Merge remote-tracking branch 'origin/release/v10.8.1' into release/v10.8.1

mjabascal10 · mjabascal10 · commit b086bce4f8b2 · 2025-05-16T17:53:50.000-05:00
diff --git a/backend/src/main/java/com/park/utmstack/util/chart_builder/elasticsearch_dsl/responses/impl/coordinate_map/ResponseParserForCoordinateMapChart.java b/backend/src/main/java/com/park/utmstack/util/chart_builder/elasticsearch_dsl/responses/impl/coordinate_map/ResponseParserForCoordinateMapChart.java
@@ -45,7 +45,9 @@ public List<CoordinateMapChartResult> parse(UtmVisualization visualization, Sear
 
             if (bucket != null) {
                 List<BucketAggregation> entries = TermAggregateParser.parse(result.aggregations().get(bucket.getId()));
-                entries = entries.stream().filter(e -> StringUtils.hasText(e.getKey())).collect(Collectors.toList());
+                entries = entries.stream().filter(e -> isValidIP(e.getKey()))
+                        .collect(Collectors.toList());
+
 
                 for (BucketAggregation entry : entries) {
                     GeoIp ipV4Info;
@@ -88,4 +90,25 @@ public List<CoordinateMapChartResult> parse(UtmVisualization visualization, Sear
             throw new RuntimeException(ctx + ": " + e.getMessage());
         }
     }
+
+    public static boolean isValidIP(String ip) {
+        return isValidIPv4(ip) || isValidIPv6(ip);
+    }
+
+
+    public static boolean isValidIPv4(String ip) {
+        if (ip == null || ip.isEmpty()) return false;
+        String regex =
+                "^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)(\\.|$)){4}$";
+        return ip.matches(regex);
+    }
+
+    public static boolean isValidIPv6(String ip) {
+        if (ip == null || ip.isEmpty()) return false;
+        String regex =
+                "^(?:[\\da-fA-F]{1,4}:){7}[\\da-fA-F]{1,4}$";
+        return ip.matches(regex);
+    }
+
+
 }
diff --git a/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml b/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml
@@ -12,9 +12,21 @@
 
 # Sophos_Central version 1.0.0
 
-     split {
-      field => "message"
-      terminator => "<utm-log-separator>"
+    json {
+        source => "message"
+    }
+
+    if ([dataType] == "sophos-central") {
+
+        mutate {
+            rename => { "[logx][sophos_central][source_info][ip]" => "[logx][sophos_central][source_ip]"}
+            rename => { "[logx][sophos_central][when]" => "[logx][sophos_central][timestamp_occurred_at]"}
+            rename => { "[logx][sophos_central][created_at]" => "[logx][sophos_central][timestamp_generated_at]"}
+        }
+
+        mutate {
+            remove_field => ["headers", "@version", "global", "[logx][sophos_central][core_remedy_items][totalItems]"]
+        }
     }
 }', 'sophos-central', null, true, 'SOPHOS', false, '2.0.1');
             ]]>
@@ -25,7 +37,7 @@
 
 
             INSERT INTO utm_logstash_pipeline (id, pipeline_id, pipeline_name, parent_pipeline, pipeline_status, module_name, system_owner, pipeline_description, pipeline_internal, events_in, events_filtered, events_out, reloads_successes, reloads_failures, reloads_last_failure_timestamp, reloads_last_error, reloads_last_success_timestamp)
-            VALUES (56, 'sophos-central', 'Sophos Central', null, 'up', 'AWS', true, null, false, 0, 0, 0, 0, 0, null, null, null);
+            VALUES (56, 'sophos-central', 'Sophos Central', null, 'up', 'SOPHOS', true, null, false, 0, 0, 0, 0, 0, null, null, null);
 
             INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation)
             VALUES (1527, 56, 'PIPELINE_FILTER');
diff --git a/backend/src/main/resources/config/liquibase/changelog/20250515001_update_filter_aws.xml b/backend/src/main/resources/config/liquibase/changelog/20250515001_update_filter_aws.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20250515001" author="JocLRojas">
+
+        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+            <![CDATA[
+
+            UPDATE public.utm_logstash_filter
+            SET filter_version='2.0.0',
+	        logstash_filter='filter {
+
+# Amazon Web Service version 2.0.0
+
+    json {
+        source => "message"
+        target => "parsed_message"
+    }
+
+    if ([parsed_message][logx][type] == "aws") {
+        mutate {
+            add_field => {
+                "dataType" => "aws"
+                "dataSource" => "%{[parsed_message][logx][tenant]}"
+            }
+        }
+
+        json {
+            source => "[parsed_message][logx][aws][message]"
+            target => "[logx][aws]"
+        }
+
+        mutate {
+            rename => { "[logx][aws][eventVersion]" => "[logx][aws][eventVersion]"}
+            rename => { "[logx][aws][userIdentity][accountId]" => "[logx][aws][accountId]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][attributes][creationDate]" => "[logx][aws][creationDate]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][accountId]" => "[logx][aws][sessionIssuerAccountId]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][arn]" => "[logx][aws][sessionIssuerArn]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][principalId]" => "[logx][aws][sessionIssuerPrincipalId]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][type]" => "[logx][aws][sessionIssuerType]"}
+            rename => { "[logx][aws][additionalEventData][SignatureVersion]" => "[logx][aws][SignatureVersion]"}
+            rename => { "[logx][aws][additionalEventData][x-amz-id-2]" => "[logx][aws][xamzId2]"}
+            rename => { "[logx][aws][responseElements][x-amz-expiration]" => "[logx][aws][xAmzExpiration]"}
+        }
+
+		mutate {
+            remove_field => ["headers", "parsed_message", "@version"]
+        }
+    }
+}'
+	WHERE id=101;
+            ]]>
+        </sql>
+    </changeSet>
+</databaseChangeLog>
diff --git a/backend/src/main/resources/config/liquibase/changelog/20250515003_update_filter_o365.xml b/backend/src/main/resources/config/liquibase/changelog/20250515003_update_filter_o365.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20250515003" author="JocLRojas">
+
+        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+            <![CDATA[
+
+            UPDATE public.utm_logstash_filter
+            SET filter_version='2.0.0',
+	        logstash_filter='filter {
+
+# Office 365 version 2.0.0
+
+  	json {
+        source => "message"
+    }
+
+    if ([dataType] == "o365") {
+
+        mutate {
+            rename => {"[logx][tenant]" => "[logx][o365][tenant]"}
+        }
+
+        mutate {
+            remove_field => ["headers", "@version", "global"]
+        }
+    }
+}'
+	WHERE id=601;
+            ]]>
+        </sql>
+    </changeSet>
+</databaseChangeLog>
diff --git a/backend/src/main/resources/config/liquibase/changelog/20250516001_udpate_sophos_name.xml b/backend/src/main/resources/config/liquibase/changelog/20250516001_udpate_sophos_name.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20250516001" author="Manuel">
+        <sql>
+                UPDATE utm_module
+                set pretty_name = 'Sophos Firewall'
+                WHERE id = 30;
+        </sql>
+    </changeSet>
+
+</databaseChangeLog>
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
@@ -97,5 +97,11 @@
 
     <include file="/config/liquibase/changelog/20250507003_add_o365_pipeline.xml" relativeToChangelogFile="false"/>
 
+    <include file="/config/liquibase/changelog/20250515001_update_filter_aws.xml" relativeToChangelogFile="false"/>
+
+    <include file="/config/liquibase/changelog/20250515003_update_filter_o365.xml" relativeToChangelogFile="false"/>
+
+    <include file="/config/liquibase/changelog/20250516001_udpate_sophos_name.xml" relativeToChangelogFile="false"/>
+
 
 </databaseChangeLog>
diff --git a/filters/aws/aws.conf b/filters/aws/aws.conf
@@ -1,68 +1,40 @@
 filter {
-    if ([logx][type] and [logx][type] == "aws") {
+
+# Amazon Web Service version 2.0.0
+
+    json {
+        source => "message"
+        target => "parsed_message"
+    }
+
+    if ([parsed_message][logx][type] == "aws") {
         mutate {
             add_field => {
                 "dataType" => "aws"
-            }
-            add_field => {
-                "dataSource" => "aws"
+                "dataSource" => "%{[parsed_message][logx][tenant]}"
             }
         }
 
