
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "USA",
- "sophosxg.firewall.iap": "13",
- "sophosxg.firewall.log_component": "HTTP",
- "sophosxg.firewall.log_subtype": "Virus",
- "sophosxg.firewall.log_type": "Anti-Virus",
- "sophosxg.firewall.message_id": "08001",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.virus": "EICAR-AV-Test",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "USA",
+ "sophos.xg.iap": "13",
+ "sophos.xg.log_component": "HTTP",
+ "sophos.xg.log_subtype": "Virus",
+ "sophos.xg.log_type": "Anti-Virus",
+ "sophos.xg.message_id": "08001",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.virus": "EICAR-AV-Test",
 "source.bytes": 541,
 "source.ip": "172.16.34.24",
 "source.port": 57835,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.domain": "sophostest.com",
@@ -174,9 +174,9 @@
 "network"
 ],
 "event.code": "031106210001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"",
 "event.outcome": "success",
 "event.severity": "2",
@@ -186,7 +186,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "critical",
@@ -204,22 +204,22 @@
 "server.bytes": 0,
 "server.ip": "186.8.209.194",
 "server.port": 25,
- "service.type": "sophosxg",
- "sophosxg.firewall.av_policy_name": "default-smtp-av",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "DEU",
- "sophosxg.firewall.log_component": "SMTP",
- "sophosxg.firewall.log_subtype": "Virus",
- "sophosxg.firewall.log_type": "Anti-Virus",
- "sophosxg.firewall.mailid": "<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr",
- "sophosxg.firewall.mailsize": "2254721",
- "sophosxg.firewall.message_id": "10001",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.quarantine_reason": "Infected",
- "sophosxg.firewall.src_country_code": "DEU",
- "sophosxg.firewall.subject": "ZAHLUNG (PROFORMA INVOICE)",
- "sophosxg.firewall.virus": "TR/AD.AgentTesla.eaz",
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "default-smtp-av",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "DEU",
+ "sophos.xg.log_component": "SMTP",
+ "sophos.xg.log_subtype": "Virus",
+ "sophos.xg.log_type": "Anti-Virus",
+ "sophos.xg.mailid": "<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr",
+ "sophos.xg.mailsize": "2254721",
+ "sophos.xg.message_id": "10001",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.quarantine_reason": "Infected",
+ "sophos.xg.src_country_code": "DEU",
+ "sophos.xg.subject": "ZAHLUNG (PROFORMA INVOICE)",
+ "sophos.xg.virus": "TR/AD.AgentTesla.eaz",
 "source.as.number": 8560,
 "source.as.organization.name": "1&1 Ionos Se",
 "source.bytes": 0,
@@ -231,7 +231,7 @@
 "source.port": 56336,
 "source.user.email": "info@farasamed.com",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.domain": "farasamed.com"
@@ -257,9 +257,9 @@
 "network"
 ],
 "event.code": "031106210001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"",
 "event.outcome": "success",
 "event.severity": "2",
@@ -269,7 +269,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "critical",
@@ -287,22 +287,22 @@
 "server.bytes": 0,
 "server.ip": "185.7.209.194",
 "server.port": 25,
- "service.type": "sophosxg",
- "sophosxg.firewall.av_policy_name": "default-smtp-av",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "DEU",
- "sophosxg.firewall.log_component": "SMTP",
- "sophosxg.firewall.log_subtype": "Virus",
- "sophosxg.firewall.log_type": "Anti-Virus",
- "sophosxg.firewall.mailid": "<20200519072944.AFCA295AF2A037A6@divella.it>",
- "sophosxg.firewall.mailsize": "537457",
- "sophosxg.firewall.message_id": "10001",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.quarantine_reason": "Infected",
- "sophosxg.firewall.src_country_code": "USA",
- "sophosxg.firewall.subject": "Re: NEW PRO-FORMA INVOICE",
- "sophosxg.firewall.virus": "Mal/BredoZp-B",
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "default-smtp-av",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "DEU",
+ "sophos.xg.log_component": "SMTP",
+ "sophos.xg.log_subtype": "Virus",
+ "sophos.xg.log_type": "Anti-Virus",
+ "sophos.xg.mailid": "<20200519072944.AFCA295AF2A037A6@divella.it>",
+ "sophos.xg.mailsize": "537457",
+ "sophos.xg.message_id": "10001",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.quarantine_reason": "Infected",
+ "sophos.xg.src_country_code": "USA",
+ "sophos.xg.subject": "Re: NEW PRO-FORMA INVOICE",
+ "sophos.xg.virus": "Mal/BredoZp-B",
 "source.as.number": 54290,
 "source.as.organization.name": "Hostwinds LLC.",
 "source.bytes": 0,
@@ -317,7 +317,7 @@
 "source.port": 54693,
 "source.user.email": "spedizioni@divella.it",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.domain": "divella.it"
@@ -337,9 +337,9 @@
 "network"
 ],
 "event.code": "036106211001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
 "event.outcome": "success",
 "event.severity": "2",
@@ -349,7 +349,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
@@ -367,28 +367,28 @@
 "server.bytes": 0,
 "server.ip": "10.198.234.240",
 "server.port": 995,
- "service.type": "sophosxg",
- "sophosxg.firewall.av_policy_name": "None",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SG430",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.log_component": "POPS",
- "sophosxg.firewall.log_subtype": "Virus",
- "sophosxg.firewall.log_type": "Anti-Virus",
- "sophosxg.firewall.mailid": "",
- "sophosxg.firewall.mailsize": "0",
- "sophosxg.firewall.message_id": "11001",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.quarantine_reason": "Other",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.subject": "EICAR",
- "sophosxg.firewall.virus": "EICAR-AV-Test",
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "None",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG430",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.log_component": "POPS",
+ "sophos.xg.log_subtype": "Virus",
+ "sophos.xg.log_type": "Anti-Virus",
+ "sophos.xg.mailid": "",
+ "sophos.xg.mailsize": "0",
+ "sophos.xg.message_id": "11001",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.quarantine_reason": "Other",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.subject": "EICAR",
+ "sophos.xg.virus": "EICAR-AV-Test",
 "source.bytes": 0,
 "source.ip": "10.198.16.121",
 "source.port": 56653,
 "source.user.email": "pankhil@postman.local",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.domain": "postman.local"
@@ -408,9 +408,9 @@
 "network"
 ],
 "event.code": "036206212001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
 "event.outcome": "success",
 "event.severity": "2",
@@ -420,7 +420,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
@@ -438,28 +438,28 @@
 "server.bytes": 0,
 "server.ip": "10.198.234.240",
 "server.port": 993,
- "service.type": "sophosxg",
- "sophosxg.firewall.av_policy_name": "None",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SG430",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.log_component": "IMAPS",
- "sophosxg.firewall.log_subtype": "Virus",
- "sophosxg.firewall.log_type": "Anti-Virus",
- "sophosxg.firewall.mailid": "<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>",
- "sophosxg.firewall.mailsize": "0",
- "sophosxg.firewall.message_id": "12001",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.quarantine_reason": "Other",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.subject": "EICAR test email",
- "sophosxg.firewall.virus": "EICAR-AV-Test",
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "None",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG430",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.log_component": "IMAPS",
+ "sophos.xg.log_subtype": "Virus",
+ "sophos.xg.log_type": "Anti-Virus",
+ "sophos.xg.mailid": "<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>",
+ "sophos.xg.mailsize": "0",
+ "sophos.xg.message_id": "12001",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.quarantine_reason": "Other",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.subject": "EICAR test email",
+ "sophos.xg.virus": "EICAR-AV-Test",
 "source.bytes": 0,
 "source.ip": "10.198.16.121",
 "source.port": 56632,
 "source.user.email": "pankhil@postman.local",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.domain": "postman.local"
@@ -478,9 +478,9 @@
 "network"
 ],
 "event.code": "031006209001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0",
 "event.outcome": "success",
 "event.severity": "2",
@@ -493,7 +493,7 @@
 "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46",
 "file.name": " /home/ftp-user/ta_test_file_1ta-cl1-46",
 "file.size": 0,
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
@@ -511,23 +511,23 @@
 "server.bytes": 0,
 "server.ip": "10.8.142.181",
 "server.port": 21,
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SF01V",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.ftpcommand": "STOR",
- "sophosxg.firewall.log_component": "FTP",
- "sophosxg.firewall.log_subtype": "Virus",
- "sophosxg.firewall.log_type": "Anti-Virus",
- "sophosxg.firewall.message_id": "09001",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.virus": "EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SF01V",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.ftpcommand": "STOR",
+ "sophos.xg.log_component": "FTP",
+ "sophos.xg.log_subtype": "Virus",
+ "sophos.xg.log_type": "Anti-Virus",
+ "sophos.xg.message_id": "09001",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.virus": "EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload",
 "source.bytes": 0,
 "source.ip": "10.146.13.49",
 "source.port": 39910,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
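Review bot: The expected value this hunk pins for `sophos.xg.virus` — `EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload` — shows the key/value extraction swallowing the following `FTP_url` and `FTP_direction` pairs into the virus name, presumably because the pipeline's key pattern does not accept the uppercase `FTP_` keys; the `RETR` event in the next hunk has the same shape, with `sophos.xg.virus` starting at ` FTP_url=`. The rename carries this over, so the fixture now asserts corrupted parsing: the detection name is unusable for matching or alerting, and the FTP URL and transfer direction never become fields of their own. I would fix the key pattern in the xg ingest pipeline (outside this view) and regenerate the fixture so it expects `"sophos.xg.virus": "EICAR-AV-Test"` with the url and direction extracted separately, rather than re-golden this output as-is. The enclosing JSON object starts in the previous hunk.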
@@ -544,9 +544,9 @@
 "network"
 ],
 "event.code": "031001609002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248",
 "event.outcome": "success",
 "event.severity": "6",
@@ -558,7 +558,7 @@
 "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46",
 "file.name": "/home/ftp-user /ta_test_file_1ta-cl1-46",
 "file.size": 19926248,
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -576,21 +576,21 @@
 "server.bytes": 19926248,
 "server.ip": "10.8.142.181",
 "server.port": 21,
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SF01V",
- "sophosxg.firewall.ftpcommand": "RETR",
- "sophosxg.firewall.log_component": "FTP",
- "sophosxg.firewall.log_subtype": "Allowed",
- "sophosxg.firewall.log_type": "Anti-Virus",
- "sophosxg.firewall.message_id": "09002",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.virus": " FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SF01V",
+ "sophos.xg.ftpcommand": "RETR",
+ "sophos.xg.log_component": "FTP",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Anti-Virus",
+ "sophos.xg.message_id": "09002",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.virus": " FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download",
 "source.bytes": 0,
 "source.ip": "10.146.13.49",
 "source.port": 39936,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 }
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log b/x-pack/filebeat/module/sophos/xg/test/atp.log
similarity index 100%
rename from x-pack/filebeat/module/sophosxg/firewall/test/atp.log
rename to x-pack/filebeat/module/sophos/xg/test/atp.log
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
similarity index 78%
rename from x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json
rename to x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
index c2eeb697b8d..7dbb6289456 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/atp.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
@@ -17,10 +17,10 @@ "network" ], "event.code": "086304418010", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "event.outcome": "success", "event.severity": "4", @@ -29,7 +29,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", 
@@ -48,21 +48,21 @@ ], "server.ip": "46.161.30.47", "server.port": 80, - "service.type": "sophosxg", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "CR750iNG-XP", - "sophosxg.firewall.eventtype": "Standard", - "sophosxg.firewall.log_component": "Firewall", - "sophosxg.firewall.log_subtype": "Drop", - "sophosxg.firewall.log_type": "ATP", - "sophosxg.firewall.message_id": "18010", - "sophosxg.firewall.priority": "Warning", - "sophosxg.firewall.threatname": "C2/Generic-A", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Firewall", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18010", + "sophos.xg.priority": "Warning", + "sophos.xg.threatname": "C2/Generic-A", "source.ip": "10.198.47.71", "source.port": 22623, "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.original": "46.161.30.47" @@ -88,10 +88,10 @@ "network" ], "event.code": "086504418010", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "event.outcome": "success", "event.severity": "4", 
@@ -100,7 +100,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "my_fancy_host", "input.type": "log", "log.level": "warning", @@ -116,20 +116,20 @@ ], "server.ip": "13.226.155.22", "server.port": 80, - "service.type": "sophosxg", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.eventtype": "Standard", - "sophosxg.firewall.log_component": "Web", - "sophosxg.firewall.log_subtype": "Drop", - "sophosxg.firewall.log_type": "ATP", - "sophosxg.firewall.message_id": "18010", - "sophosxg.firewall.priority": "Warning", - "sophosxg.firewall.threatname": "C2/Generic-A", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18010", + "sophos.xg.priority": "Warning", + "sophos.xg.threatname": "C2/Generic-A", "source.ip": "172.16.34.24", "source.port": 57579, "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.original": "http://sophostest.com/callhome/index.html" 
@@ -155,10 +155,10 @@ "network" ], "event.code": "086504418010", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.id": "34AC8531-E7C0-4368-9978-5740952EE9AB", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "event.outcome": "success", "event.severity": "4", @@ -167,7 +167,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", 
@@ -183,20 +183,20 @@ ], "server.ip": "13.226.155.22", "server.port": 80, - "service.type": "sophosxg", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.eventtype": "Standard", - "sophosxg.firewall.log_component": "Web", - "sophosxg.firewall.log_subtype": "Drop", - "sophosxg.firewall.log_type": "ATP", - "sophosxg.firewall.message_id": "18010", - "sophosxg.firewall.priority": "Warning", - "sophosxg.firewall.threatname": "C2/Generic-A", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18010", + "sophos.xg.priority": "Warning", + "sophos.xg.threatname": "C2/Generic-A", "source.ip": "172.16.34.24", "source.port": 57540, "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.original": "http://sophostest.com/callhome/index.html" @@ -219,10 +219,10 @@ "network" ], "event.code": "086320518009", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "event.outcome": "success", "event.severity": "5", 
@@ -231,7 +231,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "notification", @@ -247,20 +247,20 @@ ], "server.ip": "82.211.30.202", "server.port": 0, - "service.type": "sophosxg", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG310", - "sophosxg.firewall.eventtype": "Standard", - "sophosxg.firewall.log_component": "Firewall", - "sophosxg.firewall.log_subtype": "Alert", - "sophosxg.firewall.log_type": "ATP", - "sophosxg.firewall.message_id": "18009", - "sophosxg.firewall.priority": "Notice", - "sophosxg.firewall.threatname": "C2/Generic-A", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG310", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Firewall", + "sophos.xg.log_subtype": "Alert", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18009", + "sophos.xg.priority": "Notice", + "sophos.xg.threatname": "C2/Generic-A", "source.ip": "10.198.32.89", "source.port": 0, "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.original": "82.211.30.202" diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log b/x-pack/filebeat/module/sophos/xg/test/cfilter.log similarity index 100% rename from x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log rename to x-pack/filebeat/module/sophos/xg/test/cfilter.log diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json similarity index 73% rename from x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json rename to x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json index 17a26c9f3cd..a82d4550f57 100644 --- a/x-pack/filebeat/module/sophosxg/firewall/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json 
@@ -16,9 +16,9 @@ "network" ], "event.code": "050901616001", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "event", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", "event.outcome": "success", "event.severity": "6", @@ -27,7 +27,7 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", 
@@ -46,24 +46,24 @@ ], "server.ip": "182.79.221.19", "server.port": 443, - "service.type": "sophosxg", - "sophosxg.firewall.category": "Entertainment", - "sophosxg.firewall.category_type": "Unproductive", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "CR750iNG-XP", - "sophosxg.firewall.fw_rule_id": "2", - "sophosxg.firewall.iap": "1", - "sophosxg.firewall.log_component": "HTTP", - "sophosxg.firewall.log_subtype": "Allowed", - "sophosxg.firewall.log_type": "Content Filtering", - "sophosxg.firewall.message_id": "16001", - "sophosxg.firewall.priority": "Information", + "service.type": "sophos", + "sophos.xg.category": "Entertainment", + "sophos.xg.category_type": "Unproductive", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "1", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16001", + "sophos.xg.priority": "Information", "source.ip": "10.198.47.71", "source.port": 9444, "source.user.group.name": "Open Group", "source.user.name": "jsmith", "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.domain": "r8---sn-ci5gup-qxas.googlevideo.com", 
@@ -90,9 +90,9 @@ "network" ], "event.code": "050902616002", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", "event.outcome": "success", "event.severity": "6", @@ -102,7 +102,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", 
@@ -118,18 +118,18 @@ ], "server.ip": "216.58.197.44", "server.port": 80, - "service.type": "sophosxg", - "sophosxg.firewall.category": "Religion & Spirituality", - "sophosxg.firewall.category_type": "Unproductive", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SG115", - "sophosxg.firewall.fw_rule_id": "1", - "sophosxg.firewall.iap": "13", - "sophosxg.firewall.log_component": "HTTP", - "sophosxg.firewall.log_subtype": "Denied", - "sophosxg.firewall.log_type": "Content Filtering", - "sophosxg.firewall.message_id": "16002", - "sophosxg.firewall.priority": "Information", + "service.type": "sophos", + "sophos.xg.category": "Religion & Spirituality", + "sophos.xg.category_type": "Unproductive", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG115", + "sophos.xg.fw_rule_id": "1", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16002", + "sophos.xg.priority": "Information", "source.as.number": 6805, "source.as.organization.name": "Telefonica Germany", "source.geo.continent_name": "Europe", @@ -139,7 +139,7 @@ "source.ip": "5.5.5.15", "source.port": 46719, "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.domain": "hanuman.com", 
@@ -163,9 +163,9 @@ "network" ], "event.code": "054402617051", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", "event.outcome": "success", "event.severity": "6", @@ -175,7 +175,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", 
@@ -191,24 +191,24 @@ ], "server.ip": "74.125.130.188", "server.port": 5228, - "service.type": "sophosxg", - "sophosxg.firewall.application_category": "Mobile Applications", - "sophosxg.firewall.application_filter_policy": "8", - "sophosxg.firewall.application_name": "Gtalk Android", - "sophosxg.firewall.application_risk": "4", - "sophosxg.firewall.application_technology": "Client Server", - "sophosxg.firewall.category": "Mobile Applications", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SG115", - "sophosxg.firewall.dst_country_code": "USA", - "sophosxg.firewall.fw_rule_id": "1", - "sophosxg.firewall.log_component": "Application", - "sophosxg.firewall.log_subtype": "Denied", - "sophosxg.firewall.log_type": "Content Filtering", - "sophosxg.firewall.message_id": "17051", - "sophosxg.firewall.priority": "Information", - "sophosxg.firewall.src_country_code": "DEU", - "sophosxg.firewall.status": "Deny", + "service.type": "sophos", + "sophos.xg.application_category": "Mobile Applications", + "sophos.xg.application_filter_policy": "8", + "sophos.xg.application_name": "Gtalk Android", + "sophos.xg.application_risk": "4", + "sophos.xg.application_technology": "Client Server", + "sophos.xg.category": "Mobile Applications", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG115", + "sophos.xg.dst_country_code": "USA", + "sophos.xg.fw_rule_id": "1", + "sophos.xg.log_component": "Application", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "17051", + "sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "DEU", + "sophos.xg.status": "Deny", "source.as.number": 6805, "source.as.organization.name": "Telefonica Germany", "source.geo.continent_name": "Europe", @@ -218,7 +218,7 @@ "source.ip": "5.5.5.15", "source.port": 49128, "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ] }, 
@@ -242,9 +242,9 @@ "network" ], "event.code": "050901616001", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "event", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "event.outcome": "success", "event.severity": "6", @@ -253,7 +253,7 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "my_fancy_host", "http.response.status_code": "400", "input.type": "log", 
@@ -270,24 +270,24 @@ ], "server.ip": "13.79.168.201", "server.port": 443, - "service.type": "sophosxg", - "sophosxg.firewall.app_is_cloud": "0", - "sophosxg.firewall.category": "Information Technology", - "sophosxg.firewall.category_type": "Acceptable", - "sophosxg.firewall.con_id": "80042000", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.fw_rule_id": "2", - "sophosxg.firewall.iap": "13", - "sophosxg.firewall.log_component": "HTTP", - "sophosxg.firewall.log_subtype": "Allowed", - "sophosxg.firewall.log_type": "Content Filtering", - "sophosxg.firewall.message_id": "16001", - "sophosxg.firewall.priority": "Information", + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.category": "Information Technology", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.con_id": "80042000", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16001", + "sophos.xg.priority": "Information", "source.ip": "172.17.34.10", "source.port": 62851, "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.domain": "his-eur1-neur1.servicebus.windows.net", 
@@ -314,9 +314,9 @@ "network" ], "event.code": "050902616002", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "alert", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://40.90.137.127/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "event.outcome": "success", "event.severity": "6", @@ -326,7 +326,7 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "some_other_host.local", "http.response.status_code": "200", "input.type": "log", 
@@ -343,24 +343,24 @@ ], "server.ip": "40.90.137.127", "server.port": 443, - "service.type": "sophosxg", - "sophosxg.firewall.app_is_cloud": "0", - "sophosxg.firewall.category": "IPAddress", - "sophosxg.firewall.category_type": "Acceptable", - "sophosxg.firewall.con_id": "642960832", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.fw_rule_id": "51", - "sophosxg.firewall.iap": "2", - "sophosxg.firewall.log_component": "HTTP", - "sophosxg.firewall.log_subtype": "Denied", - "sophosxg.firewall.log_type": "Content Filtering", - "sophosxg.firewall.message_id": "16002", - "sophosxg.firewall.priority": "Information", + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.category": "IPAddress", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.con_id": "642960832", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "51", + "sophos.xg.iap": "2", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16002", + "sophos.xg.priority": "Information", "source.ip": "172.16.34.15", "source.port": 60471, "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.domain": "40.90.137.127", 
@@ -386,9 +386,9 @@ "network" ], "event.code": "050901616001", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "event", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "event.outcome": "success", "event.severity": "6", @@ -397,7 +397,7 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "my_fancy_host", "http.response.status_code": "304", "input.type": "log", 
@@ -414,25 +414,25 @@ ], "server.ip": "91.228.167.133", "server.port": 80, - "service.type": "sophosxg", - "sophosxg.firewall.app_is_cloud": "0", - "sophosxg.firewall.category": "Information Technology", - "sophosxg.firewall.category_type": "Acceptable", - "sophosxg.firewall.con_id": "248426360", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "XG230", - "sophosxg.firewall.exceptions": "av,https,sandstorm", - "sophosxg.firewall.fw_rule_id": "2", - "sophosxg.firewall.iap": "13", - "sophosxg.firewall.log_component": "HTTP", - "sophosxg.firewall.log_subtype": "Allowed", - "sophosxg.firewall.log_type": "Content Filtering", - "sophosxg.firewall.message_id": "16001", - "sophosxg.firewall.priority": "Information", + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.category": "Information Technology", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.con_id": "248426360", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.exceptions": "av,https,sandstorm", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16001", + "sophos.xg.priority": "Information", "source.ip": "172.17.34.15", "source.port": 65391, "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.domain": "update.eset.com", 
@@ -447,14 +447,14 @@ "network" ], "event.code": "058420116010", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "event", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", "event.outcome": "success", "event.severity": "1", "event.timezone": "-02:00", - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "my_fancy_host", "input.type": "log", "log.level": "alert", 
@@ -466,27 +466,27 @@ "related.ip": [ "10.108.108.49" ], - "service.type": "sophosxg", - "sophosxg.firewall.action": "Deny", - "sophosxg.firewall.context_match": "Not", - "sophosxg.firewall.context_prefix": "blah blah hello ", - "sophosxg.firewall.context_suffix": " hello blah ", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SF01V", - "sophosxg.firewall.dictionary_name": "complicated_Custom", - "sophosxg.firewall.direction": "in", - "sophosxg.firewall.file_name": "cgi_echo.pl", - "sophosxg.firewall.log_component": "Web Content Policy", - "sophosxg.firewall.log_subtype": "Alert", - "sophosxg.firewall.log_type": "Content Filtering", - "sophosxg.firewall.message_id": "16010", - "sophosxg.firewall.site_category": "Information Technology", - "sophosxg.firewall.transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", - "sophosxg.firewall.user": "gi123456", - "sophosxg.firewall.website": "ta-web-static-testing.qa. astaro.de", + "service.type": "sophos", + "sophos.xg.action": "Deny", + "sophos.xg.context_match": "Not", + "sophos.xg.context_prefix": "blah blah hello ", + "sophos.xg.context_suffix": " hello blah ", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SF01V", + "sophos.xg.dictionary_name": "complicated_Custom", + "sophos.xg.direction": "in", + "sophos.xg.file_name": "cgi_echo.pl", + "sophos.xg.log_component": "Web Content Policy", + "sophos.xg.log_subtype": "Alert", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16010", + "sophos.xg.site_category": "Information Technology", + "sophos.xg.transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", + "sophos.xg.user": "gi123456", + "sophos.xg.website": "ta-web-static-testing.qa. astaro.de", "source.ip": "10.108.108.49", "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ] }, 
@@ -507,9 +507,9 @@ "network" ], "event.code": "050927616005", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "event", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", "event.outcome": "success", "event.severity": "6", @@ -518,7 +518,7 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", 
@@ -537,25 +537,25 @@ ], "server.ip": "64.233.189.147", "server.port": 80, - "service.type": "sophosxg", - "sophosxg.firewall.activityname": " Search", - "sophosxg.firewall.category": "Search Engines", - "sophosxg.firewall.category_type": "Acceptable", - "sophosxg.firewall.device": "SFW", - "sophosxg.firewall.device_name": "SFVUNL", - "sophosxg.firewall.fw_rule_id": "2", - "sophosxg.firewall.iap": "13", - "sophosxg.firewall.log_component": "HTTP", - "sophosxg.firewall.log_subtype": "Warned", - "sophosxg.firewall.log_type": "Content Filtering", - "sophosxg.firewall.message_id": "16005", - "sophosxg.firewall.priority": "Information", + "service.type": "sophos", + "sophos.xg.activityname": " Search", + "sophos.xg.category": "Search Engines", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SFVUNL", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Warned", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16005", + "sophos.xg.priority": "Information", "source.ip": "192.168.73.220", "source.port": 37832, "source.user.group.name": "Clientless Open Group", "source.user.name": "rich", "tags": [ - "sophosxg-firewall", + "sophos-xg", "forwarded" ], "url.domain": "www.google.com", 
@@ -578,9 +578,9 @@ "network" ], "event.code": "050901616006", - "event.dataset": "sophosxg.firewall", + "event.dataset": "sophos.xg", "event.kind": "event", - "event.module": "sophosxg", + "event.module": "sophos", "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", "event.outcome": "success", "event.severity": "6", @@ -589,7 +589,7 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "xg", "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", 
@@ -608,27 +608,27 @@
 ],
 "server.ip": "64.233.188.94",
 "server.port": 80,
- "service.type": "sophosxg",
- "sophosxg.firewall.activityname": "Search",
- "sophosxg.firewall.category": "Search Engines",
- "sophosxg.firewall.category_type": "Acceptable",
- "sophosxg.firewall.contenttype": "text/html",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SFVUNL",
- "sophosxg.firewall.fw_rule_id": "2",
- "sophosxg.firewall.iap": "13",
- "sophosxg.firewall.log_component": "HTTP",
- "sophosxg.firewall.log_subtype": "Allowed",
- "sophosxg.firewall.log_type": "Content Filtering",
- "sophosxg.firewall.message_id": "16006",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.reason": "not eligible",
+ "service.type": "sophos",
+ "sophos.xg.activityname": "Search",
+ "sophos.xg.category": "Search Engines",
+ "sophos.xg.category_type": "Acceptable",
+ "sophos.xg.contenttype": "text/html",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SFVUNL",
+ "sophos.xg.fw_rule_id": "2",
+ "sophos.xg.iap": "13",
+ "sophos.xg.log_component": "HTTP",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Content Filtering",
+ "sophos.xg.message_id": "16006",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.reason": "not eligible",
 "source.ip": "192.168.73.220",
 "source.port": 46322,
 "source.user.group.name": "Clientless Open Group",
 "source.user.name": "rich",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.domain": "www.google.ca",
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log b/x-pack/filebeat/module/sophos/xg/test/event.log
similarity index 100%
rename from x-pack/filebeat/module/sophosxg/firewall/test/event.log
rename to x-pack/filebeat/module/sophos/xg/test/event.log
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
similarity index 68%
rename from x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json
rename to x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
index 85d4233908d..d14c2bb9924 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/event.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
@@ -6,9 +6,9 @@
 "authentication"
 ],
 "event.code": "062910617701",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=",
 "event.outcome": "success",
 "event.severity": "6",
@@ -17,7 +17,7 @@
 "user",
 "start"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -33,22 +33,22 @@
 "related.user": [
 "elastic.user@elastic.test.com"
 ],
- "service.type": "sophosxg",
- "sophosxg.firewall.auth_client": "CTA",
- "sophosxg.firewall.auth_mechanism": "AD",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "Firewall Authentication",
- "sophosxg.firewall.log_subtype": "Authentication",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17701",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Successful",
+ "service.type": "sophos",
+ "sophos.xg.auth_client": "CTA",
+ "sophos.xg.auth_mechanism": "AD",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "Firewall Authentication",
+ "sophos.xg.log_subtype": "Authentication",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17701",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Successful",
 "source.ip": "172.17.35.116",
 "source.user.group.name": "Open Group",
 "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -63,13 +63,13 @@
 "destination.geo.location.lon": -97.822,
 "destination.ip": "214.167.51.66",
 "event.code": "062511418055",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"",
 "event.severity": "4",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "warning",
@@ -87,19 +87,19 @@
 "elastic.user@elastic.test.com"
 ],
 "server.ip": "214.167.51.66",
- "service.type": "sophosxg",
- "sophosxg.firewall.connectionname": "Location-1",
- "sophosxg.firewall.connectiontype": "0",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.localnetwork": "172.17.32.0/19",
- "sophosxg.firewall.log_component": "IPSec",
- "sophosxg.firewall.log_subtype": "System",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "18055",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.remotenetwork": "10.84.234.5/32",
- "sophosxg.firewall.status": "Failed",
+ "service.type": "sophos",
+ "sophos.xg.connectionname": "Location-1",
+ "sophos.xg.connectiontype": "0",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.localnetwork": "172.17.32.0/19",
+ "sophos.xg.log_component": "IPSec",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "18055",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.remotenetwork": "10.84.234.5/32",
+ "sophos.xg.status": "Failed",
 "source.as.number": 5617,
 "source.as.organization.name": "Orange Polska Spolka Akcyjna",
 "source.geo.city_name": "Elblag",
@@ -112,20 +112,20 @@
 "source.ip": "83.20.132.250",
 "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
 {
 "@timestamp": "2020-05-18T14:38:59.000-02:00",
 "event.code": "062511318057",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"",
 "event.severity": "3",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "error",
@@ -135,18 +135,18 @@
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.connectiontype": "0",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "IPSec",
- "sophosxg.firewall.log_subtype": "System",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "18057",
- "sophosxg.firewall.priority": "Error",
- "sophosxg.firewall.status": "Expire",
+ "service.type": "sophos",
+ "sophos.xg.connectiontype": "0",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "IPSec",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "18057",
+ "sophos.xg.priority": "Error",
+ "sophos.xg.status": "Expire",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -157,9 +157,9 @@
 "authentication"
 ],
 "event.code": "063210617704",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=",
 "event.outcome": "success",
 "event.severity": "6",
@@ -168,7 +168,7 @@
 "user",
 "start"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -184,16 +184,16 @@
 "related.user": [
 "elastic.user@elastic.test.com"
 ],
- "service.type": "sophosxg",
- "sophosxg.firewall.auth_mechanism": "Local",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "My Account Authentication",
- "sophosxg.firewall.log_subtype": "Authentication",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17704",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Successful",
+ "service.type": "sophos",
+ "sophos.xg.auth_mechanism": "Local",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "My Account Authentication",
+ "sophos.xg.log_subtype": "Authentication",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17704",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Successful",
 "source.as.number": 5617,
 "source.as.organization.name": "Orange Polska Spolka Akcyjna",
 "source.geo.city_name": "August\u00f3w",
@@ -206,7 +206,7 @@
 "source.ip": "83.9.140.96",
 "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -217,16 +217,16 @@
 "malware"
 ],
 "event.code": "064011517819",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"",
 "event.severity": "5",
 "event.timezone": "-02:00",
 "event.type": [
 "info"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
@@ -236,32 +236,32 @@
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "Anti-Virus",
- "sophosxg.firewall.log_subtype": "System",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17819",
- "sophosxg.firewall.newversion": "1.0.407795 ",
- "sophosxg.firewall.oldversion": "1.0.407794",
- "sophosxg.firewall.priority": "Notice",
- "sophosxg.firewall.status": "Successful",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "Anti-Virus",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17819",
+ "sophos.xg.newversion": "1.0.407795 ",
+ "sophos.xg.oldversion": "1.0.407794",
+ "sophos.xg.priority": "Notice",
+ "sophos.xg.status": "Successful",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
 {
 "@timestamp": "2020-05-18T14:39:02.000-02:00",
 "event.code": "063411660022",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"",
 "event.severity": "6",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
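Review bot: `sophos.xg.newversion` is pinned to `"1.0.407795 "` with a trailing space while `sophos.xg.oldversion` is clean, so the unquoted-value capture in the xg key/value parsing evidently runs through the separator before `message=`; the same artefact recurs for the ATP and IPS definition-update records further down in this file. Detection rules or dashboards that compare version fields exactly will miss these events. The rename itself is fine, but the pipeline (outside this diff) should trim unquoted values, e.g. a `trim` processor on the extracted fields or a value pattern that stops at whitespace, and this fixture should then be regenerated rather than hand-edited.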
@@ -271,19 +271,19 @@
 "observer.serial_number": "1234567890123457",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.ipaddress": "192.168.110.10",
- "sophosxg.firewall.log_component": "DHCP Server",
- "sophosxg.firewall.log_subtype": "System",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "60022",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.raw_data": "192.168.110.10",
- "sophosxg.firewall.status": "Expire",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.ipaddress": "192.168.110.10",
+ "sophos.xg.log_component": "DHCP Server",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "60022",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.raw_data": "192.168.110.10",
+ "sophos.xg.status": "Expire",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -294,9 +294,9 @@
 "authentication"
 ],
 "event.code": "063110617710",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=",
 "event.outcome": "success",
 "event.severity": "6",
@@ -305,7 +305,7 @@
 "user",
 "start"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -321,16 +321,16 @@
 "related.user": [
 "elastic.user@elastic.test.com"
 ],
- "service.type": "sophosxg",
- "sophosxg.firewall.auth_mechanism": "AD",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "SSL VPN Authentication",
- "sophosxg.firewall.log_subtype": "Authentication",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17710",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Successful",
+ "service.type": "sophos",
+ "sophos.xg.auth_mechanism": "AD",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "SSL VPN Authentication",
+ "sophos.xg.log_subtype": "Authentication",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17710",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Successful",
 "source.as.number": 3320,
 "source.as.organization.name": "Deutsche Telekom AG",
 "source.geo.city_name": "Schleidweiler",
@@ -343,7 +343,7 @@
 "source.ip": "217.250.157.135",
 "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -352,13 +352,13 @@
 "client.bytes": 0,
 "destination.bytes": 0,
 "event.code": "062811617824",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12",
 "event.severity": "6",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -372,23 +372,23 @@
 "elastic.user@elastic.test.com"
 ],
 "server.bytes": 0,
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.ipaddress": "10.82.234.5",
- "sophosxg.firewall.log_component": "SSL VPN",
- "sophosxg.firewall.log_subtype": "System",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17824",
- "sophosxg.firewall.priority": "Information Mode=\"Remote Access",
- "sophosxg.firewall.remote_ip": "10.82.234.12",
- "sophosxg.firewall.starttime": "0",
- "sophosxg.firewall.status": "Established",
- "sophosxg.firewall.timestamp": "1589960866",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.ipaddress": "10.82.234.5",
+ "sophos.xg.log_component": "SSL VPN",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17824",
+ "sophos.xg.priority": "Information Mode=\"Remote Access",
+ "sophos.xg.remote_ip": "10.82.234.12",
+ "sophos.xg.starttime": "0",
+ "sophos.xg.status": "Established",
+ "sophos.xg.timestamp": "1589960866",
 "source.bytes": 0,
 "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
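Review bot: `sophos.xg.priority` is pinned to `Information Mode=\"Remote Access`, which shows the key/value split does not recognise the capitalised `Mode=` key in `event.original` and folds it into the preceding value; the `Mode` field is lost entirely and `priority` becomes unusable for exact matching on this SSL VPN session-established record. Connection mode is something an analyst would filter on for VPN events, so this is more than cosmetic. The key pattern lives in the xg ingest pipeline rather than in this hunk; allowing uppercase letters in key names (or mapping `Mode` explicitly) and regenerating this expected file is the fix, and the value here should not be read as the intended contract.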
@@ -399,14 +399,14 @@
 "authentication"
 ],
 "event.code": "063010517708",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=",
 "event.outcome": "failure",
 "event.severity": "5",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
@@ -422,17 +422,17 @@
 "related.user": [
 "hendrikl"
 ],
- "service.type": "sophosxg",
- "sophosxg.firewall.auth_mechanism": "AD,AD,Local",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "VPN Authentication",
- "sophosxg.firewall.log_subtype": "Authentication",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17708",
- "sophosxg.firewall.priority": "Notice",
- "sophosxg.firewall.reason": "wrong credentials",
- "sophosxg.firewall.status": "Failed",
+ "service.type": "sophos",
+ "sophos.xg.auth_mechanism": "AD,AD,Local",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "VPN Authentication",
+ "sophos.xg.log_subtype": "Authentication",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17708",
+ "sophos.xg.priority": "Notice",
+ "sophos.xg.reason": "wrong credentials",
+ "sophos.xg.status": "Failed",
 "source.as.number": 31334,
 "source.as.organization.name": "Vodafone Kabel Deutschland GmbH",
 "source.geo.city_name": "Fell",
@@ -445,20 +445,20 @@
 "source.ip": "91.67.201.4",
 "source.user.name": "hendrikl",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
 {
 "@timestamp": "2020-05-18T14:39:06.000-02:00",
 "event.code": "066911518017",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"",
 "event.severity": "5",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
@@ -468,19 +468,19 @@
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "ATP",
- "sophosxg.firewall.log_subtype": "System",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "18017",
- "sophosxg.firewall.newversion": "1.0.0298 ",
- "sophosxg.firewall.oldversion": "1.0.0297",
- "sophosxg.firewall.priority": "Notice",
- "sophosxg.firewall.status": "Successful",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "ATP",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "18017",
+ "sophos.xg.newversion": "1.0.0298 ",
+ "sophos.xg.oldversion": "1.0.0297",
+ "sophos.xg.priority": "Notice",
+ "sophos.xg.status": "Successful",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -488,14 +488,14 @@
 "@timestamp": "2020-05-18T14:39:08.000-02:00",
 "client.ip": "172.66.35.15",
 "event.code": "062109517507",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"",
 "event.outcome": "failure",
 "event.severity": "5",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
@@ -511,15 +511,15 @@
 "related.user": [
 "root"
 ],
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "CLI",
- "sophosxg.firewall.log_subtype": "Admin",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17507",
- "sophosxg.firewall.priority": "Notice",
- "sophosxg.firewall.status": "Failed",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "CLI",
+ "sophos.xg.log_subtype": "Admin",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17507",
+ "sophos.xg.priority": "Notice",
+ "sophos.xg.status": "Failed",
 "source.geo.continent_name": "North America",
 "source.geo.country_iso_code": "US",
 "source.geo.location.lat": 37.751,
@@ -527,20 +527,20 @@
 "source.ip": "172.66.35.15",
 "source.user.name": "root",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
 {
 "@timestamp": "2020-05-18T14:39:09.000-02:00",
 "event.code": "063911517818",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"",
 "event.severity": "5",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
@@ -550,32 +550,32 @@
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "IPS",
- "sophosxg.firewall.log_subtype": "System",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17818",
- "sophosxg.firewall.newversion": "9.17.10 ",
- "sophosxg.firewall.oldversion": "9.17.09",
- "sophosxg.firewall.priority": "Notice",
- "sophosxg.firewall.status": "Successful",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "IPS",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17818",
+ "sophos.xg.newversion": "9.17.10 ",
+ "sophos.xg.oldversion": "9.17.09",
+ "sophos.xg.priority": "Notice",
+ "sophos.xg.status": "Successful",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
 {
 "@timestamp": "2020-05-18T14:39:10.000-02:00",
 "event.code": "063311617923",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"",
 "event.severity": "6",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -585,17 +585,17 @@
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.backup_mode": "'appliance' ",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "Appliance",
- "sophosxg.firewall.log_subtype": "System",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17923",
- "sophosxg.firewall.priority": "Information",
+ "service.type": "sophos",
+ "sophos.xg.backup_mode": "'appliance' ",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "Appliance",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17923",
+ "sophos.xg.priority": "Information",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -609,9 +609,9 @@
 "authentication"
 ],
 "event.code": "062910617703",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576",
 "event.outcome": "success",
 "event.severity": "6",
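Review bot: `sophos.xg.backup_mode` is pinned to `'appliance' ` — the single quotes from `backup_mode='appliance'` in `event.original` and a trailing space survive into the field, so the extraction only strips double quotes and does not trim. A query such as `sophos.xg.backup_mode:appliance` will not match this event, and any future backup-related detection built on it would silently miss. The xg key/value pattern (outside this diff) should accept single-quoted values alongside double-quoted ones and trim the result; this fixture should then be regenerated rather than edited by hand.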
@@ -621,7 +621,7 @@
 "end",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
@@ -638,37 +638,37 @@
 "elastic.user@elastic.test.com"
 ],
 "server.bytes": 0,
- "service.type": "sophosxg",
- "sophosxg.firewall.auth_client": "IPSec",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.log_component": "Firewall Authentication",
- "sophosxg.firewall.log_subtype": "Authentication",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17703",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.start_time": "1591086575",
- "sophosxg.firewall.status": "Successful",
- "sophosxg.firewall.timestamp": "1591086576",
+ "service.type": "sophos",
+ "sophos.xg.auth_client": "IPSec",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.log_component": "Firewall Authentication",
+ "sophos.xg.log_subtype": "Authentication",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17703",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.start_time": "1591086575",
+ "sophos.xg.status": "Successful",
+ "sophos.xg.timestamp": "1591086576",
 "source.bytes": 0,
 "source.ip": "10.84.234.38",
 "source.user.group.name": "VPN.SSL.Users.elastic",
 "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
 {
 "@timestamp": "2018-06-06T11:12:10.000-02:00",
 "event.code": "063711517815",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. 
Updated with IP 10.198.232.86.\"",
 "event.severity": "5",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "notification",
@@ -678,19 +678,19 @@
 "observer.serial_number": "S4000806149EE49",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SG430",
- "sophosxg.firewall.host": "test1. customtest.dyndns.org",
- "sophosxg.firewall.log_component": "DDNS",
- "sophosxg.firewall.log_subtype": "System",
- "sophosxg.firewall.log_type": "Event",
- "sophosxg.firewall.message_id": "17815",
- "sophosxg.firewall.priority": "Notice",
- "sophosxg.firewall.status": "Success",
- "sophosxg.firewall.updatedip": "10.198.232.86",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG430",
+ "sophos.xg.host": "test1. customtest.dyndns.org",
+ "sophos.xg.log_component": "DDNS",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17815",
+ "sophos.xg.priority": "Notice",
+ "sophos.xg.status": "Success",
+ "sophos.xg.updatedip": "10.198.232.86",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 }
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log b/x-pack/filebeat/module/sophos/xg/test/firewall.log
similarity index 100%
rename from x-pack/filebeat/module/sophosxg/firewall/test/firewall.log
rename to x-pack/filebeat/module/sophos/xg/test/firewall.log
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
similarity index 74%
rename from x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json
rename to x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
index b4de3f90788..d392790d795 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/firewall.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
@@ -26,19 +26,22 @@
 "network"
 ],
 "event.code": "010101600001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 11000000000,
+ "event.end": "2020-05-18T14:38:48.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2020-05-18T14:38:37.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "end",
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
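Review bot: `event.start` is pinned to the log timestamp (14:38:37) and `event.end` to that timestamp plus `duration=11`, yet this record carries `connevent="Stop"` and is typed `end`, which suggests the device wrote it when the connection closed; if that is the case, start should be timestamp minus duration and end the timestamp itself, otherwise every connection lands on an investigation timeline shifted later by its own duration. This is inferred from the `connevent` value and should be confirmed against the Sophos XG log reference before the pipeline is changed. These three fields are also new output rather than part of the rename, so it is worth confirming that the pipeline change producing them is included in this cherry-pick and not only its regenerated fixture.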
@@ -68,28 +71,28 @@
 "server.nat.port": 0,
 "server.packets": 5,
 "server.port": 80,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_category": "General Internet",
- "sophosxg.firewall.application_risk": "1",
- "sophosxg.firewall.application_technology": "Browser Based",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.connevent": "Stop",
- "sophosxg.firewall.connid": "1617925280",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "SVK",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Firewall Rule",
- "sophosxg.firewall.log_subtype": "Allowed",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00001",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.status": "Allow",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_category": "General Internet",
+ "sophos.xg.application_risk": "1",
+ "sophos.xg.application_technology": "Browser Based",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.connevent": "Stop",
+ "sophos.xg.connid": "1617925280",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "SVK",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00001",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.status": "Allow",
 "source.as.number": 8905,
 "source.as.organization.name": "Digit One LLC",
 "source.bytes": 459,
@@ -104,7 +107,7 @@
 "source.packets": 6,
 "source.port": 62841,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -135,19 +138,22 @@
 "network"
 ],
 "event.code": "010101600001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:38.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2020-05-18T14:38:38.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "start",
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
@@ -177,28 +183,28 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 53,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_category": "Infrastructure",
- "sophosxg.firewall.application_risk": "1",
- "sophosxg.firewall.application_technology": "Network Protocol",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.connevent": "Start",
- "sophosxg.firewall.connid": "3360392048",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "SVK",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "15",
- "sophosxg.firewall.log_component": "Firewall Rule",
- "sophosxg.firewall.log_subtype": "Allowed",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00001",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.status": "Allow",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_category": "Infrastructure",
+ "sophos.xg.application_risk": "1",
+ "sophos.xg.application_technology": "Network Protocol",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.connevent": "Start",
+ "sophos.xg.connid": "3360392048",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "SVK",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "15",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00001",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.status": "Allow",
 "source.as.number": 199567,
 "source.as.organization.name": "Fr. Sauter AG",
 "source.bytes": 0,
@@ -216,7 +222,7 @@
 "source.packets": 0,
 "source.port": 49144,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -238,18 +244,21 @@
 "network"
 ],
 "event.code": "010102600002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:39.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2020-05-18T14:38:39.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -274,22 +283,22 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 4980,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "2",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Firewall Rule",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00002",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "2",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00002",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "172.17.35.113",
 "source.mac": "24:01:c7:07:2b:a2",
@@ -297,7 +306,7 @@
 "source.packets": 0,
 "source.port": 53287,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -318,18 +327,21 @@
 "network"
 ],
 "event.code": "010102600002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:40.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2020-05-18T14:38:40.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -357,22 +369,22 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 53,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "2",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Firewall Rule",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00002",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "2",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00002",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "10.82.234.6",
 "source.nat.port": 0,
@@ -381,7 +393,7 @@
 "source.user.group.name": "elastic.group.local",
 "source.user.name": "elastic@user.local",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -409,18 +421,21 @@
 "network"
 ],
 "event.code": "010302602002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:41.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2020-05-18T14:38:41.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
@@ -444,22 +459,22 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 18,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Appliance Access",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "02002",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Appliance Access",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "02002",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.as.number": 16276,
 "source.as.organization.name": "OVH SAS",
 "source.bytes": 0,
@@ -476,7 +491,7 @@
 "source.packets": 0,
 "source.port": 55039,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -498,18 +513,21 @@
 "network"
 ],
 "event.code": "010102600002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:42.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2020-05-18T14:38:42.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -537,22 +555,22 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 1109,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "2",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Firewall Rule",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00002",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "2",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00002",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "172.17.35.101",
 "source.mac": "24:01:c7:07:2b:a2",
@@ -562,7 +580,7 @@
 "source.user.group.name": "elastic.group.local",
 "source.user.name": "elastic@user.local",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -585,18 +603,21 @@
 "network"
 ],
 "event.code": "010402403001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:43.000-02:00",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "4",
+ "event.start": "2020-05-18T14:38:43.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "warning",
@@ -620,22 +641,22 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 64465,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "DoS Attack",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "03001",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "DoS Attack",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "03001",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "172.16.36.105",
 "source.mac": "34:db:fd:83:d8:09",
@@ -643,7 +664,7 @@
 "source.packets": 0,
 "source.port": 3389,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -664,18 +685,21 @@
 "network"
 ],
 "event.code": "012802605201",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:44.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2020-05-18T14:38:44.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -699,29 +723,29 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 56267,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "SSL VPN",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "05201",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "SSL VPN",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "05201",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "10.82.234.9",
 "source.nat.port": 0,
 "source.packets": 0,
 "source.port": 58331,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -743,19 +767,22 @@
 "network"
 ],
 "event.code": "010101600001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:45.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2020-05-18T14:38:45.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "start",
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
@@ -786,26 +813,26 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 443,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.connevent": "Start",
- "sophosxg.firewall.connid": "1615935064",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "11",
- "sophosxg.firewall.log_component": "Firewall Rule",
- "sophosxg.firewall.log_subtype": "Allowed",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00001",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.status": "Allow",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.connevent": "Start",
+ "sophos.xg.connid": "1615935064",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "11",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00001",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.status": "Allow",
 "source.bytes": 0,
 "source.ip": "10.84.234.7",
 "source.mac": "00:00:00:00:00:00",
@@ -815,7 +842,7 @@
 "source.user.group.name": "elastic.group.local",
 "source.user.name": "elastic@user.local",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -835,19 +862,22 @@
 "network"
 ],
 "event.code": "018201500005",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:45.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "5",
+ "event.start": "2020-05-18T14:38:45.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "start",
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "notification",
@@ -870,33 +900,33 @@
 "server.ip": "172.17.32.19",
 "server.nat.port": 0,
 "server.packets": 0,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.connevent": "Interim",
- "sophosxg.firewall.connid": "2685668438",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.icmp_code": "1",
- "sophosxg.firewall.icmp_type": "3",
- "sophosxg.firewall.ips_policy_id": "17",
- "sophosxg.firewall.log_component": "ICMP ERROR MESSAGE",
- "sophosxg.firewall.log_subtype": "Allowed",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00005",
- "sophosxg.firewall.priority": "Notice",
- "sophosxg.firewall.status": "Allow",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.connevent": "Interim",
+ "sophos.xg.connid": "2685668438",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.icmp_code": "1",
+ "sophos.xg.icmp_type": "3",
+ "sophos.xg.ips_policy_id": "17",
+ "sophos.xg.log_component": "ICMP ERROR MESSAGE",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00005",
+ "sophos.xg.priority": "Notice",
+ "sophos.xg.status": "Allow",
 "source.bytes": 0,
 "source.ip": "192.168.1.254",
 "source.mac": "34:db:fd:83:d8:09",
 "source.nat.port": 0,
 "source.packets": 0,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -917,19 +947,22 @@
 "network"
 ],
 "event.code": "010101600001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 10000000000,
+ "event.end": "2020-06-05T12:39:03.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2020-06-05T12:38:53.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "end",
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
@@ -954,26 +987,26 @@
 "server.ip": "172.16.34.10",
 "server.packets": 6,
 "server.port": 88,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.connevent": "Stop",
- "sophosxg.firewall.connid": "1617126256",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.hb_health": "NoHeartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "17",
- "sophosxg.firewall.log_component": "Firewall Rule",
- "sophosxg.firewall.log_subtype": "Allowed",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00001",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.status": "Allow",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.connevent": "Stop",
+ "sophos.xg.connid": "1617126256",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.hb_health": "NoHeartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "17",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00001",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.status": "Allow",
 "source.bytes": 1802,
 "source.ip": "172.17.35.119",
 "source.mac": "00:00:00:00:00:00",
@@ -981,7 +1014,7 @@
 "source.packets": 6,
 "source.port": 61925,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -1008,18 +1041,21 @@
 "network"
 ],
 "event.code": "010202601001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2018-05-30T13:26:37.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2018-05-30T13:26:37.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -1042,29 +1078,29 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 0,
- "service.type": "sophosxg",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": " Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG125w",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Invalid Traffic",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message": "Invalid UDP destination.",
- "sophosxg.firewall.message_id": "01001",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": " Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG125w",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Invalid Traffic",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message": "Invalid UDP destination.",
+ "sophos.xg.message_id": "01001",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "10.198.32.19",
 "source.nat.port": 0,
 "source.packets": 0,
 "source.port": 1353,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
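Review bot: The new `"sophos.xg.appresolvedby": " Signature"` line in this hunk pins a value with a leading space, carried over verbatim from `appresolvedby=\" Signature\"` in the raw event, while the neighbouring fixtures pin `"Signature"` for the same field; the hunks at `@@ -1277,21 +1322,21 @@` and `@@ -1351,29 +1399,29 @@` lock in the same untrimmed value. Because this file is the test oracle, regenerating it has frozen a data-quality defect: exact-term queries and detection rules matching on `sophos.xg.appresolvedby` will silently miss these events. The kv handling that produces the field is outside this diff section, so it can only be inferred that no trim step runs on the value; the fix belongs there, with the expected JSON regenerated afterwards so that the fixture reads `"sophos.xg.appresolvedby": "Signature",`. The enclosing JSON object starts and ends outside the hunk.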
@@ -1085,18 +1121,21 @@
 "network"
 ],
 "event.code": "011402601301",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2018-06-04T17:20:24.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2018-06-04T17:20:24.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -1119,28 +1158,28 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 0,
- "service.type": "sophosxg",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG125w",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Fragmented Traffic",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "01301",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG125w",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Fragmented Traffic",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "01301",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "0.0.0.0",
 "source.nat.port": 0,
 "source.packets": 0,
 "source.port": 0,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -1162,18 +1201,21 @@
 "network"
 ],
 "event.code": "010302602002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2018-05-30T14:01:32.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2018-05-30T14:01:32.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -1197,21 +1239,21 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 137,
- "service.type": "sophosxg",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG125w",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Appliance Access",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "02002",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG125w",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Appliance Access",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "02002",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "10.198.38.184",
 "source.mac": "c8:5b:76:ab:72:d3",
@@ -1219,7 +1261,7 @@
 "source.packets": 0,
 "source.port": 137,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -1242,18 +1284,21 @@
 "network"
 ],
 "event.code": "010402403001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2018-05-30T14:17:17.000-02:00",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"",
 "event.outcome": "success",
 "event.severity": "4",
+ "event.start": "2018-05-30T14:17:17.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "warning",
@@ -1277,21 +1322,21 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 22,
- "service.type": "sophosxg",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": " Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG125w",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "DoS Attack",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "03001",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": " Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG125w",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "DoS Attack",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "03001",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "10.198.32.19",
 "source.mac": "b8:97:5a:5b:0f:fd",
@@ -1299,7 +1344,7 @@
 "source.packets": 0,
 "source.port": 41960,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -1318,18 +1363,21 @@
 "network"
 ],
 "event.code": "010502604001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2018-06-05T14:30:31.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2018-06-05T14:30:31.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -1351,29 +1399,29 @@
 "server.ip": "10.198.36.48",
 "server.nat.port": 0,
 "server.packets": 0,
- "service.type": "sophosxg",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": " Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG125w",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.icmp_code": "1",
- "sophosxg.firewall.icmp_type": "5",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "ICMP Redirection",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "04001",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": " Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG125w",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.icmp_code": "1",
+ "sophos.xg.icmp_type": "5",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "ICMP Redirection",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "04001",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "10.198.37.23",
 "source.nat.port": 0,
 "source.packets": 0,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -1401,18 +1449,21 @@
 "network"
 ],
 "event.code": "010602605001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2018-05-31T17:05:14.000-02:00",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2018-05-31T17:05:14.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -1435,28 +1486,28 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 80,
- "service.type": "sophosxg",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG125w",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Source Routed",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "05001",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG125w",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Source Routed",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "05001",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "10.198.12.19",
 "source.nat.port": 0,
 "source.packets": 0,
 "source.port": 1571,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -1478,18 +1529,21 @@
 "network"
 ],
 "event.code": "011702605051",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2018-05-30T15:09:51.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2018-05-30T15:09:51.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -1513,21 +1567,21 @@
 "server.nat.port": 0,
 "server.packets": 0,
 "server.port": 547,
- "service.type": "sophosxg",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG125w",
- "sophosxg.firewall.hb_health": "No Heartbeat",
- "sophosxg.firewall.iap": "0",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "MAC Filter",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "05051",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG125w",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "MAC Filter",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "05051",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "fe80::59f5:3ce8:c98e:5062",
 "source.mac": "1e:3a:5a:5b:23:ab",
@@ -1535,7 +1589,7 @@
 "source.packets": 0,
 "source.port": 546,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -1555,18 +1609,21 @@
 "network"
 ],
 "event.code": "016602600006",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2018-06-01T10:57:55.000-02:00",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2018-06-01T10:57:55.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -1589,31 +1646,31 @@
 "server.ip": "10.198.32.19",
 "server.nat.port": 0,
 "server.packets": 0,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG310",
- "sophosxg.firewall.hb_health": "Red",
- "sophosxg.firewall.iap": "2",
- "sophosxg.firewall.icmp_code": "0",
- "sophosxg.firewall.icmp_type": "8",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Heartbeat",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00006",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG310",
+ "sophos.xg.hb_health": "Red",
+ "sophos.xg.iap": "2",
+ "sophos.xg.icmp_code": "0",
+ "sophos.xg.icmp_type": "8",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Heartbeat",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00006",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "10.198.37.57",
 "source.mac": "08:00:27:4c:49:e3",
 "source.nat.port": 0,
 "source.packets": 0,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -1643,18 +1700,21 @@
 "network"
 ],
 "event.code": "016602600003",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2018-06-01T10:55:41.000-02:00",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
+ "event.start": "2018-06-01T10:55:41.000-02:00",
 "event.timezone": "-02:00",
 "event.type": [
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -1677,31 +1737,31 @@
 "server.ip": "72.163.4.185",
 "server.nat.port": 0,
 "server.packets": 0,
- "service.type": "sophosxg",
- "sophosxg.firewall.app_is_cloud": "0",
- "sophosxg.firewall.appfilter_policy_id": "0",
- "sophosxg.firewall.application_risk": "0",
- "sophosxg.firewall.appresolvedby": "Signature",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG310",
- "sophosxg.firewall.hb_health": "Red",
- "sophosxg.firewall.iap": "2",
- "sophosxg.firewall.icmp_code": "0",
- "sophosxg.firewall.icmp_type": "8",
- "sophosxg.firewall.ips_policy_id": "0",
- "sophosxg.firewall.log_component": "Heartbeat",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Firewall",
- "sophosxg.firewall.message_id": "00003",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.status": "Deny",
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG310",
+ "sophos.xg.hb_health": "Red",
+ "sophos.xg.iap": "2",
+ "sophos.xg.icmp_code": "0",
+ "sophos.xg.icmp_type": "8",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Heartbeat",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00003",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
 "source.bytes": 0,
 "source.ip": "10.198.37.57",
 "source.mac": "08:00:27:4c:49:e3",
 "source.nat.port": 0,
 "source.packets": 0,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 }
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log b/x-pack/filebeat/module/sophos/xg/test/idp.log
similarity index 100%
rename from x-pack/filebeat/module/sophosxg/firewall/test/idp.log
rename to x-pack/filebeat/module/sophos/xg/test/idp.log
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json
similarity index 69%
rename from x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json
rename to x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json
index ef1fdf7973f..7caee4d72eb 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/idp.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json
@@ -11,9 +11,9 @@
 "network"
 ],
 "event.code": "020804407002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"",
 "event.outcome": "success",
 "event.severity": "4",
@@ -22,7 +22,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "warning",
@@ -41,22 +41,22 @@
 "rule.name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack",
 "server.ip": "172.16.68.20",
 "server.port": 80,
- "service.type": "sophosxg",
- "sophosxg.firewall.category": "server-webapp",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.fw_rule_id": "25",
- "sophosxg.firewall.idp_policy_id": "7",
- "sophosxg.firewall.log_component": "Signatures",
- "sophosxg.firewall.log_subtype": "Drop",
- "sophosxg.firewall.log_type": "IDP",
- "sophosxg.firewall.message_id": "07002",
- "sophosxg.firewall.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.rule_priority": "2",
- "sophosxg.firewall.src_country_code": "ROU",
- "sophosxg.firewall.target": "Server",
+ "service.type": "sophos",
+ "sophos.xg.category": "server-webapp",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.fw_rule_id": "25",
+ "sophos.xg.idp_policy_id": "7",
+ "sophos.xg.log_component": "Signatures",
+ "sophos.xg.log_subtype": "Drop",
+ "sophos.xg.log_type": "IDP",
+ "sophos.xg.message_id": "07002",
+ "sophos.xg.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.rule_priority": "2",
+ "sophos.xg.src_country_code": "ROU",
+ "sophos.xg.target": "Server",
 "source.as.number": 28684,
 "source.as.organization.name": "Bestnet Service SRL",
 "source.geo.continent_name": "Europe",
@@ -66,7 +66,7 @@
 "source.ip": "89.40.182.58",
 "source.port": 41528,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -82,9 +82,9 @@
 "network"
 ],
 "event.code": "020804407002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"",
 "event.outcome": "success",
 "event.severity": "4",
@@ -93,7 +93,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "warning",
@@ -112,22 +112,22 @@
 "rule.name": "PROTOCOL-DNS named version attempt",
 "server.ip": "172.16.66.155",
 "server.port": 53,
- "service.type": "sophosxg",
- "sophosxg.firewall.category": "protocol-dns",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.fw_rule_id": "23",
- "sophosxg.firewall.idp_policy_id": "7",
- "sophosxg.firewall.log_component": "Signatures",
- "sophosxg.firewall.log_subtype": "Drop",
- "sophosxg.firewall.log_type": "IDP",
- "sophosxg.firewall.message_id": "07002",
- "sophosxg.firewall.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.rule_priority": "1",
- "sophosxg.firewall.src_country_code": "CHN",
- "sophosxg.firewall.target": "Server",
+ "service.type": "sophos",
+ "sophos.xg.category": "protocol-dns",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.fw_rule_id": "23",
+ "sophos.xg.idp_policy_id": "7",
+ "sophos.xg.log_component": "Signatures",
+ "sophos.xg.log_subtype": "Drop",
+ "sophos.xg.log_type": "IDP",
+ "sophos.xg.message_id": "07002",
+ "sophos.xg.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.rule_priority": "1",
+ "sophos.xg.src_country_code": "CHN",
+ "sophos.xg.target": "Server",
 "source.as.number": 4808,
 "source.as.organization.name": "China Unicom Beijing Province Network",
 "source.geo.continent_name": "Asia",
@@ -139,7 +139,7 @@
 "source.ip": "117.50.11.192",
 "source.port": 58914,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -155,9 +155,9 @@
 "network"
 ],
 "event.code": "020804407002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"",
 "event.outcome": "success",
 "event.severity": "4",
@@ -166,7 +166,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "warning",
@@ -185,22 +185,22 @@
 "rule.name": "SERVER-WEBAPP DrayTek multiple products command injection attempt",
 "server.ip": "172.16.68.20",
 "server.port": 80,
- "service.type": "sophosxg",
- "sophosxg.firewall.category": "server-webapp",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.fw_rule_id": "25",
- "sophosxg.firewall.idp_policy_id": "7",
- "sophosxg.firewall.log_component": "Signatures",
- "sophosxg.firewall.log_subtype": "Drop",
- "sophosxg.firewall.log_type": "IDP",
- "sophosxg.firewall.message_id": "07002",
- "sophosxg.firewall.platform": "Linux,Mac,Other,Unix,Windows",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.rule_priority": "2",
- "sophosxg.firewall.src_country_code": "NLD",
- "sophosxg.firewall.target": "Server",
+ "service.type": "sophos",
+ "sophos.xg.category": "server-webapp",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.fw_rule_id": "25",
+ "sophos.xg.idp_policy_id": "7",
+ "sophos.xg.log_component": "Signatures",
+ "sophos.xg.log_subtype": "Drop",
+ "sophos.xg.log_type": "IDP",
+ "sophos.xg.message_id": "07002",
+ "sophos.xg.platform": "Linux,Mac,Other,Unix,Windows",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.rule_priority": "2",
+ "sophos.xg.src_country_code": "NLD",
+ "sophos.xg.target": "Server",
 "source.as.number": 1136,
 "source.as.organization.name": "KPN B.V.",
 "source.geo.continent_name": "Europe",
@@ -210,7 +210,7 @@
 "source.ip": "77.61.185.101",
 "source.port": 59476,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -226,9 +226,9 @@
 "network"
 ],
 "event.code": "020703406001",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"",
 "event.outcome": "success",
 "event.severity": "4",
@@ -237,7 +237,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "warning",
@@ -256,26 +256,26 @@
 "rule.name": "FILE-PDF EmbeddedFile contained within a PDF",
 "server.ip": "10.1.1.234",
 "server.port": 25,
- "service.type": "sophosxg",
- "sophosxg.firewall.category": "Malware Communication",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG750",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.fw_rule_id": "2",
- "sophosxg.firewall.idp_policy_id": "1",
- "sophosxg.firewall.log_component": "Anomaly",
- "sophosxg.firewall.log_subtype": "Detect",
- "sophosxg.firewall.log_type": "IDP",
- "sophosxg.firewall.message_id": "06001",
- "sophosxg.firewall.platform": "Windows",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.rule_priority": "1",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.target": "Server",
+ "service.type": "sophos",
+ "sophos.xg.category": "Malware Communication",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG750",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.fw_rule_id": "2",
+ "sophos.xg.idp_policy_id": "1",
+ "sophos.xg.log_component": "Anomaly",
+ "sophos.xg.log_subtype": "Detect",
+ "sophos.xg.log_type": "IDP",
+ "sophos.xg.message_id": "06001",
+ "sophos.xg.platform": "Windows",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.rule_priority": "1",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.target": "Server",
 "source.ip": "10.0.0.168",
 "source.port": 28938,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -291,9 +291,9 @@
 "network"
 ],
 "event.code": "020704406002",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"",
 "event.outcome": "success",
 "event.severity": "4",
@@ -302,7 +302,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "warning",
@@ -321,26 +321,26 @@
 "rule.name": "FILE-PDF EmbeddedFile contained within a PDF",
 "server.ip": "10.1.0.115",
 "server.port": 25,
- "service.type": "sophosxg",
- "sophosxg.firewall.category": "Malware Communication",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG750",
- "sophosxg.firewall.dst_country_code": "R1",
- "sophosxg.firewall.fw_rule_id": "2",
- "sophosxg.firewall.idp_policy_id": "1",
- "sophosxg.firewall.log_component": "Anomaly",
- "sophosxg.firewall.log_subtype": "Drop",
- "sophosxg.firewall.log_type": "IDP",
- "sophosxg.firewall.message_id": "06002",
- "sophosxg.firewall.platform": "Windows",
- "sophosxg.firewall.priority": "Warning",
- "sophosxg.firewall.rule_priority": "1",
- "sophosxg.firewall.src_country_code": "R1",
- "sophosxg.firewall.target": "Server",
+ "service.type": "sophos",
+ "sophos.xg.category": "Malware Communication",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG750",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.fw_rule_id": "2",
+ "sophos.xg.idp_policy_id": "1",
+ "sophos.xg.log_component": "Anomaly",
+ "sophos.xg.log_subtype": "Drop",
+ "sophos.xg.log_type": "IDP",
+ "sophos.xg.message_id": "06002",
+ "sophos.xg.platform": "Windows",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.rule_priority": "1",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.target": "Server",
 "source.ip": "10.0.1.31",
 "source.port": 40140,
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 }
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log b/x-pack/filebeat/module/sophos/xg/test/sandbox.log
similarity index 100%
rename from x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log
rename to x-pack/filebeat/module/sophos/xg/test/sandbox.log
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json
similarity index 70%
rename from x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json
rename to x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json
index 19e1cf7ddae..ed32ee3f213 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/sandbox.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json
@@ -6,9 +6,9 @@
 "network"
 ],
 "event.code": "138301618041",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"",
 "event.outcome": "success",
 "event.severity": "6",
@@ -19,7 +19,7 @@
 "connection"
 ],
 "file.size": 0,
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -28,17 +28,17 @@
 "observer.serial_number": "C44310050024-P29PUA",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "CR750iNG-XP",
- "sophosxg.firewall.log_component": "Mail",
- "sophosxg.firewall.log_subtype": "Allowed",
- "sophosxg.firewall.log_type": "Sandbox",
- "sophosxg.firewall.message_id": "18041",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.reason": "eligible",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "CR750iNG-XP",
+ "sophos.xg.log_component": "Mail",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Sandbox",
+ "sophos.xg.message_id": "18041",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.reason": "eligible",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -51,9 +51,9 @@
 "network"
 ],
 "event.code": "138302218042",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"",
 "event.outcome": "success",
 "event.severity": "2",
@@ -65,7 +65,7 @@
 "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81",
 "file.mime_type": "application/octet-stream",
 "file.size": 153006,
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
@@ -83,21 +83,21 @@
 "related.user": [
 "jsmith@iview.com"
 ],
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "CR750iNG-XP",
- "sophosxg.firewall.filename": "1.exe",
- "sophosxg.firewall.log_component": "Mail",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Sandbox",
- "sophosxg.firewall.message_id": "18042",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.reason": "cached malicious",
- "sophosxg.firewall.source": "jsmith@iview.com",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "CR750iNG-XP",
+ "sophos.xg.filename": "1.exe",
+ "sophos.xg.log_component": "Mail",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Sandbox",
+ "sophos.xg.message_id": "18042",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.reason": "cached malicious",
+ "sophos.xg.source": "jsmith@iview.com",
 "source.ip": "10.198.47.112",
 "source.user.name": "jsmith@iview.com",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -108,9 +108,9 @@
 "network"
 ],
 "event.code": "136501618041",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"",
 "event.outcome": "success",
 "event.severity": "6",
@@ -121,7 +121,7 @@
 "connection"
 ],
 "file.size": 0,
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -130,17 +130,17 @@
 "observer.serial_number": "C44313350024-P29PUA",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "CR750iNG-XP",
- "sophosxg.firewall.log_component": "Web",
- "sophosxg.firewall.log_subtype": "Allowed",
- "sophosxg.firewall.log_type": "Sandbox",
- "sophosxg.firewall.message_id": "18041",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.reason": "eligible",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "CR750iNG-XP",
+ "sophos.xg.log_component": "Web",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Sandbox",
+ "sophos.xg.message_id": "18041",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.reason": "eligible",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -152,9 +152,9 @@
 "network"
 ],
 "event.code": "136528618043",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"",
 "event.outcome": "success",
 "event.severity": "6",
@@ -166,7 +166,7 @@
 "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8",
 "file.mime_type": "application/octet-stream",
 "file.size": 153010,
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -184,21 +184,21 @@
 "related.user": [
 "jsmith"
 ],
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "CR750iNG-XP",
- "sophosxg.firewall.filename": "19.exe",
- "sophosxg.firewall.log_component": "Web",
- "sophosxg.firewall.log_subtype": "Pending",
- "sophosxg.firewall.log_type": "Sandbox",
- "sophosxg.firewall.message_id": "18043",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.reason": "pending",
- "sophosxg.firewall.source": "10.198.241.50",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "CR750iNG-XP",
+ "sophos.xg.filename": "19.exe",
+ "sophos.xg.log_component": "Web",
+ "sophos.xg.log_subtype": "Pending",
+ "sophos.xg.log_type": "Sandbox",
+ "sophos.xg.message_id": "18043",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.reason": "pending",
+ "sophos.xg.source": "10.198.241.50",
 "source.ip": "10.198.47.112",
 "source.user.name": "jsmith",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -211,9 +211,9 @@
 "network"
 ],
 "event.code": "136502218042",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"",
 "event.outcome": "success",
 "event.severity": "2",
@@ -225,7 +225,7 @@
 "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8",
 "file.mime_type": "application/octet-stream",
 "file.size": 153010,
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
@@ -243,21 +243,21 @@
 "related.user": [
 "jsmith"
 ],
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "CR750iNG-XP",
- "sophosxg.firewall.filename": "19.exe",
- "sophosxg.firewall.log_component": "Web",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Sandbox",
- "sophosxg.firewall.message_id": "18042",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.reason": "cloud malicious",
- "sophosxg.firewall.source": "10.198.241.50",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "CR750iNG-XP",
+ "sophos.xg.filename": "19.exe",
+ "sophos.xg.log_component": "Web",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Sandbox",
+ "sophos.xg.message_id": "18042",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.reason": "cloud malicious",
+ "sophos.xg.source": "10.198.241.50",
 "source.ip": "10.198.47.112",
 "source.user.name": "jsmith",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
@@ -270,9 +270,9 @@
 "network"
 ],
 "event.code": "136502218042",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=172.16.34.24 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"",
 "event.outcome": "success",
 "event.severity": "2",
@@ -284,7 +284,7 @@
 "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db",
 "file.mime_type": "application/pdf",
 "file.size": 1124,
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
@@ -299,20 +299,20 @@
 "related.ip": [
 "172.16.34.24"
 ],
- "service.type": "sophosxg",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "CR750iNG-XP",
- "sophosxg.firewall.filename": "SBTestFile1.pdf",
- "sophosxg.firewall.log_component": "Web",
- "sophosxg.firewall.log_subtype": "Denied",
- "sophosxg.firewall.log_type": "Sandbox",
- "sophosxg.firewall.message_id": "18042",
- "sophosxg.firewall.priority": "Critical",
- "sophosxg.firewall.reason": "cached malicious",
- "sophosxg.firewall.source": "sophostest.com",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "CR750iNG-XP",
+ "sophos.xg.filename": "SBTestFile1.pdf",
+ "sophos.xg.log_component": "Web",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Sandbox",
+ "sophos.xg.message_id": "18042",
+ "sophos.xg.priority": "Critical",
+ "sophos.xg.reason": "cached malicious",
+ "sophos.xg.source": "sophostest.com",
 "source.ip": "172.16.34.24",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 }
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log b/x-pack/filebeat/module/sophos/xg/test/waf.log
similarity index 100%
rename from x-pack/filebeat/module/sophosxg/firewall/test/waf.log
rename to x-pack/filebeat/module/sophos/xg/test/waf.log
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json
similarity index 72%
rename from x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json
rename to x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json
index b49dfde3ca4..fe6af644611 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/waf.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json
@@ -20,9 +20,9 @@
 "network"
 ],
 "event.code": "075000617071",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79",
 "event.severity": "6",
 "event.timezone": "-02:00",
@@ -30,7 +30,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "http.request.method": "POST",
 "http.version": "HTTP/1.1",
@@ -47,19 +47,19 @@
 ],
 "server.bytes": 5669,
 "server.ip": "185.8.209.207",
- "service.type": "sophosxg",
- "sophosxg.firewall.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.fw_rule_id": "79",
- "sophosxg.firewall.host": "89.68.140.204",
- "sophosxg.firewall.log_component": "Web Application Firewall",
- "sophosxg.firewall.log_type": "WAF",
- "sophosxg.firewall.message_id": "17071",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com",
- "sophosxg.firewall.responsetime": "11199",
- "sophosxg.firewall.server": "webmail.elasticuser.com",
+ "service.type": "sophos",
+ "sophos.xg.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.fw_rule_id": "79",
+ "sophos.xg.host": "89.68.140.204",
+ "sophos.xg.log_component": "Web Application Firewall",
+ "sophos.xg.log_type": "WAF",
+ "sophos.xg.message_id": "17071",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com",
+ "sophos.xg.responsetime": "11199",
+ "sophos.xg.server": "webmail.elasticuser.com",
 "source.as.number": 6830,
 "source.as.organization.name": "Liberty Global B.V.",
 "source.bytes": 1419,
@@ -72,7 +72,7 @@
 "source.geo.region_name": "Pomerania",
 "source.ip": "89.68.140.204",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.full": "/mapi/nspi/",
@@ -99,9 +99,9 @@
 "network"
 ],
 "event.code": "075000617071",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79",
 "event.severity": "6",
 "event.timezone": "-02:00",
@@ -109,7 +109,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "http.request.method": "POST",
 "http.version": "HTTP/1.1",
@@ -126,20 +126,20 @@
 ],
 "server.bytes": 1357,
 "server.ip": "185.8.209.207",
- "service.type": "sophosxg",
- "sophosxg.firewall.contenttype": "application/mapi-http",
- "sophosxg.firewall.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.fw_rule_id": "79",
- "sophosxg.firewall.host": "89.68.140.204",
- "sophosxg.firewall.log_component": "Web Application Firewall",
- "sophosxg.firewall.log_type": "WAF",
- "sophosxg.firewall.message_id": "17071",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com",
- "sophosxg.firewall.responsetime": "14086",
- "sophosxg.firewall.server": "webmail.elasticuser.com",
+ "service.type": "sophos",
+ "sophos.xg.contenttype": "application/mapi-http",
+ "sophos.xg.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.fw_rule_id": "79",
+ "sophos.xg.host": "89.68.140.204",
+ "sophos.xg.log_component": "Web Application Firewall",
+ "sophos.xg.log_type": "WAF",
+ "sophos.xg.message_id": "17071",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com",
+ "sophos.xg.responsetime": "14086",
+ "sophos.xg.server": "webmail.elasticuser.com",
 "source.as.number": 6830,
 "source.as.organization.name": "Liberty Global B.V.",
 "source.bytes": 1774,
@@ -152,7 +152,7 @@
 "source.geo.region_name": "Pomerania",
 "source.ip": "89.68.140.204",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.full": "/mapi/nspi/",
@@ -170,9 +170,9 @@
 "network"
 ],
 "event.code": "075000617071",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3",
 "event.outcome": "success",
 "event.severity": "6",
@@ -181,7 +181,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "http.request.method": "GET",
 "http.version": "HTTP/1.1",
@@ -201,25 +201,25 @@
 ],
 "server.bytes": 726,
 "server.ip": "10.198.233.48",
- "service.type": "sophosxg",
- "sophosxg.firewall.contenttype": "text/html",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.extra": "No signature found",
- "sophosxg.firewall.fw_rule_id": "3",
- "sophosxg.firewall.host": "10.198.235.254",
- "sophosxg.firewall.log_component": "Web Application Firewall",
- "sophosxg.firewall.log_type": "WAF",
- "sophosxg.firewall.message_id": "17071",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.reason": "Static URL Hardening",
- "sophosxg.firewall.responsetime": "19310",
- "sophosxg.firewall.server": "www.iviewtest.com:8989",
+ "service.type": "sophos",
+ "sophos.xg.contenttype": "text/html",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.extra": "No signature found",
+ "sophos.xg.fw_rule_id": "3",
+ "sophos.xg.host": "10.198.235.254",
+ "sophos.xg.log_component": "Web Application Firewall",
+ "sophos.xg.log_type": "WAF",
+ "sophos.xg.message_id": "17071",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.reason": "Static URL Hardening",
+ "sophos.xg.responsetime": "19310",
+ "sophos.xg.server": "www.iviewtest.com:8989",
 "source.bytes": 510,
 "source.ip": "10.198.235.254",
 "source.user.name": "jsmith",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.full": "/",
@@ -237,9 +237,9 @@
 "network"
 ],
 "event.code": "075000617071",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6",
 "event.outcome": "success",
 "event.severity": "6",
@@ -248,7 +248,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "my_fancy_host",
 "http.request.method": "GET",
 "http.request.referrer": "http://www.iviewtest.com:8990/85-0-Download.html",
@@ -269,26 +269,26 @@
 ],
 "server.bytes": 739,
 "server.ip": "10.198.233.48",
- "service.type": "sophosxg",
- "sophosxg.firewall.contenttype": "text/html",
- "sophosxg.firewall.cookie": "; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.extra": "EICAR-AV-Test",
- "sophosxg.firewall.fw_rule_id": "6",
- "sophosxg.firewall.host": "10.198.235.254",
- "sophosxg.firewall.log_component": "Web Application Firewall",
- "sophosxg.firewall.log_type": "WAF",
- "sophosxg.firewall.message_id": "17071",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.reason": "Antivirus",
- "sophosxg.firewall.responsetime": "403214",
- "sophosxg.firewall.server": "www.iviewtest.com:8990",
+ "service.type": "sophos",
+ "sophos.xg.contenttype": "text/html",
+ "sophos.xg.cookie": "; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.extra": "EICAR-AV-Test",
+ "sophos.xg.fw_rule_id": "6",
+ "sophos.xg.host": "10.198.235.254",
+ "sophos.xg.log_component": "Web Application Firewall",
+ "sophos.xg.log_type": "WAF",
+ "sophos.xg.message_id": "17071",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.reason": "Antivirus",
+ "sophos.xg.responsetime": "403214",
+ "sophos.xg.server": "www.iviewtest.com:8990",
 "source.bytes": 715,
 "source.ip": "10.198.235.254",
 "source.user.name": "jsmith",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.full": "/download/eicarcom2.zip",
@@ -312,9 +312,9 @@
 "network"
 ],
 "event.code": "075000617071",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "alert",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3",
 "event.outcome": "success",
 "event.severity": "6",
@@ -323,7 +323,7 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "some_other_host.local",
 "http.request.method": "GET",
 "http.version": "HTTP/1.0",
@@ -340,19 +340,19 @@
 ],
 "server.bytes": 5353,
 "server.ip": "216.167.51.72",
- "service.type": "sophosxg",
- "sophosxg.firewall.contenttype": "text/html",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "XG230",
- "sophosxg.firewall.extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header",
- "sophosxg.firewall.fw_rule_id": "3",
- "sophosxg.firewall.host": "83.97.20.30",
- "sophosxg.firewall.log_component": "Web Application Firewall",
- "sophosxg.firewall.log_type": "WAF",
- "sophosxg.firewall.message_id": "17071",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.reason": "WAF Anomaly",
- "sophosxg.firewall.responsetime": "608",
+ "service.type": "sophos",
+ "sophos.xg.contenttype": "text/html",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header",
+ "sophos.xg.fw_rule_id": "3",
+ "sophos.xg.host": "83.97.20.30",
+ "sophos.xg.log_component": "Web Application Firewall",
+ "sophos.xg.log_type": "WAF",
+ "sophos.xg.message_id": "17071",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.reason": "WAF Anomaly",
+ "sophos.xg.responsetime": "608",
 "source.as.number": 9009,
 "source.as.organization.name": "M247 Ltd",
 "source.bytes": 295,
@@ -365,7 +365,7 @@
 "source.geo.region_name": "Bucuresti",
 "source.ip": "83.97.20.30",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ],
 "url.full": "/"
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log b/x-pack/filebeat/module/sophos/xg/test/wifi.log
similarity index 100%
rename from x-pack/filebeat/module/sophosxg/firewall/test/wifi.log
rename to x-pack/filebeat/module/sophos/xg/test/wifi.log
diff --git a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json
similarity index 56%
rename from x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json
rename to x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json
index 53bd653f02e..64aa8a24494 100644
--- a/x-pack/filebeat/module/sophosxg/firewall/test/wifi.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json
@@ -2,14 +2,14 @@
 {
 "@timestamp": "2017-02-01T14:17:35.000-02:00",
 "event.code": "106025618011",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2",
 "event.outcome": "success",
 "event.severity": "6",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -18,33 +18,33 @@
 "observer.serial_number": "S110016E28BA631",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.ap": "A40024A636F7862",
- "sophosxg.firewall.clients_conn_ssid": "2",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SG115",
- "sophosxg.firewall.log_component": "Wireless Protection",
- "sophosxg.firewall.log_subtype": "Information",
- "sophosxg.firewall.log_type": "Wireless Protection",
- "sophosxg.firewall.message_id": "18011",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.ssid": "SPIDIGO2015",
+ "service.type": "sophos",
+ "sophos.xg.ap": "A40024A636F7862",
+ "sophos.xg.clients_conn_ssid": "2",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG115",
+ "sophos.xg.log_component": "Wireless Protection",
+ "sophos.xg.log_subtype": "Information",
+ "sophos.xg.log_type": "Wireless Protection",
+ "sophos.xg.message_id": "18011",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.ssid": "SPIDIGO2015",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 },
 {
 "@timestamp": "2017-02-01T14:19:47.000-02:00",
 "event.code": "106025618011",
- "event.dataset": "sophosxg.firewall",
+ "event.dataset": "sophos.xg",
 "event.kind": "event",
- "event.module": "sophosxg",
+ "event.module": "sophos",
 "event.original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3",
 "event.outcome": "success",
 "event.severity": "6",
 "event.timezone": "-02:00",
- "fileset.name": "firewall",
+ "fileset.name": "xg",
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
@@ -53,19 +53,19 @@
 "observer.serial_number": "S110016E28BA631",
 "observer.type": "firewall",
 "observer.vendor": "Sophos",
- "service.type": "sophosxg",
- "sophosxg.firewall.ap": "A40024A636F7862",
- "sophosxg.firewall.clients_conn_ssid": "3",
- "sophosxg.firewall.device": "SFW",
- "sophosxg.firewall.device_name": "SG115",
- "sophosxg.firewall.log_component": "Wireless Protection",
- "sophosxg.firewall.log_subtype": "Information",
- "sophosxg.firewall.log_type": "Wireless Protection",
- "sophosxg.firewall.message_id": "18011",
- "sophosxg.firewall.priority": "Information",
- "sophosxg.firewall.ssid": "SPIDIGO2015",
+ "service.type": "sophos",
+ "sophos.xg.ap": "A40024A636F7862",
+ "sophos.xg.clients_conn_ssid": "3",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG115",
+ "sophos.xg.log_component": "Wireless Protection",
+ "sophos.xg.log_subtype": "Information",
+ "sophos.xg.log_type": "Wireless Protection",
+ "sophos.xg.message_id": "18011",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.ssid": "SPIDIGO2015",
 "tags": [
- "sophosxg-firewall",
+ "sophos-xg",
 "forwarded"
 ]
 }
diff --git a/x-pack/filebeat/module/sophosxg/fields.go b/x-pack/filebeat/module/sophosxg/fields.go
deleted file mode 100644
index d564c5e5a31..00000000000
--- a/x-pack/filebeat/module/sophosxg/fields.go
+++ /dev/null
@@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package sophosxg - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "sophosxg", asset.ModuleFieldsPri, AssetSophosxg); err != nil { - panic(err) - } -} - -// AssetSophosxg returns asset data. -// This is the base64 encoded gzipped contents of module/sophosxg. -func AssetSophosxg() string { - return "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" -} diff --git a/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml b/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml deleted file mode 100644 index 78e83f1e2ee..00000000000 --- a/x-pack/filebeat/module/sophosxg/firewall/ingest/systemhealth.yml +++ /dev/null 
@@ -1,158 +0,0 @@
-description: Pipeline for parsing sophos firewall logs (systemhealth pipeline)
-processors:
-#######################
-## ECS Event Mapping ##
-#######################
-#TODO: Need to setup a different field naming convention, maybe "cpu.idle, cpu.system etc"
-- set:
- field: event.kind
- value: event
-- rename:
- field: sophosxg.firewall.idle
- target_field: sophosxg.firewall.idle_cpu
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.idle !=null"
-- gsub:
- field: sophosxg.firewall.idle_cpu
- pattern: "(.{1}$)"
- replacement: ""
- if: 'ctx.sophosxg?.firewall?.log_component == "CPU"'
-- convert:
- field: sophosxg.firewall.idle_cpu
- target_field: sophosxg.firewall.idle_cpu
- type: float
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.idle_cpu != null"
-- rename:
- field: sophosxg.firewall.system
- target_field: sophosxg.firewall.system_cpu
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.system !=null"
-- gsub:
- field: sophosxg.firewall.system_cpu
- pattern: "(.{1}$)"
- replacement: ""
- if: 'ctx.sophosxg?.firewall?.log_component == "CPU"'
-- convert:
- field: sophosxg.firewall.system_cpu
- target_field: sophosxg.firewall.system_cpu
- type: float
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.system_cpu != null"
-- rename:
- field: sophosxg.firewall.user
- target_field: sophosxg.firewall.user_cpu
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.user !=null"
-- gsub:
- field: sophosxg.firewall.user_cpu
- pattern: "(.{1}$)"
- replacement: ""
- if: 'ctx.sophosxg?.firewall?.log_component == "CPU"'
-- convert:
- field: sophosxg.firewall.user_cpu
- target_field: sophosxg.firewall.user_cpu
- type: float
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.user_cpu != null"
-- convert:
- field: sophosxg.firewall.used
- target_field: sophosxg.firewall.used
- type: integer
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.used != null"
-- convert:
- field: sophosxg.firewall.total_memory
- target_field: sophosxg.firewall.total_memory
- type: integer
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.total_memory != null"
-- convert:
- field: sophosxg.firewall.free
- target_field: sophosxg.firewall.free
- type: integer
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.free != null"
-- gsub:
- field: sophosxg.firewall.Configuration
- pattern: "(.{1}$)"
- replacement: ""
- if: 'ctx.sophosxg?.firewall?.log_component == "Disk"'
-- convert:
- field: sophosxg.firewall.Configuration
- target_field: sophosxg.firewall.configuration
- type: float
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.Configuration != null"
-- gsub:
- field: sophosxg.firewall.Reports
- pattern: "(.{1}$)"
- replacement: ""
- if: 'ctx.sophosxg?.firewall?.log_component == "Disk"'
-- convert:
- field: sophosxg.firewall.Reports
- target_field: sophosxg.firewall.Reports
- type: float
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.Reports != null"
-- gsub:
- field: sophosxg.firewall.Temp
- pattern: "(.{1}$)"
- replacement: ""
- if: 'ctx.sophosxg?.firewall?.log_component == "Disk"'
-- convert:
- field: sophosxg.firewall.Temp
- target_field: sophosxg.firewall.Temp
- type: float
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.Temp != null"
-- gsub:
- field: sophosxg.firewall.Signature
- pattern: "(.{1}$)"
- replacement: ""
- if: 'ctx.sophosxg?.firewall?.log_component == "Disk"'
-- convert:
- field: sophosxg.firewall.Signature
- target_field: sophosxg.firewall.Signature
- type: float
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.Signature != null"
-- convert:
- field: sophosxg.firewall.users
- target_field: sophosxg.firewall.users
- type: integer
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.users != null"
-- convert:
- field: sophosxg.firewall.transmittedkbits
- target_field: sophosxg.firewall.transmittedkbits
- type: float
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.transmittedkbits != null"
-- convert:
- field: sophosxg.firewall.receivedkbits
- target_field: sophosxg.firewall.receivedkbits
- type: float
- ignore_failure: true
- ignore_missing: true
- if: "ctx.sophosxg?.firewall?.receivedkbits != null"
-
-#############
-## Cleanup ##
-#############
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/modules.d/sophosxg.yml.disabled b/x-pack/filebeat/modules.d/sophos.yml.disabled
similarity index 75%
rename from x-pack/filebeat/modules.d/sophosxg.yml.disabled
rename to x-pack/filebeat/modules.d/sophos.yml.disabled
index 03e87f7b7c0..c870ebb4910 100644
--- a/x-pack/filebeat/modules.d/sophosxg.yml.disabled
+++ b/x-pack/filebeat/modules.d/sophos.yml.disabled
@@ -1,8 +1,8 @@
-# Module: sophosxg
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sophosxg.html
+# Module: sophos
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sophos.html
 
-- module: sophosxg
- firewall:
+- module: sophos
+ xg:
 enabled: true
 
 # Set which input to use between tcp, udp (default) or file.
@@ -15,9 +15,9 @@
 # The port to listen for syslog traffic. Defaults to 9004.
 #var.syslog_port: 9005
 
- # firewall default hostanme
+ # firewall default hostname
 #var.default_host_name: firewall.localgroup.local
-
+
 # known firewalls
 #var.known_devices:
 "device1_serialnumber": "a.host.local"
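Review bot: The docs link on the new side of the `@@ -1,8 +1,8 @@` hunk of `modules.d/sophos.yml.disabled` now points at `master` (`# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sophos.html`) while the line it replaces used `7.x`; since the commit message says this is a cherry-pick, that looks like the file was regenerated against the wrong branch, and the backport's header should keep the `7.x` segment. If `modules.d/*.yml.disabled` is produced from `_meta/config.yml` by the build, regenerating it on the target branch is preferable to hand-editing the URL. Separately, the `systemhealth.yml` ingest pipeline earlier in this patch is deleted rather than renamed under `sophos/xg`; if that is intentional the commit message should say so, and if `pipeline.yml` (not visible here) still routes to it, pipeline loading would fail at runtime.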