diff --git a/content/en/observability_pipelines/packs/_index.md b/content/en/observability_pipelines/packs/_index.md
index 153c931d69e..048dc28ac32 100644
--- a/content/en/observability_pipelines/packs/_index.md
+++ b/content/en/observability_pipelines/packs/_index.md
@@ -60,23 +60,30 @@ These packs are available:
 - [AWS CloudTrail][8]
 - [AWS Elastic Load Balancer Logs][9]
 - [AWS Network Load Balancer Logs][10]
+- [AWS WAF][28]
+- [Check Point][29]
 - [Cisco ASA][11]
+- [Cisco Meraki][30]
 - [Cloudflare][12]
+- [CrowdStrike FDR][31]
 - [F5][13]
 - [Fastly][14]
 - [Fortinet Firewall][15]
 - [HAProxy Ingress][16]
+- [Infoblox][32]
 - [Istio Proxy][17]
 - [Juniper SRX Firewall Traffic Logs][18]
 - [Netskope][19]
 - [NGINX][20]
 - [Okta][21]
 - [Palo Alto Firewall][22]
+- [SentinelOne Cloud Funnel EDR][33]
 - [Windows XML][23]
 - [ZScaler ZIA DNS][24]
 - [Zscaler ZIA Firewall][25]
 - [Zscaler ZIA Tunnel][26]
 - [Zscaler ZIA Web Logs][27]
+- [Zscaler ZPA][34]
 
 ## Setup
 
@@ -125,4 +132,11 @@ To set up packs:
 [24]: /observability_pipelines/packs/zscaler_zia_dns/
 [25]: /observability_pipelines/packs/zscaler_zia_firewall/
 [26]: /observability_pipelines/packs/zscaler_zia_tunnel/
-[27]: /observability_pipelines/packs/zscaler_zia_web_logs/
\ No newline at end of file
+[27]: /observability_pipelines/packs/zscaler_zia_web_logs/
+[28]: /observability_pipelines/packs/aws_waf/
+[29]: /observability_pipelines/packs/checkpoint/
+[30]: /observability_pipelines/packs/cisco_meraki/
+[31]: /observability_pipelines/packs/crowdstrike/
+[32]: /observability_pipelines/packs/infoblox/
+[33]: /observability_pipelines/packs/sentinel_one/
+[34]: /observability_pipelines/packs/zscaler_zpa/
\ No newline at end of file
diff --git a/content/en/observability_pipelines/packs/aws_waf.md b/content/en/observability_pipelines/packs/aws_waf.md
new file mode 100644
index 00000000000..4d2991e5211
--- /dev/null
+++ b/content/en/observability_pipelines/packs/aws_waf.md
@@ -0,0 +1,20 @@
+---
+title: AWS WAF
+description: Learn more about the AWS WAF pack.
+---
+
+## Overview
+
+{{< img src="observability_pipelines/packs/aws_waf.png" alt="The AWS WAF pack" style="width:25%;" >}}
+
+AWS WAF captures AWS WAF logs from CloudWatch, S3, or Firehose.
+
+What this pack does:
+
+- Extracts metrics by action and terminating rule
+- Optionally, drops and samples `ALLOW` logs
+- Drops unused fields, null fields, and redacts credentials
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
diff --git a/content/en/observability_pipelines/packs/checkpoint.md b/content/en/observability_pipelines/packs/checkpoint.md
new file mode 100644
index 00000000000..51aa612b859
--- /dev/null
+++ b/content/en/observability_pipelines/packs/checkpoint.md
@@ -0,0 +1,20 @@
+---
+title: Check Point
+description: Learn more about the Check Point pack.
+---
+
+## Overview
+
+{{< img src="observability_pipelines/packs/checkpoint.png" alt="The Check Point pack" style="width:25%;" >}}
+
+Processes Check Point logs in CEF format, with or without syslog prefix.
+
+What this pack does:
+
+- Parses and renames fields
+- Generates metrics by severity and by event name
+- Drops `Accept` traffic; samples low-severity events
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
diff --git a/content/en/observability_pipelines/packs/cisco_meraki.md b/content/en/observability_pipelines/packs/cisco_meraki.md
new file mode 100644
index 00000000000..fa7e19f399a
--- /dev/null
+++ b/content/en/observability_pipelines/packs/cisco_meraki.md
@@ -0,0 +1,20 @@
+---
+title: Cisco Meraki
+description: Learn more about the Cisco Meraki pack.
+---
+
+## Overview
+
+{{< img src="observability_pipelines/packs/cisco_meraki.png" alt="The Cisco Meraki pack" style="width:25%;" >}}
+
+Cisco Meraki captures appliance events, flows, VPN firewall, NAT flows, and URL activity.
+
+What this pack does:
+
+- Parses syslog to structured fields
+- Extracts log-type, flow action, and transport metrics
+- Normalizes attributes and samples high-volume events
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
diff --git a/content/en/observability_pipelines/packs/crowdstrike.md b/content/en/observability_pipelines/packs/crowdstrike.md
new file mode 100644
index 00000000000..ef7409143b9
--- /dev/null
+++ b/content/en/observability_pipelines/packs/crowdstrike.md
@@ -0,0 +1,20 @@
+---
+title: CrowdStrike FDR
+description: Learn more about the CrowdStrike FDR pack.