-	if [logx][aws][message] {
-		
-		 grok {
-            match => {"[logx][aws][message]" => "%{GREEDYDATA:b} %{IP:src_ip} %{IP:dest_ip} %{BASE10NUM:src_port} %{BASE10NUM:dest_port} %{GREEDYDATA:a} %{GREEDYDATA:c} %{WORD:action} %{GREEDYDATA:message_text}"}
-		}
-		
-		if [message_text] {
-			mutate {
-				rename => {
-					"message_text" => "[logx][aws][details][message_text]"
-                }
-            }
-         }
-		if [action] {
-			mutate {
-				rename => {
-					"action" => "[logx][aws][details][action]"
-                }
-            }
-         }
-		if [src_port] {
-			mutate {
-				rename => {
-					"src_port" => "[logx][aws][details][src_port]"
-                }
-            }
-         }
-		if [dest_ip] {
-			mutate {
-				rename => {
-					"dest_ip" => "[logx][aws][details][dest_ip]"
-                }
-            }
-         }
-		if [src_ip] {
-			mutate {
-				rename => {
-					"src_ip" => "[logx][aws][details][src_ip]"
-                }
-            }
-         }
-        if [dest_port] {
-			mutate {
-				rename => {
-					"dest_port" => "[logx][aws][details][dest_port]"
-                }
-            }
-         }
-		 
-	}
-
+        json {
+            source => "[parsed_message][logx][aws][message]"
+            target => "[logx][aws]"
+        }
 
         mutate {
-            remove_field => ["headers", "[logx][type]", "@version", "global", "es_metadata_id","a","b","c"]
+            rename => { "[logx][aws][eventVersion]" => "[logx][aws][eventVersion]"}
+            rename => { "[logx][aws][userIdentity][accountId]" => "[logx][aws][accountId]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][attributes][creationDate]" => "[logx][aws][creationDate]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][accountId]" => "[logx][aws][sessionIssuerAccountId]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][arn]" => "[logx][aws][sessionIssuerArn]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][principalId]" => "[logx][aws][sessionIssuerPrincipalId]"}
+            rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][type]" => "[logx][aws][sessionIssuerType]"}
+            rename => { "[logx][aws][additionalEventData][SignatureVersion]" => "[logx][aws][SignatureVersion]"}
+            rename => { "[logx][aws][additionalEventData][x-amz-id-2]" => "[logx][aws][xamzId2]"}
+            rename => { "[logx][aws][responseElements][x-amz-expiration]" => "[logx][aws][xAmzExpiration]"}
+        }
+
+		mutate {
+            remove_field => ["headers", "parsed_message", "@version"]
         }
     }
-}
+}
diff --git a/filters/office365/o365-all.conf b/filters/office365/o365-all.conf
@@ -1,17 +1,19 @@
 filter {
-    if [logx][type] and [logx][type] == "o365" {
+
+# Office 365 version 2.0.0
+
+  	json {
+        source => "message"
+    }
+
+    if ([dataType] == "o365") {
+
         mutate {
-            add_field => {
-                "dataType" => "o365"
-            }
-            add_field => {
-                "dataSource" => "o365"
-            }
+            rename => {"[logx][tenant]" => "[logx][o365][tenant]"}
         }
 
         mutate {
-            remove_field => ["headers", "[logx][type]", "@version", "global", "es_metadata_id"]
+            remove_field => ["headers", "@version", "global"]
         }
-
     }
 }
diff --git a/filters/sophos/sophos_central.conf b/filters/sophos/sophos_central.conf
@@ -0,0 +1,21 @@
+filter {
+
+# Sophos_Central version 1.0.0
+
+    json {
+        source => "message"
+    }
+
+    if ([dataType] == "sophos-central") {
+
+        mutate {
+            rename => { "[logx][sophos_central][source_info][ip]" => "[logx][sophos_central][source_ip]"}
+            rename => { "[logx][sophos_central][when]" => "[logx][sophos_central][timestamp_occurred_at]"}
+            rename => { "[logx][sophos_central][created_at]" => "[logx][sophos_central][timestamp_generated_at]"}
+        }
+
+        mutate {
+            remove_field => ["headers", "@version", "global", "[logx][sophos_central][core_remedy_items][totalItems]"]
+        }
+    }
+}
