feat: add sophos, m365 and aws filters

Author: mjabascal10

backend/src/main/resources/config/liquibase/changelog/20240403003_adding_aix.xml

@@ -197,8 +197,8 @@ AS
     if ![dataType] {
 # The log destination is already identified by the agent so, don''t need an entry point
 #......................................................................#
-            
-            #......................................................................# 
+
+            #......................................................................#
             #Generating dataType field required by CurrelationRulesEngine
             mutate {
                 add_field => { "dataType" => "ibm-aix" }
@@ -225,7 +225,7 @@ AS
                     if [msg_all]{
                         #...................................................................#
                         #Checking that the message contains TTY= or PWD= or COMMAND= or USER=
-                        if (("TTY=" in [msg_all] and ";" in [msg_all]) or ("PWD=" in [msg_all] and ";" in [msg_all]) or ("USER=" in [msg_all] and ";" in [msg_all]) or 
+                        if (("TTY=" in [msg_all] and ";" in [msg_all]) or ("PWD=" in [msg_all] and ";" in [msg_all]) or ("USER=" in [msg_all] and ";" in [msg_all]) or
                         ("COMMAND=" in [msg_all] and ";" in [msg_all])){
                             #......................................................................#
                             #Using grok to parse msg_all
@@ -328,15 +328,15 @@ AS
                             }
                         }
                     }
-                    
+
                 }else{
                     grok {
                         match => {
                             "msg_init" => "%{WORD:eventType}: %{DATA:irrelevant}\[%{INT:PID}\] %{GREEDYDATA:msg}"
                         }
                     }
                 }
-               
+
             }
             #.....................................................................#
             #Generating dataSource field required by Correlation Engine

…0527001_update_filter_sophos_central.xml …0528001_insert_filter_sophos_central.xmlbackend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_sophos_central.xml renamed to backend/src/main/resources/config/liquibase/changelog/20250528001_insert_filter_sophos_central.xml backend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_sophos_central.xml renamed to backend/src/main/resources/config/liquibase/changelog/20250528001_insert_filter_sophos_central.xml

@@ -1,17 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <databaseChangeLog
-    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
 
-    <changeSet id="20250527001" author="JocLRojas">
-
-        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+    <changeSet id="20250528001" author="JocLRojas">
+        <sql>
             <![CDATA[
-
-            UPDATE public.utm_logstash_filter
-            SET filter_version='1.0.0',
-	        logstash_filter='# Sophos_Central filter, version 1.0.0 using "SF syslog file guide 20.0"
+            INSERT INTO utm_logstash_filter (id, logstash_filter, filter_name, filter_group_id, system_owner, module_name, is_active, filter_version, data_type_id)
+            VALUES (1527, '# Sophos_Central filter using "SF syslog file guide 20.0", version 1.0.0
 
 # See: https://docs.sophos.com/nsg/sophos-firewall/20.0/pdf/sf-syslog-guide-20.0.pdf
 # and https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/TroubleshootingLogs/LogFileDetails/index.html#https-ftp-waf
@@ -61,9 +58,12 @@ pipeline:
       - rename:
           from:
             - log.sourceinfo
-          to: log.sourceInfo'
-	WHERE id=1527;
+          to: log.sourceInfo', 'sophos-central', null, true, 'SOPHOS', false, '1.0.0', 30);
+
+            INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation)
+            VALUES (1527, 52, 'PIPELINE_FILTER');
             ]]>
         </sql>
     </changeSet>
-</databaseChangeLog>
+
+</databaseChangeLog>

…gelog/20250527002_update_filter_m365.xml …gelog/20250528002_insert_filter_o365.xmlbackend/src/main/resources/config/liquibase/changelog/20250527002_update_filter_m365.xml renamed to backend/src/main/resources/config/liquibase/changelog/20250528002_insert_filter_o365.xml backend/src/main/resources/config/liquibase/changelog/20250527002_update_filter_m365.xml renamed to backend/src/main/resources/config/liquibase/changelog/20250528002_insert_filter_o365.xml

@@ -1,21 +1,20 @@
 <?xml version="1.0" encoding="utf-8"?>
 <databaseChangeLog
-    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
 