+---
+
+## Overview
+
+{{< img src="observability_pipelines/packs/crowdstrike.png" alt="The CrowdStrike FDR pack" style="width:25%;" >}}
+
+Falcon Data Replicator (FDR) provides endpoint detection and response.
+
+What this pack does:
+
+- Drops high-volume, low-signal operational events
+- Drops sensor health and telemetry-only events
+- Drops benign process execution events
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
diff --git a/content/en/observability_pipelines/packs/infoblox.md b/content/en/observability_pipelines/packs/infoblox.md
new file mode 100644
index 00000000000..bfe2ce2391a
--- /dev/null
+++ b/content/en/observability_pipelines/packs/infoblox.md
@@ -0,0 +1,20 @@
+---
+title: Infoblox
+description: Learn more about the Infoblox pack.
+---
+
+## Overview
+
+{{< img src="observability_pipelines/packs/infoblox.png" alt="The Infoblox pack" style="width:25%;" >}}
+
+Infoblox NIOS syslog captures DNS, DHCP, audit, and CEF activity from appliances.
+
+What this pack does:
+
+- Parses logs into structured fields
+- Extracts DNS response code and DHCP event metrics
+- Normalizes request data and samples high-volume events
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
diff --git a/content/en/observability_pipelines/packs/sentinel_one.md b/content/en/observability_pipelines/packs/sentinel_one.md
new file mode 100644
index 00000000000..68782a77fb2
--- /dev/null
+++ b/content/en/observability_pipelines/packs/sentinel_one.md
@@ -0,0 +1,20 @@
+---
+title: SentinelOne Cloud Funnel EDR
+description: Learn more about the SentinelOne Cloud Funnel EDR pack.
+---
+
+## Overview
+
+{{< img src="observability_pipelines/packs/sentinel_one.png" alt="The SentinelOne Cloud Funnel EDR pack" style="width:25%;" >}}
+
+SentinelOne Cloud Funnel streams EDR and Deep Visibility events as JSON to cloud storage.
+
+What this pack does:
+
+- Drops low-value types
+- Removes unused fields per event type (DNS, File, Process, Network, Registry, and so on)
+- Optionally, remove counter field
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
diff --git a/content/en/observability_pipelines/packs/zscaler_zpa.md b/content/en/observability_pipelines/packs/zscaler_zpa.md
new file mode 100644
index 00000000000..d2232e5f062
--- /dev/null
+++ b/content/en/observability_pipelines/packs/zscaler_zpa.md
@@ -0,0 +1,20 @@
+---
+title: Zscaler ZPA
+description: Learn more about the Zscaler ZPA pack.
+---
+
+## Overview
+
+{{< img src="observability_pipelines/packs/zscaler_zpa.png" alt="The Zscaler ZPA pack" style="width:25%;" >}}
+
+Zscaler Private Access captures private app access, sessions, and connections.
+
+What this pack does:
+
+- Normalizes ZPA fields, drops null and empty fields, maps key fields
+- Samples successful and Browser Access traffic
+- Tags failed or blocked connections
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
diff --git a/static/images/observability_pipelines/packs/aws_waf.png b/static/images/observability_pipelines/packs/aws_waf.png
new file mode 100644
index 00000000000..00755b8b5d1
Binary files /dev/null and b/static/images/observability_pipelines/packs/aws_waf.png differ
diff --git a/static/images/observability_pipelines/packs/checkpoint.png b/static/images/observability_pipelines/packs/checkpoint.png
new file mode 100644
index 00000000000..8a7dd82c379
Binary files /dev/null and b/static/images/observability_pipelines/packs/checkpoint.png differ
diff --git a/static/images/observability_pipelines/packs/cisco_meraki.png b/static/images/observability_pipelines/packs/cisco_meraki.png
new file mode 100644
index 00000000000..4eff23155bc
Binary files /dev/null and b/static/images/observability_pipelines/packs/cisco_meraki.png differ
diff --git a/static/images/observability_pipelines/packs/crowdstrike.png b/static/images/observability_pipelines/packs/crowdstrike.png
new file mode 100644
index 00000000000..6629703a874
Binary files /dev/null and b/static/images/observability_pipelines/packs/crowdstrike.png differ
diff --git a/static/images/observability_pipelines/packs/infoblox.png b/static/images/observability_pipelines/packs/infoblox.png
new file mode 100644
index 00000000000..43930847f01
Binary files /dev/null and b/static/images/observability_pipelines/packs/infoblox.png differ
diff --git a/static/images/observability_pipelines/packs/sentinel_one.png b/static/images/observability_pipelines/packs/sentinel_one.png
new file mode 100644
index 00000000000..e39dcc2944c
Binary files /dev/null and b/static/images/observability_pipelines/packs/sentinel_one.png differ
diff --git a/static/images/observability_pipelines/packs/zscaler_zpa.png b/static/images/observability_pipelines/packs/zscaler_zpa.png
new file mode 100644
index 00000000000..fff037df1b8
Binary files /dev/null and b/static/images/observability_pipelines/packs/zscaler_zpa.png differ