-    <changeSet id="20250527002" author="JocLRojas">
-
-        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+    <changeSet id="20250528002" author="JocLRojas">
+        <sql>
             <![CDATA[
+            INSERT INTO utm_logstash_filter (id, logstash_filter, filter_name, filter_group_id, system_owner, module_name, is_active, filter_version, data_type_id)
+            VALUES (1528, '# Microsoft 365 filter, version 1.0.0
 
-            UPDATE public.utm_logstash_filter
-            SET filter_version='1.0.0',
-	          logstash_filter='# Microsoft 365 filter, version 1.0.0
 # Based on Official documentation
 # See https://learn.microsoft.com/en-us/compliance/assurance/assurance-microsoft-365-audit-log-collection
 # https://learn.microsoft.com/es-es/office/office-365-management-api/aip-unified-audit-logs-best-practices
 # https://learn.microsoft.com/en-us/purview/audit-log-activities
+
 pipeline:
   - dataTypes:
       - o365
@@ -95,9 +94,12 @@ pipeline:
       # Removing unused fields
       - delete:
           fields:
-            - log.AppAccessContext'
-	WHERE id=1527;
+            - log.AppAccessContext', 'o365', null, true, 'O365', false, '1.0.0', 4);
+
+            INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation)
+            VALUES (1528, 54, 'PIPELINE_FILTER');
             ]]>
         </sql>
     </changeSet>
-</databaseChangeLog>
+
+</databaseChangeLog>

…ngelog/20250527003_update_filter_aws.xml …ngelog/20250528003_insert_filter_aws.xmlbackend/src/main/resources/config/liquibase/changelog/20250527003_update_filter_aws.xml renamed to backend/src/main/resources/config/liquibase/changelog/20250528003_insert_filter_aws.xml backend/src/main/resources/config/liquibase/changelog/20250527003_update_filter_aws.xml renamed to backend/src/main/resources/config/liquibase/changelog/20250528003_insert_filter_aws.xml

@@ -1,17 +1,15 @@
 <?xml version="1.0" encoding="utf-8"?>
 <databaseChangeLog
-    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
 
-    <changeSet id="20250527002" author="JocLRojas">
-
-        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+    <changeSet id="20250528003" author="JocLRojas">
+        <sql>
             <![CDATA[
 
-            UPDATE public.utm_logstash_filter
-            SET filter_version='1.0.0',
-	          logstash_filter='# AWS filter, version 1.0.0
+            INSERT INTO utm_logstash_filter (id, logstash_filter, filter_name, filter_group_id, system_owner, module_name, is_active, filter_version, data_type_id)
+            VALUES (1529, '# AWS filter, version 1.0.0
 
 pipeline:
   - dataTypes:
@@ -1523,9 +1521,12 @@ pipeline:
             - log.requestParameters
             - log.responseElements
             - log.userIdentity
-            - log.additionalEventData'
-	WHERE id=1527;
+            - log.additionalEventData', 'aws', null, true, 'AWS_IAM_USER', false, '1.0.0', 2);
+
+            INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation)
+            VALUES (1529, 53, 'PIPELINE_FILTER');
             ]]>
         </sql>
     </changeSet>
-</databaseChangeLog>
+
+</databaseChangeLog>

backend/src/main/resources/config/liquibase/master.xml

@@ -218,10 +218,10 @@
 
     <include file="/config/liquibase/changelog/20250516001_udpate_sophos_name.xml" relativeToChangelogFile="false"/>
 
-    <include file="/config/liquibase/changelog/20250527001_update_filter_sophos_central.xml" relativeToChangelogFile="false"/>
+    <include file="/config/liquibase/changelog/20250528001_insert_filter_sophos_central.xml" relativeToChangelogFile="false"/>
 
-    <include file="/config/liquibase/changelog/20250527002_update_filter_m365.xml" relativeToChangelogFile="false"/>
+    <include file="/config/liquibase/changelog/20250528002_insert_filter_o365.xml" relativeToChangelogFile="false"/>
 
-    <include file="/config/liquibase/changelog/20250527003_update_filter_aws.xml" relativeToChangelogFile="false"/>
+    <include file="/config/liquibase/changelog/20250528003_insert_filter_aws.xml" relativeToChangelogFile="false"/>
 
 </databaseChangeLog>