diff --git a/.github/workflows/v11-deployment-pipeline.yml b/.github/workflows/v11-deployment-pipeline.yml index 8ac8a5e94..65d09e245 100644 --- a/.github/workflows/v11-deployment-pipeline.yml +++ b/.github/workflows/v11-deployment-pipeline.yml @@ -522,7 +522,7 @@ jobs: -H "Content-Type: application/json" \ -H "id: $auth_id" \ -H "key: $auth_key" \ - -d "{\"instance_id\": \"$instance_id\", \"version\": \"$TAG\"}") + -d "{\"instances_ids\": [\"$instance_id\"], \"version\": \"$TAG\"}") http_code=$(echo "$response" | tail -n1) body=$(echo "$response" | sed '$d') diff --git a/README.md b/README.md index 3020fdfd9..553f1624f 100644 --- a/README.md +++ b/README.md @@ -1,27 +1,32 @@ -
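Review bot: The new `-d` payload on the changed line still builds the JSON body by interpolating `$instance_id` and `$TAG` into a quoted string, so a value containing a double quote or backslash produces a malformed request that the endpoint rejects, rather than a failure the pipeline notices. Generating the body with jq avoids that: `-d "$(jq -n --arg id "$instance_id" --arg v "$TAG" '{instances_ids: [$id], version: $v}')"`. The curl invocation starts before this hunk, so the rest of the step (including how http_code is checked) is not visible here.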

-
- UTMStack -

+# UTMStack

- - - - - - + + UTMStack +

-

Enterprise-ready SIEM and XDR powered by Real-Time correlation and Threat Intelligence

+[![Contributors](https://img.shields.io/github/contributors-anon/utmstack/utmstack)](https://github.com/utmstack/UTMStack/graphs/contributors) +[![Release](https://img.shields.io/github/release/utmstack/utmstack)](https://github.com/utmstack/UTMStack/releases/) +[![Issues](https://img.shields.io/github/issues-raw/utmstack/utmstack)](https://github.com/utmstack/UTMStack/issues) +[![Commit Activity](https://img.shields.io/github/commit-activity/m/utmstack/utmstack)](https://github.com/utmstack/UTMStack/commits/main) +[![License](https://img.shields.io/github/license/ad-aures/castopod?color=blue)](https://github.com/utmstack/UTMStack/blob/master/LICENSE) +[![Discord](https://img.shields.io/discord/1154016563775672400.svg?logo=discord)](https://discord.gg/ZznvZ8xcHh) -## Introduction +#### Enterprise-ready SIEM and XDR powered by Real-Time correlation and Threat Intelligence -Welcome to the UTMStack open-source project! UTMStack is a unified threat management platform that merges SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) technologies. Our unique approach allows real-time correlation of log data, threat intelligence, and malware activity patterns from multiple sources, enabling the identification and halting of complex threats that use stealthy techniques. Visit an [online demo here.](https://utmstack.com/demo) +## Introduction -We have a [dedicated repository](https://github.com/utmstack/rules) for correlation rules, contributors are welcome to submit a pull request. +Welcome to the UTMStack open-source project! UTMStack is a unified threat management platform that merges SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) technologies. Our unique approach allows real-time correlation of log data, threat intelligence, and malware activity patterns from multiple sources, enabling the identification and halting of complex threats that use stealthy techniques. 
Visit an [online demo here.](https://utmstack.com/demo) -

-UTMStack UTMStack

+

+ + UTMStack + + + UTMStack + +

## Features @@ -33,7 +38,6 @@ We have a [dedicated repository](https://github.com/utmstack/rules) for correla - SOC AI-Powered Analysis - Security Compliance - ## Why UTMStack? UTMStack stands out in threat prevention by surpassing the boundaries of traditional systems. Our software platform can swiftly analyze log data to identify and halt threats at their source in real-time, even if the threat was not directly detected on the server itself. This seamless integration of SIEM and XDR capabilities sets UTMStack apart from competitors, providing organizations with an effective, holistic cybersecurity suite that enhances threat detection, response, and remediation across clients’ valuable digital infrastructure. Correlation happens before data ingestion, reducing workload and improving response times. @@ -80,7 +84,7 @@ Definitions: - Cold log storage: archived data that should be restored before accessing it. - Data source: any individual source of logs, for example, devices, agents, SaaS integrations. -Resources needed for one month of hot log storage. +Required resources for one month of hot log storage. - For 50 data sources (120 GB) of hot log storage you will need 4 Cores, 16 GB RAM, 150 GB Disk Space - For 120 data sources (250 GB) of hot log storage you will need 8 Cores, 16 GB RAM, 250 GB Disk Space - For 240 data sources (500 GB) of hot log storage you will need 16 Cores, 32 GB RAM, 500 GB Disk Space 
@@ -109,16 +113,16 @@ Once UTMStack is installed, use admin as the user and the password generated dur Note: Use HTTPS in front of your server name or IP to access the login page. ### Required ports -- 22/TCP Secure Shell (We recommend to create a firewall rule to allow it only from admin workstation) -- 80/TCP UTMStack Web-based Graphical User Interface Redirector (We recommend to create a firewall rule to allow it only from admin and security analyst workstations) -- 443/TCP UTMStack Web-based Graphical User Interface (We recommend to create a firewall rule to allow it only from admin and security analyst workstations) -- 9090/TCP Cockpit Web-based Graphical Interface for Servers (We recommend to create a firewall rule to allow it only from admin workstation) -- Others ports will be required during the configuration of UTMStack's integrations in order to receive logs. (Please follow the security recommendations given on the integration guide if exists) +- 22/TCP Secure Shell (We recommend creating a firewall rule to allow it only from admins workstations) +- 80/TCP UTMStack Web-based Graphical User Interface Redirector (We recommend creating a firewall rule to allow it only from admin and security analyst workstations) +- 443/TCP UTMStack Web-based Graphical User Interface (We recommend creating a firewall rule to allow it only from admin and security analyst workstations) +- 9090/TCP Cockpit Web-based Graphical Interface for Servers (We recommend creating a firewall rule to allow it only from admin workstation) +- Others ports will be required during the configuration of UTMStack's integrations to receive logs. (Please follow the security recommendations given on the integration guide if exists) # FAQ - Is this based on Grafana, Kibana, or a similar reporting tool? Answer: It is not. UTMStack has been built from the ground up to be a simple and intuitive SIEM/XDR. - Does UTMStack use ELK for log correlation? Answer: It does not. 
UTMStack correlation engine was built from scratch to analyze data before ingestion and maximize real-time correlation. -- What is the difference between the Open Source and Enterprise version? +- What is the difference between the Open Source and Enterprise versions? The enterprise version includes features that would typically benefit enterprises and MSPs. For example, support, faster correlation, frequent threat intelligence updates, and Artificial Intelligence. diff --git a/agent/updater/utils/download.go b/agent/updater/utils/download.go index abc0fd120..b8c223447 100644 --- a/agent/updater/utils/download.go +++ b/agent/updater/utils/download.go @@ -18,11 +18,12 @@ func DownloadFile(url string, headers map[string]string, fileName string, path s req.Header.Add(key, value) } - client := &http.Client{} - client.Transport = &http.Transport{ + tr := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTlsVerification}, DisableCompression: true, } + client := &http.Client{Transport: tr} + defer tr.CloseIdleConnections() resp, err := client.Do(req) if err != nil { diff --git a/agent/utils/download.go b/agent/utils/download.go index db558f2b7..b8c223447 100644 --- a/agent/utils/download.go +++ b/agent/utils/download.go @@ -18,11 +18,12 @@ func DownloadFile(url string, headers map[string]string, fileName string, path s req.Header.Add(key, value) } - client := &http.Client{} - client.Transport = &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTlsVerification}, + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTlsVerification}, DisableCompression: true, } + client := &http.Client{Transport: tr} + defer tr.CloseIdleConnections() resp, err := client.Do(req) if err != nil { diff --git a/agent/utils/req.go b/agent/utils/req.go index d0ed278dd..a7d0dfa5d 100644 --- a/agent/utils/req.go +++ b/agent/utils/req.go 
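Review bot: The client built on `client := &http.Client{Transport: tr}` has no Timeout, so a stalled or slow-dripping update server can block the agent's download indefinitely; the same applies to the identical hunk in agent/utils/download.go and to DoReq in agent/utils/req.go. A deadline such as `client := &http.Client{Transport: tr, Timeout: 5 * time.Minute}` (importing time if the file does not already) or a context with a timeout on the request bounds that. Since the transport is now created per call and its idle connections are closed on return, there is no connection reuse across calls, which is acceptable for an updater but deserves a comment like `// fresh transport per download; idle connections are released when this call returns`. The transport still honors `skipTlsVerification` as it did before this change; a log line when that flag is enabled would make the weakened verification visible in the agent's output. DownloadFile's body begins before and continues after this hunk.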
@@ -21,10 +21,11 @@ func DoReq[response any](url string, data []byte, method string, headers map[str req.Header.Add(k, v) } - client := &http.Client{} - client.Transport = &http.Transport{ + tr := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTlsVerification}, } + client := &http.Client{Transport: tr} + defer tr.CloseIdleConnections() resp, err := client.Do(req) if err != nil { diff --git a/agent/version.json b/agent/version.json index 6bbff213a..685be4c14 100644 --- a/agent/version.json +++ b/agent/version.json @@ -1,4 +1,4 @@ { - "version": "11.1.1", - "updater_version": "1.0.0" + "version": "11.1.3", + "updater_version": "1.0.2" } diff --git a/backend/src/main/java/com/park/utmstack/config/OpenApiConfiguration.java b/backend/src/main/java/com/park/utmstack/config/OpenApiConfiguration.java index dd1414d6d..f3fcba61e 100644 --- a/backend/src/main/java/com/park/utmstack/config/OpenApiConfiguration.java +++ b/backend/src/main/java/com/park/utmstack/config/OpenApiConfiguration.java @@ -34,7 +34,7 @@ public OpenAPI customOpenAPI() { .addList(securitySchemeApiInternalKey) .addList(securitySchemeApiKey)) .components(new Components() - .addSecuritySchemes(securitySchemeBearer, + /*.addSecuritySchemes(securitySchemeBearer, new SecurityScheme() .name(securitySchemeBearer) .type(SecurityScheme.Type.HTTP) @@ -43,7 +43,7 @@ public OpenAPI customOpenAPI() { .addSecuritySchemes(securitySchemeApiInternalKey, new SecurityScheme() .name("Utm-Internal-Key") .type(SecurityScheme.Type.APIKEY) - .in(SecurityScheme.In.HEADER)) + .in(SecurityScheme.In.HEADER))*/ .addSecuritySchemes(securitySchemeApiKey, new SecurityScheme() .name(Constants.API_KEY_HEADER) .type(SecurityScheme.Type.APIKEY) diff --git a/backend/src/main/java/com/park/utmstack/config/RestTemplateConfiguration.java b/backend/src/main/java/com/park/utmstack/config/RestTemplateConfiguration.java index 5af8523ff..b08dc1764 100644 
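Review bot: Commenting out the `securitySchemeBearer` and `securitySchemeApiInternalKey` scheme definitions leaves the `.addList(securitySchemeApiInternalKey)` requirement a few lines above still pointing at a scheme the Components no longer declares, so the generated OpenAPI document references an undefined security scheme. Either remove that `.addList(...)` as well or keep the internal-key scheme registered. The commented-out block should be deleted rather than left in source; version control keeps the history. customOpenAPI() extends beyond both hunks.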
--- a/backend/src/main/java/com/park/utmstack/config/RestTemplateConfiguration.java +++ b/backend/src/main/java/com/park/utmstack/config/RestTemplateConfiguration.java @@ -5,6 +5,7 @@ import org.apache.http.conn.ssl.TrustStrategy; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; +import org.jetbrains.annotations.NotNull; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.context.annotation.Bean; @@ -44,7 +45,7 @@ public RestTemplate rawRestTemplate() { RestTemplate rest = new RestTemplate(); rest.setErrorHandler(new DefaultResponseErrorHandler() { @Override - public boolean hasError(ClientHttpResponse response) { + public boolean hasError(@NotNull ClientHttpResponse response) { return false; } }); diff --git a/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java b/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java index 63811ffdd..7efc54cb9 100644 --- a/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java +++ b/backend/src/main/java/com/park/utmstack/domain/application_modules/validators/impl/ModuleConfigurationValidator.java @@ -32,7 +32,7 @@ public boolean isValid(GroupConfigurationDTO dto, ConstraintValidatorContext con return module.validateConfiguration(utmModule, dto.getKeys()); } catch (Exception e) { context.disableDefaultConstraintViolation(); - context.buildConstraintViolationWithTemplate("Invalid configuration for selected module.") + context.buildConstraintViolationWithTemplate(e.getMessage()) .addPropertyNode("keys") .addConstraintViolation(); return false; 
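Review bot: `context.buildConstraintViolationWithTemplate(e.getMessage())` feeds text that originates from the module validation call (and, through the reworked ModuleConfigurationValidationService, from an external provider's error body) into a constraint message template, which the validator interpolates, including `${...}` expression-language syntax when Hibernate Validator is the provider (Spring Boot's default). Keep the template fixed and attach the text as a parameter instead, e.g. `context.unwrap(HibernateConstraintValidatorContext.class).addMessageParameter("cause", e.getMessage()).buildConstraintViolationWithTemplate("Invalid configuration for selected module: {cause}")`, and confirm on the Hibernate Validator version in use that parameter values are not re-interpolated; failing that, escape `{`, `}` and `$` in the message before passing it. This also bounds how much raw exception detail reaches the API client. isValid's body starts before the hunk.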
diff --git a/backend/src/main/java/com/park/utmstack/repository/datainput_ingestion/UtmDataInputStatusRepository.java b/backend/src/main/java/com/park/utmstack/repository/datainput_ingestion/UtmDataInputStatusRepository.java index 4cf0c3c0f..47be50866 100644 --- a/backend/src/main/java/com/park/utmstack/repository/datainput_ingestion/UtmDataInputStatusRepository.java +++ b/backend/src/main/java/com/park/utmstack/repository/datainput_ingestion/UtmDataInputStatusRepository.java @@ -47,9 +47,19 @@ public interface UtmDataInputStatusRepository extends JpaRepository findDataSourcesToConfigure(@Param("dataType") String dataType); + + Optional findByDataType(String dataType); Optional findBySourceAndDataType(String source, String dataType); diff --git a/backend/src/main/java/com/park/utmstack/service/UtmDataInputStatusService.java b/backend/src/main/java/com/park/utmstack/service/UtmDataInputStatusService.java index f21e5a1c9..7bbd975f6 100644 --- a/backend/src/main/java/com/park/utmstack/service/UtmDataInputStatusService.java +++ b/backend/src/main/java/com/park/utmstack/service/UtmDataInputStatusService.java @@ -485,14 +485,14 @@ private Map getLatestStatisticsByDataSource() { } }); - Instant lastTimestamp = result.values().stream() + Optional maybeLastTimestamp = result.values().stream() .map(doc -> Instant.parse(doc.getTimestamp())) - .max(Instant::compareTo) - .orElse(Instant.now()); + .max(Instant::compareTo); - checkpoint.setLastProcessedTimestamp(lastTimestamp); - - this.checkpointRepository.save(checkpoint); + if (maybeLastTimestamp.isPresent()) { + checkpoint.setLastProcessedTimestamp(maybeLastTimestamp.get()); + this.checkpointRepository.save(checkpoint); + } return result; } diff --git a/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java b/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java index 1311b5f4d..d8d00387c 100644 
--- a/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java +++ b/backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java @@ -62,7 +62,7 @@ public UtmModule updateConfigurationKeys(Long moduleId, List 0) || (activationStatus && moduleInstancesActives > 1)) return; - filters.forEach(filter -> filter.setActive(activationStatus)); + filters.forEach(filter -> { + filter.setActive(activationStatus); + filter.setUpdatedAt(Instant.now()); + }); logstashFilterService.saveAll(filters); } else { return; diff --git a/backend/src/main/java/com/park/utmstack/service/application_modules/connectors/ModuleConfigurationValidationService.java b/backend/src/main/java/com/park/utmstack/service/application_modules/connectors/ModuleConfigurationValidationService.java index 9c9ca1124..c34c15cbc 100644 --- a/backend/src/main/java/com/park/utmstack/service/application_modules/connectors/ModuleConfigurationValidationService.java +++ b/backend/src/main/java/com/park/utmstack/service/application_modules/connectors/ModuleConfigurationValidationService.java @@ -1,6 +1,9 @@ package com.park.utmstack.service.application_modules.connectors; +import com.fasterxml.jackson.databind.JsonNode; import com.park.utmstack.config.Constants; +import com.park.utmstack.service.dto.application_modules.ModuleConfigValidationErrorMapper; +import com.park.utmstack.service.dto.application_modules.ModuleConfigValidationErrorResponse; import com.park.utmstack.service.dto.application_modules.UtmModuleGroupConfWrapperDTO; import com.park.utmstack.service.web_clients.rest_template.RestTemplateService; import com.park.utmstack.util.exceptions.ApiException; 
@@ -24,44 +27,61 @@ public class ModuleConfigurationValidationService { public boolean validateModuleConfiguration(String module, UtmModuleGroupConfWrapperDTO configurations) { final String ctx = CLASSNAME + ".ModuleConfigurationValidationService"; + HttpHeaders headers = new HttpHeaders(); headers.add("Content-Type", "application/json"); headers.add("Accept", "*/*"); headers.set(Constants.EVENT_PROCESSOR_INTERNAL_KEY_HEADER, System.getenv(Constants.ENV_INTERNAL_KEY)); - String baseUrl = "http://" + System.getenv(Constants.ENV_EVENT_PROCESSOR_HOST) + ":" + System.getenv(Constants.ENV_EVENT_PROCESSOR_PORT); + String baseUrl = "http://" + System.getenv(Constants.ENV_EVENT_PROCESSOR_HOST) + ":" + System.getenv(Constants.ENV_EVENT_PROCESSOR_PORT); String endPoint = baseUrl + "/api/v1/modules-config/validate?nameShort=" + module; - try{ - ResponseEntity response = restTemplateService.post( - endPoint, - configurations, - String.class, - headers - ); - - if (!response.getStatusCode().is2xxSuccessful()) { - List errors = response.getHeaders().get("X-UtmStack-error"); - String errorMessage = (errors != null && !errors.isEmpty()) - ? String.join(", ", errors) - : "Unknown error occurred during module configuration validation."; - - log.error("{}: Module configuration validation failed for module: {} with status: {}. Cause: {}", - ctx, module, response.getStatusCode(), errorMessage); - throw new ApiException( - String.format("Module configuration validation failed for module: %s. 
Cause: %s", module, errorMessage), - response.getStatusCode() - ); + + ResponseEntity response = restTemplateService.postRaw( + endPoint, + configurations, + JsonNode.class, + headers + ); + + JsonNode body = response.getBody(); + + if (response.getStatusCode().is2xxSuccessful() && body != null && body.has("status")) { + return true; + } + + if (body != null && body.has("error")) { + String errorText = body.get("error").asText(); + + if (errorText.contains("{\"meta\"")) { + ModuleConfigValidationErrorResponse structured = ModuleConfigValidationErrorMapper.parse(errorText); + + if (structured != null) { + String traceId = structured.getMeta().getTraceId(); + String message = structured.getErrors().get(0).getMessage(); + + log.error("{}: External provider validation failed for module {}. TraceId: {}. Message: {}", + ctx, module, traceId, message); + + throw new ApiException( + "External provider validation failed: " + message + " (traceId=" + traceId + ")", + HttpStatus.UNAUTHORIZED + ); + } } - return true; + log.error("{}: Module configuration validation failed for module {}. Cause: {}", + ctx, module, errorText); - } catch (ApiException e) { - throw e; - } catch (Exception e) { - log.error("{}: An error occurred while validating module configuration for module: {}. Cause: {}", - ctx, module, e.getMessage(), e); - throw new ApiException("An error occurred while validating module configuration", HttpStatus.INTERNAL_SERVER_ERROR); + throw new ApiException(errorText, HttpStatus.BAD_REQUEST); } + + log.error("{}: Unexpected response validating module {}.", ctx, module); + throw new ApiException( + String.format("%s: Unexpected response validating module %s.", ctx, module), + HttpStatus.INTERNAL_SERVER_ERROR + ); } + + } diff --git a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java b/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java deleted file mode 100644 index 0beccfa66..000000000 
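Review bot: `structured.getErrors().get(0).getMessage()` and `structured.getMeta().getTraceId()` dereference fields the mapper fills only if the provider body happens to contain them; an absent or empty `errors` array makes this method throw NullPointerException or IndexOutOfBoundsException instead of the intended ApiException. Guard them, e.g. `if (structured != null && structured.getMeta() != null && structured.getErrors() != null && !structured.getErrors().isEmpty())`. The try/catch that mapped transport failures to an INTERNAL_SERVER_ERROR ApiException was dropped, so if postRaw throws on a connection error the way RestTemplate does, that exception now propagates raw to the caller — worth confirming the controller layer handles it. The provider's error text is also relayed verbatim in `throw new ApiException(errorText, HttpStatus.BAD_REQUEST);`; consider whether that body should reach end users unfiltered.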
--- a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceFileResponse.java +++ /dev/null @@ -1,17 +0,0 @@ -package com.park.utmstack.service.compliance; - -import lombok.Builder; -import lombok.Data; - -@Data -@Builder -public class ComplianceFileResponse { - // Success fields - private byte[] pdfBytes; - - // Error fields - private boolean error; - private String message; - private String details; -} - diff --git a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceMailService.java b/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceMailService.java index b553d14ba..4567fc274 100644 --- a/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceMailService.java +++ b/backend/src/main/java/com/park/utmstack/service/compliance/ComplianceMailService.java 
@@ -1,46 +1,56 @@ package com.park.utmstack.service.compliance; import com.park.utmstack.service.MailService; +import com.park.utmstack.service.dto.web_pdf.PdfServiceResponse; import com.park.utmstack.service.util.PdfService; +import lombok.RequiredArgsConstructor; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; -import org.springframework.transaction.annotation.Transactional; import java.time.Clock; import java.time.Instant; -/** - * Service Implementation for managing Compliance PDF Delivery. - */ @Service -@Transactional +@RequiredArgsConstructor public class ComplianceMailService { - private final Logger log = LoggerFactory.getLogger(ComplianceMailService.class); + + private static final Logger log = LoggerFactory.getLogger(ComplianceMailService.class); private static final String CLASSNAME = "ComplianceMailService"; + private final MailService mailService; private final PdfService pdfService; - public ComplianceMailService(MailService mailService, - PdfService pdfService) { - this.mailService = mailService; - this.pdfService = pdfService; - } - - /** - * Method to generate dashboard in PDF format and send via email - */ - public void sendComplianceByMail(String url, String userEmail) throws Exception { + public void sendComplianceByMail(String url, String userEmail) { final String ctx = CLASSNAME + ".sendComplianceByMail"; String accessKey = System.getenv("INTERNAL_KEY"); - byte[] pdfInBytes = pdfService.getPdf(url, accessKey,PdfService.PdfAccessTypes.PDF_TYPE_INTERNAL.get()); - if (pdfInBytes != null && pdfInBytes.length > 0) { - mailService.sendComplianceReportEmail(userEmail, "UTMStack Compliance Report Delivery" - , "This is a scheduled email delivery of a Compliance Report, please do not answer this email. 
", - "Compliance_Report_" + Instant.now(Clock.systemUTC()) + ".pdf", pdfInBytes); - } else { - log.error(ctx + ": We couldn't send the email, reason: No data returned from PDF service"); + + if (accessKey == null || accessKey.isBlank()) { + log.error("{}: INTERNAL_KEY environment variable is missing", ctx); + return; } + + PdfServiceResponse response = + pdfService.downloadPdf(url, accessKey, PdfService.PdfAccessTypes.PDF_TYPE_INTERNAL.get()); + + if (response.getPdfBytes() == null || response.getPdfBytes().length == 0) { + log.error("{}: PDF service returned empty content for URL {}", ctx, url); + return; + } + + String filename = "Compliance_Report_" + Instant.now(Clock.systemUTC()) + ".pdf"; + + mailService.sendComplianceReportEmail( + userEmail, + "UTMStack Compliance Report Delivery", + "This is a scheduled email delivery of a Compliance Report, please do not answer this email.", + filename, + response.getPdfBytes() + ); + + log.info("{}: Email successfully sent to {}", ctx, userEmail); + } } + diff --git a/backend/src/main/java/com/park/utmstack/service/compliance/UtmComplianceReportScheduleService.java b/backend/src/main/java/com/park/utmstack/service/compliance/UtmComplianceReportScheduleService.java index 9e98a4cd3..67a09fd7e 100644 --- a/backend/src/main/java/com/park/utmstack/service/compliance/UtmComplianceReportScheduleService.java +++ b/backend/src/main/java/com/park/utmstack/service/compliance/UtmComplianceReportScheduleService.java 
@@ -11,12 +11,14 @@ import com.park.utmstack.service.UserService; import com.park.utmstack.service.application_events.ApplicationEventService; import com.park.utmstack.service.dto.compliance.UtmComplianceReportScheduleCriteria; +import com.park.utmstack.util.exceptions.ApiException; import com.park.utmstack.web.rest.errors.BadRequestAlertException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.data.domain.Page; import org.springframework.data.domain.Pageable; import org.springframework.data.jpa.domain.Specification; +import org.springframework.http.HttpStatus; import org.springframework.scheduling.annotation.Scheduled; import org.springframework.scheduling.support.CronExpression; import org.springframework.stereotype.Service; @@ -128,7 +130,7 @@ public Optional findByComplianceReportValues(UtmCom log.debug("Request to get UtmComplianceReportSchedule : {}", reportSchedule); User user = userService.getCurrentUserLogin(); return utmComplianceReportScheduleRepository.findFirstByUserIdAndComplianceIdAndScheduleString(user.getId(), - reportSchedule.getComplianceId(),reportSchedule.getScheduleString()); + reportSchedule.getComplianceId(), reportSchedule.getScheduleString()); } /** 
@@ -144,31 +146,43 @@ public void delete(Long id) { /** * Scheduled method to execute the compliance report pdf generation and email delivery - * */ + * + */ @Scheduled(fixedDelay = 5000, initialDelay = 30000) public void scheduleComplianceReport() { - final String ctx = CLASSNAME + ".scheduleComplianceReport"; List schedulesList = findAll(); + schedulesList.forEach(this::processSchedule); + + } + + private void processSchedule(UtmComplianceReportSchedule schedule) { + + Optional userOpt = userService.getUserWithAuthorities(schedule.getUserId()); + + if (userOpt.isEmpty()) { + log.error("Schedule {} skipped: user {} not found", schedule.getId(), schedule.getUserId()); + return; + } + + User user = userOpt.get(); + + Instant now = Instant.now(Clock.systemUTC()); + Instant next = getNext(schedule.getScheduleString(), schedule.getLastExecutionTime(), now); + + if (!isTimeToExecute(next, now)) { + return; + } + + complianceMailService.sendComplianceByMail(schedule.getUrlWithParams(), user.getEmail()); + markExecuted(schedule, next); - schedulesList.forEach(current -> { - Optional user = userService.getUserWithAuthorities(current.getUserId()); - try { - Instant currentDate = Instant.now(Clock.systemUTC()); - Instant next = getNext(current.getScheduleString(), current.getLastExecutionTime(), currentDate); - if (isTimeToExecute(next, currentDate)) { - // Set the next execution time (Base time seed) - current.setLastExecutionTime(next); - utmComplianceReportScheduleRepository.save(current); - complianceMailService.sendComplianceByMail(current.getUrlWithParams(), user.get().getEmail()); - } - - } catch (Exception e) { - String msg = ctx + ": " + e.getLocalizedMessage(); - log.error(msg); - applicationEventService.createEvent(msg, ApplicationEventType.ERROR); - } - }); + } + + @Transactional + public void markExecuted(UtmComplianceReportSchedule schedule, Instant next) { + schedule.setLastExecutionTime(next); + utmComplianceReportScheduleRepository.save(schedule); } /*** 
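Review bot: `processSchedule` has no exception handling, so one schedule whose `getScheduleString()` fails `CronExpression.parse` inside getNext (IllegalArgumentException) or whose mail delivery throws aborts the whole `schedulesList.forEach`, skipping the remaining schedules on every tick, while the previous error path that recorded an ApplicationEventType.ERROR event is gone. The order also changed: the schedule is now marked executed only after the mail is sent, so a failing send retries every 5 seconds rather than once per cron slot — acceptable only if the send is idempotent and the noise is wanted. `markExecuted` is annotated `@Transactional` but invoked through `this`, which bypasses the Spring proxy, so the annotation has no effect here. A per-schedule catch that restores the event record is sketched below (assuming the applicationEventService field is still present on the class).
```java
private void processSchedule(UtmComplianceReportSchedule schedule) {
    final String ctx = CLASSNAME + ".processSchedule";
    try {
        // … unchanged: user lookup, getNext / isTimeToExecute guard …
        complianceMailService.sendComplianceByMail(schedule.getUrlWithParams(), user.getEmail());
        markExecuted(schedule, next);
    } catch (Exception e) {
        // one bad schedule must not starve the others on this tick
        String msg = ctx + ": schedule " + schedule.getId() + ": " + e.getLocalizedMessage();
        log.error(msg);
        applicationEventService.createEvent(msg, ApplicationEventType.ERROR);
    }
}
```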
@@ -180,7 +194,8 @@ private boolean isTimeToExecute(Instant next, Instant currentDate) { /** * Method to know the next valid Instant to execute the task, even if the system was shut down for a while - * */ + * + */ private Instant getNext(String cronExpresion, Instant lastExecution, Instant currentDate) { CronExpression parse = CronExpression.parse(cronExpresion); Instant possibleNext = Objects.requireNonNull(parse.next(lastExecution.atZone(ZoneOffset.UTC))).toInstant(); @@ -194,7 +209,7 @@ private Instant getNext(String cronExpresion, Instant lastExecution, Instant cur // near next execution to avoid extra executions, because the general scheduler that calls these methods, // is every 5 seconds Long diffBetweenCurrentAndPossibleNext = currentSecs - possibleNext.getEpochSecond(); - Integer rate = Long.valueOf(diffBetweenCurrentAndPossibleNext/diffBetweenLastAndNext).intValue(); + Integer rate = Long.valueOf(diffBetweenCurrentAndPossibleNext / diffBetweenLastAndNext).intValue(); Instant resultNext = lastExecution.atZone(ZoneOffset.UTC).toInstant().plusSeconds(diffBetweenLastAndNext * rate); return resultNext.atZone(ZoneOffset.UTC).toInstant(); } @@ -205,7 +220,7 @@ private Specification createSpecification(UtmCompli User user = userService.getCurrentUserLogin(); Specification specification = Specification.where((root, query, criteriaBuilder) -> - criteriaBuilder.equal(root.get("userId"), user.getId())); + criteriaBuilder.equal(root.get("userId"), user.getId())); if (criteria != null) { if (criteria.getName() != null) { specification = specification.and(buildSpecification(criteria.getName(), diff --git a/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java b/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java index 6ae4c80b6..97033db62 100644 --- a/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java 
+++ b/backend/src/main/java/com/park/utmstack/service/correlation/rules/UtmCorrelationRulesService.java @@ -125,6 +125,7 @@ public void setRuleActivation(Long ruleId, boolean setActive) throws Exception { .orElseThrow(() -> new RuntimeException(ctx + ": The rule you're trying to activate or deactivate is not present in database.")); try { rule.setRuleActive(setActive); + rule.setRuleLastUpdate(Instant.now()); this.utmCorrelationRulesRepository.save(rule); } catch (Exception ex) { throw new RuntimeException(ctx + ": An error occurred while adding a rule.", ex); diff --git a/backend/src/main/java/com/park/utmstack/service/dto/application_modules/CSError.java b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/CSError.java new file mode 100644 index 000000000..901eab291 --- /dev/null +++ b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/CSError.java @@ -0,0 +1,9 @@ +package com.park.utmstack.service.dto.application_modules; + +import lombok.Data; + +@Data +public class CSError { + private int code; + private String message; +} diff --git a/backend/src/main/java/com/park/utmstack/service/dto/application_modules/Meta.java b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/Meta.java new file mode 100644 index 000000000..940645656 --- /dev/null +++ b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/Meta.java @@ -0,0 +1,9 @@ +package com.park.utmstack.service.dto.application_modules; + +import com.fasterxml.jackson.annotation.JsonProperty; +import lombok.Data; + +@Data +public class Meta { + @JsonProperty("trace_id") private String traceId; +} diff --git a/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorMapper.java b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorMapper.java new file mode 100644 index 000000000..9ec10ea1d --- /dev/null 
+++ b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorMapper.java @@ -0,0 +1,25 @@ +package com.park.utmstack.service.dto.application_modules; + +import com.fasterxml.jackson.databind.ObjectMapper; + +public class ModuleConfigValidationErrorMapper { + + private static final ObjectMapper mapper = new ObjectMapper(); + + public static ModuleConfigValidationErrorResponse parse(String errorText) { + try { + ObjectMapper mapper = new ObjectMapper(); + + int start = errorText.indexOf("{\"meta\""); + if (start == -1) return null; + + String innerJson = errorText.substring(start); + + return mapper.readValue(innerJson, ModuleConfigValidationErrorResponse.class); + + } catch (Exception e) { + return null; + } + } + +} diff --git a/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorResponse.java b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorResponse.java new file mode 100644 index 000000000..eb7fa8604 --- /dev/null +++ b/backend/src/main/java/com/park/utmstack/service/dto/application_modules/ModuleConfigValidationErrorResponse.java @@ -0,0 +1,13 @@ +package com.park.utmstack.service.dto.application_modules; + +import lombok.Data; + +import java.util.List; + +@Data +public class ModuleConfigValidationErrorResponse { + private Meta meta; + private List errors; +} + + diff --git a/backend/src/main/java/com/park/utmstack/service/logstash_filter/UtmLogstashFilterService.java b/backend/src/main/java/com/park/utmstack/service/logstash_filter/UtmLogstashFilterService.java index f3d7e5b67..4afb5dd94 100644 --- a/backend/src/main/java/com/park/utmstack/service/logstash_filter/UtmLogstashFilterService.java +++ b/backend/src/main/java/com/park/utmstack/service/logstash_filter/UtmLogstashFilterService.java 
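Review bot: `ObjectMapper mapper = new ObjectMapper();` inside `parse` shadows the static `mapper` field declared above it, so a new ObjectMapper is built on every call and the field is never used; drop the local and let `return mapper.readValue(innerJson, ModuleConfigValidationErrorResponse.class);` use the shared instance. `catch (Exception e) { return null; }` hides why a provider payload failed to parse, which is exactly what a support engineer needs when the caller then reports only the raw error text; at minimum log it at debug level with the exception. `errorText.substring(start)` keeps everything after the first `{"meta"`, so any trailing text after the JSON object makes readValue fail and take that silent path as well. A Javadoc line stating that the method returns null when the text holds no parseable structured error would document the contract the caller relies on.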
@@ -6,6 +6,7 @@ import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; +import java.time.Instant; import java.util.List; import java.util.Optional; @@ -36,6 +37,7 @@ public UtmLogstashFilterService(UtmLogstashFilterRepository logstashFilterReposi public UtmLogstashFilter save(UtmLogstashFilter logstashFilter) { final String ctx = CLASSNAME + ".save"; try { + logstashFilter.setUpdatedAt(Instant.now()); logstashFilter.setSystemOwner(false); return logstashFilterRepository.save(logstashFilter); } catch (Exception e) { diff --git a/backend/src/main/java/com/park/utmstack/service/util/PdfService.java b/backend/src/main/java/com/park/utmstack/service/util/PdfService.java index 5441694b0..758ef9d5f 100644 --- a/backend/src/main/java/com/park/utmstack/service/util/PdfService.java +++ b/backend/src/main/java/com/park/utmstack/service/util/PdfService.java @@ -1,11 +1,10 @@ package com.park.utmstack.service.util; import com.park.utmstack.config.Constants; -import com.park.utmstack.service.compliance.ComplianceFileResponse; import com.park.utmstack.service.dto.web_pdf.PdfServiceResponse; -import com.park.utmstack.service.federation_service.UtmFederationServiceClientService; import com.park.utmstack.service.web_clients.rest_template.RestTemplateService; import com.park.utmstack.util.exceptions.ApiException; +import lombok.RequiredArgsConstructor; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.HttpStatus; 
@@ -14,66 +13,17 @@ import org.springframework.transaction.annotation.Transactional; import org.springframework.web.util.UriComponentsBuilder; -import java.util.Objects; - /** * Service Implementation for PDF generation. */ @Service +@RequiredArgsConstructor @Transactional public class PdfService { private final Logger log = LoggerFactory.getLogger(PdfService.class); private static final String CLASSNAME = "PdfService"; - private final UtmFederationServiceClientService fsService; private final RestTemplateService restTemplateService; - private final String COMPLIANCE_EXPORT_URL = "/dashboard/export-compliance/"; - - public PdfService(UtmFederationServiceClientService fsService, - RestTemplateService restTemplateService) { - this.fsService = fsService; - this.restTemplateService = restTemplateService; - } - - /** - * Get pdf report in bytes array. - * - * @param url the url of the compliance report. - * @return the pdf report in bytes array. - */ - @Transactional(readOnly = true) - public ResponseEntity getPdfReportByUrlInBytes(String url, String accessKey, String accessType) throws Exception{ - log.debug("Request to get UtmComplianceReportSchedule : {}", url); - return ResponseEntity.ok().body(getPdf(Constants.FRONT_BASE_URL + url, accessKey, accessType)); - } - - /** - * Method to get pdf in bytes - */ - public byte[] getPdf(String url, String accessKey, String accessType) throws Exception { - final String ctx = CLASSNAME + ".getPdf"; - - String urlService = UriComponentsBuilder.fromUriString(Constants.PDF_SERVICE_URL) - .queryParam("baseUrl", Constants.FRONT_BASE_URL) - .queryParam("url", url) - .queryParam("accessKey", accessKey) - .queryParam("accessType", accessType) - .build().toUriString(); - - ResponseEntity rs = restTemplateService.get(urlService, ComplianceFileResponse.class); - log.info("Requesting PDF creation to URL : {}", Constants.PDF_SERVICE_URL + "?url=" + url); - if (!rs.getStatusCode().is2xxSuccessful()) { - log.error(ctx + ": {}", 
restTemplateService.extractErrorMessage(rs)); - } else { - byte[] pdfInBytes = Objects.requireNonNull(rs.getBody()).getPdfBytes(); - if (pdfInBytes != null && pdfInBytes.length > 0) { - return pdfInBytes; - } else { - log.error(ctx + ": We couldn't generate the pdf, reason: No data returned from PDF service"); - } - } - return null; - } public PdfServiceResponse downloadPdf(String url, String accessKey, String accessType) { final String ctx = CLASSNAME + ".getPdf"; diff --git a/backend/src/main/java/com/park/utmstack/service/web_clients/rest_template/RestTemplateService.java b/backend/src/main/java/com/park/utmstack/service/web_clients/rest_template/RestTemplateService.java index 3cdbfa5be..233249c3b 100644 --- a/backend/src/main/java/com/park/utmstack/service/web_clients/rest_template/RestTemplateService.java +++ b/backend/src/main/java/com/park/utmstack/service/web_clients/rest_template/RestTemplateService.java @@ -54,6 +54,10 @@ public ResponseEntity getRaw(String url, Class type) { return rawRestTemplate.exchange(url, HttpMethod.GET, requestEntity, type); } + public ResponseEntity postRaw(String url, T body, Class type, HttpHeaders headers) { + HttpEntity requestEntity = new HttpEntity<>(body, headers); + return rawRestTemplate.exchange(url, HttpMethod.POST, requestEntity, type); + } public ResponseEntity get(String url, Class type, HttpHeaders headers) throws Exception { final String ctx = CLASSNAME + ".get"; diff --git a/backend/src/main/java/com/park/utmstack/web/rest/logstash_filter/UtmFilterResource.java b/backend/src/main/java/com/park/utmstack/web/rest/logstash_filter/UtmFilterResource.java index b43929aa7..12060773c 100644 --- a/backend/src/main/java/com/park/utmstack/web/rest/logstash_filter/UtmFilterResource.java +++ b/backend/src/main/java/com/park/utmstack/web/rest/logstash_filter/UtmFilterResource.java 
@@ -72,7 +72,7 @@ public ResponseEntity createLogstashFilter(@Valid @RequestBod // If you provide a pipelineId we create relation, otherwise only create the filter if (pipelineId!=null) { Optional pipeline = pipelineService.findOne(pipelineId); - if (!pipeline.isPresent()) { + if (pipeline.isEmpty()) { throw new Exception("The pipeline with ID (" + pipelineId + ") not exists"); } UtmLogstashFilter filter = logstashFilterService.save(logstashFilter); diff --git a/backend/src/main/resources/config/liquibase/changelog/20260129002_update_filter_pfsense.xml b/backend/src/main/resources/config/liquibase/changelog/20260129002_update_filter_pfsense.xml new file mode 100644 index 000000000..9316b44d6 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260129002_update_filter_pfsense.xml 
@@ -0,0 +1,372 @@ + + + + + + + ' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.deviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}{{.iso8601Timezone}}' + - fieldName: log.syslogHost + pattern: '{{.hostname}}' + - fieldName: log.msgAll + pattern: '{{.greedy}}' + source: raw + where: regexMatch("raw", "\\d{4}-\\d{2}-\\d{2}") + + # Parsing syslog format date (OPNsense/pfSense) + - grok: + patterns: + - fieldName: log.priority + pattern: '\<{{.integer}}\>' + - fieldName: log.deviceTime + pattern: '{{.monthName}}{{.space}}{{.monthDay}}{{.space}}{{.time}}{{.space}}' + - fieldName: log.syslogHost + pattern: '{{.hostname}}{{.space}}' + - fieldName: log.msgAll + pattern: '{{.greedy}}' + source: raw + where: regexMatch("raw", "<\\d+>[A-Z][a-z]{2}\\s+\\d{1,2}\\s+\\d{2}") + + #......................................................................# + # Removing unnecessary characters of the syslogHeader + #......................................................................# + - trim: + function: prefix + substring: "<" + fields: + - log.priority + - trim: + function: suffix + substring: ">" + fields: + - log.priority + + #......................................................................# + # Checking that the msgAll field exists + #......................................................................# + - grok: + patterns: + - fieldName: log.eventType + pattern: '{{.word}}' + - fieldName: log.pid + pattern: '(\[)?({{.integer}}?)(\])?(- -|:)' + - fieldName: log.csvMsg + pattern: '{{.greedy}}' + source: log.msgAll + + #......................................................................# + # Removing unnecessary characters + #......................................................................# + - trim: + function: prefix + substring: "[" + fields: + - log.pid + - trim: + function: suffix + substring: "]:" + fields: + - log.pid + + # 
..........................................................................# + # Remove issues fileds + # ..........................................................................# + - delete: + fields: + - log.msgAll + + #......................................................................# + # Using csv to parse the message + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv4Tos + - log.ipv4Ecn + - log.ipv4Ttl + - log.ipv4Id + - log.ipv4Offset + - log.ipv4Flags + - log.ipv4ProtocolId + - log.proto + - log.ipLength + - log.srcIp + - log.dstIp + - log.srcPort + - log.dstPort + - log.dataLength + - log.tcpFlags + - log.sequenceNumber + - log.ackNumber + - log.tcpWindow + - log.urg + - log.tcpOptions + where: regexMatch("log.csvMsg", "(.+),(\\s)?(match|\\w+),(block|pass),(in|out),(4|6),(.+)(tcp|TCP|Tcp)") + + # .......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv4Tos + - log.ipv4Ecn + - log.ipv4Ttl + - log.ipv4Id + - log.ipv4Offset + - log.ipv4Flags + - log.ipv4ProtocolId + - log.proto + - log.ipLength + - log.srcIp + - log.dstIp + - log.srcPort + - log.dstPort + - log.dataLength + where: regexMatch("log.csvMsg", "(.+),(\\s)?(match|\\w+),(block|pass),(in|out),(4|6),(.+)(udp|UDP|Udp)") + + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - 
log.ipVersion + - log.ipv4Tos + - log.ipv4Ecn + - log.ipv4Ttl + - log.ipv4Id + - log.ipv4Offset + - log.ipv4Flags + - log.ipv4ProtocolId + - log.proto + - log.ipLength + - log.srcIp + - log.dstIp + - log.icmpType + - log.icmpData1 + - log.icmpData2 + - log.icmpData3 + - log.icmpData4 + - log.icmpData5 + where: regexMatch("log.csvMsg", "(.+),(\\s)?(match|\\w+),(block|pass),(in|out),(4|6),(.+)(icmp|ICMP|Icmp)") + + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv6Class + - log.ipv6FlowLabel + - log.ipv6HopLimit + - log.proto + - log.ipv6ProtocolId + - log.ipLength + - log.srcIp + - log.dstIp + - log.srcPort + - log.dstPort + - log.dataLength + - log.tcpFlags + - log.sequenceNumber + - log.ackNumber + - log.tcpWindow + - log.urg + - log.tcpOptions + where: regexMatch("log.csvMsg", "(.+),(\\s)?(match|\\w+),(block|pass),(in|out),(6|17),(.+)(tcp|TCP|Tcp)") + + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + - log.ipv6Class + - log.ipv6FlowLabel + - log.ipv6HopLimit + - log.proto + - log.ipv6ProtocolId + - log.ipLength + - log.srcIp + - log.dstIp + - log.srcPort + - log.dstPort + - log.dataLength + where: regexMatch("log.csvMsg", "(.+),(match|\\w+),(block|pass),(in|out),6,(.+)(udp|UDP|Udp)") + + #......................................................................# + - csv: + source: log.csvMsg + separator: "," + headers: + - log.ruleNumber + - log.subRuleNumber + - log.anchor + - log.tracker + - log.realInterface + - log.reason + - log.action + - log.direction + - log.ipVersion + 
- log.ipv6Class + - log.ipv6FlowLabel + - log.ipv6HopLimit + - log.proto + - log.ipv6ProtocolId + - log.ipLength + - log.srcIp + - log.dstIp + - log.icmpType + - log.icmpData1 + - log.icmpData2 + - log.icmpData3 + - log.icmpData4 + - log.icmpData5 + where: regexMatch("log.csvMsg", "(.+),(match|\\w+),(block|pass),(in|out),(6|17),(.+)(icmp|ICMP|Icmp)") + + # ................................................# + # Rename fields + # ................................................# + - rename: + from: + - log.action + to: action + + - rename: + from: + - log.proto + to: protocol + + - rename: + from: + - log.srcIp + to: origin.ip + + - rename: + from: + - log.dstIp + to: target.ip + + - rename: + from: + - log.srcPort + to: origin.port + + - rename: + from: + - log.dstPort + to: target.port + + # ................................................# + # Fileds conversions + # ................................................# + - cast: + fields: + - origin.port + - target.port + to: int + + # Adding geolocation to origin.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + + # Adding geolocation to target.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + + # ..........................................................................# + # Remove issues fileds + # ..........................................................................# + - delete: + fields: + - log.csvMsg + +$$ + WHERE id=1522; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260202001_update_linux_auditing_module.xml b/backend/src/main/resources/config/liquibase/changelog/20260202001_update_linux_auditing_module.xml new file mode 100644 index 000000000..f9c0a6b3a --- /dev/null 
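Review bot: The IPv4 TCP, UDP and ICMP `csv` steps are guarded by `where: regexMatch("log.csvMsg", "...,(in|out),(4|6),(.+)(tcp|TCP|Tcp)")`, so an IPv6 record (ip version `6`) also satisfies the IPv4 guard and is first split with the IPv4 header list (`log.ipv4Tos`, `log.ipv4Ttl`, … with `log.srcIp`/`log.dstIp` in different columns) before the IPv6 step runs; the IPv6 step overwrites the fields it names, but the bogus `log.ipv4*` fields stay on the event. Narrow the IPv4 guards to `,(in|out),4,` and keep the IPv6 guards on `6` only — the `(6|17)` alternation in the IPv6 TCP and ICMP guards does not correspond to an IP version value unless the pfSense filterlog format really emits 17 there, which I cannot confirm from the hunk. The `UPDATE ... WHERE id=1522;` also pins the filter by a numeric row id; if that id differs on an installation the changeSet succeeds while updating nothing, so a stable key column (if one exists) or a row-count precondition would make the migration fail loudly instead.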
+++ b/backend/src/main/resources/config/liquibase/changelog/20260202001_update_linux_auditing_module.xml @@ -0,0 +1,16 @@ + + + + + + + + + module_name = 'AUDITD' + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260202002_update_filter_crowdstrike.xml b/backend/src/main/resources/config/liquibase/changelog/20260202002_update_filter_crowdstrike.xml new file mode 100644 index 000000000..57f700bf3 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260202002_update_filter_crowdstrike.xml @@ -0,0 +1,330 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260204001_update_filter_o35_integration.xml b/backend/src/main/resources/config/liquibase/changelog/20260204001_update_filter_o35_integration.xml new file mode 100644 index 000000000..a2041510d --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260204001_update_filter_o35_integration.xml @@ -0,0 +1,125 @@ + + + + + + + + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260204002_update_filter_sonic_wall_integration.xml b/backend/src/main/resources/config/liquibase/changelog/20260204002_update_filter_sonic_wall_integration.xml new file mode 100644 index 000000000..dfa6f5070 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260204002_update_filter_sonic_wall_integration.xml 
@@ -0,0 +1,549 @@ + + + + + + ' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.dvcTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}' + - fieldName: log.syslogHost + pattern: '{{.hostname}}' + - fieldName: log.irrelevant + pattern: '{{.word}}\=' + - fieldName: log.id + pattern: '{{.integer}}' + - fieldName: log.msgAll + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.dvcTime + pattern: '{{.monthName}}{{.space}}{{.monthDay}}{{.space}}{{.time}}' + - fieldName: log.srcIp + pattern: '{{.ipv4}}' + - fieldName: log.msgAll + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.priority + pattern: '\<{{.data}}\>' + - fieldName: log.irrelevant + pattern: '{{.data}}\=' + - fieldName: log.device + pattern: '{{.word}}' + - fieldName: log.irrelevant1 + pattern: '{{.data}}\=' + - fieldName: log.sn + pattern: '{{.word}}' + - fieldName: log.irrelevant2 + pattern: '{{.data}}\"' + - fieldName: log.dvcTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}' + - fieldName: log.irrelevant3 + pattern: '{{.data}}\=' + - fieldName: log.srcIp + pattern: '{{.ipv4}}' + - fieldName: log.msgAll + pattern: '{{.greedy}}' + source: raw + + # ......................................................................# + # Checking if the log is in CEF format + #......................................................................# + # Using grok to parse syslogHeader of the message + # ......................................................................# + - grok: + patterns: + - fieldName: log.priority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.dvcTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}' + - fieldName: log.syslogHost + pattern: '{{.hostname}}' + - fieldName: log.formatType + pattern: '(CEF:)' + - fieldName: log.formatVersion + pattern: '(\s)?{{.integer}}' + - 
fieldName: log.cefMsgAll + pattern: '{{.greedy}}' + source: log.msgAll + where: contains("log.msgAll", "CEF:") + + - grok: + patterns: + - fieldName: log.dvcTime + pattern: '((?i)\b(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?|jul(?:y)?|aug(?:ust)?|sep(?:tember)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)\b){{.space}}{{.monthDay}}{{.space}}{{.year}}{{.space}}{{.time}}' + - fieldName: log.sn + pattern: '{{.word}}' + - fieldName: log.formatType + pattern: '(CEF:)' + - fieldName: log.formatVersion + pattern: '{{.integer}}' + - fieldName: log.cefMsgAll + pattern: '{{.greedy}}' + source: log.msgAll + where: contains("log.msgAll", "CEF:") + + #......................................................................# + # Removing unnecessary characters of the syslogHeader + #......................................................................# + - trim: + function: prefix + substring: "<" + fields: + - log.priority + - trim: + function: suffix + substring: ">" + fields: + - log.priority + - trim: + function: suffix + substring: ":" + fields: + - log.formatType + + #......................................................................# + # Using grok to parse CEF fields + #......................................................................# + - grok: + patterns: + - fieldName: log.dvcVendor + pattern: '\|{{.data}}\|' + - fieldName: log.dvcProduct + pattern: '{{.data}}\|' + - fieldName: log.dvcVersion + pattern: '{{.data}}\|' + - fieldName: log.eventId + pattern: '{{.data}}\|' + - fieldName: log.eventName + pattern: '{{.data}}\|' + - fieldName: log.severity + pattern: '{{.data}}\|' + - fieldName: log.msgAll + pattern: '{{.greedy}}' + source: log.cefMsgAll + + - trim: + function: prefix + substring: "|" + fields: + - log.dvcVendor + + - trim: + function: suffix + substring: "|" + fields: + - log.dvcVendor + - log.dvcProduct + - log.dvcVersion + - log.eventId + - log.eventName + - log.severity + + # Using grok to extract values with spaces in fields + - 
grok: + patterns: + - fieldName: log.trash + pattern: '{{.data}}msg=' + - fieldName: log.message + pattern: '\"{{.data}}\"' + - fieldName: log.trash2 + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.trash1 + pattern: '{{.data}}ipscat=' + - fieldName: log.ipscat1 + pattern: '\"{{.data}}\"' + - fieldName: log.trash3 + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.trash4 + pattern: '{{.data}}cs6=' + - fieldName: log.cs61 + pattern: '\"{{.data}}\"' + - fieldName: log.trash5 + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.trash6 + pattern: '{{.data}}rule=' + - fieldName: log.rule1 + pattern: '\"{{.data}}\"' + - fieldName: log.trash7 + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.trash8 + pattern: '{{.data}}Category=' + - fieldName: log.category1 + pattern: '\"{{.data}}\"' + - fieldName: log.trash9 + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.trash10 + pattern: '{{.data}}note=' + - fieldName: log.note1 + pattern: '\"{{.data}}\"' + - fieldName: log.trash11 + pattern: '{{.greedy}}' + source: raw + + - trim: + function: prefix + substring: '"' + fields: + - log.message + - log.note1 + - log.ipscat1 + - log.cs61 + - log.rule1 + - log.category1 + - log.fwaction + + - trim: + function: suffix + substring: '"' + fields: + - log.message + - log.note1 + - log.ipscat1 + - log.cs61 + - log.rule1 + - log.category1 + - log.fwaction + + #......................................................................# + # Using kv to parse msgAll components from syslog format only + #......................................................................# + - kv: + fieldSplit: " " + valueSplit: "=" + source: log.msgAll + + # ................................................# + # Rename fields + # ................................................# + - rename: + from: + - log.dst + to: target.ip + - rename: + from: + - 
log.dstname + to: target.host + - rename: + from: + - log.proto + to: protocol + - rename: + from: + - log.src + to: origin.ip + - rename: + from: + - log.fwaction + to: action + - rename: + from: + - log.dstMac + to: target.mac + - rename: + from: + - log.srcMac + to: origin.mac + - rename: + from: + - log.dmac + to: target.mac + - rename: + from: + - log.smac + to: origin.mac + - rename: + from: + - log.message + to: log.msg + - rename: + from: + - log.note1 + to: log.note + - rename: + from: + - log.ipscat1 + to: log.ipscat + - rename: + from: + - log.cs61 + to: log.cs6 + - rename: + from: + - log.rule1 + to: log.rule + - rename: + from: + - log.category1 + to: log.category + + # .......................................................................# + # Fields conversions + # .......................................................................# + - cast: + fields: + - log.gcat + to: string + + #......................................................................# + # Define Syslog Group Category (gcat) Values + #......................................................................# + - add: + function: 'string' + params: + key: log.groupCategory + value: 'System' + where: equals("log.gcat", "1") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'Log' + where: equals("log.gcat", "2") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'Security Services' + where: equals("log.gcat", "3") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'Users' + where: equals("log.gcat", "4") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'Firewall Settings' + where: equals("log.gcat", "5") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'Network' + where: equals("log.gcat", "6") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'VPN' + where: equals("log.gcat", "7") + + - add: + function: 'string' + params: + key: 
log.groupCategory + value: 'High Availability' + where: equals("log.gcat", "8") + + - add: + function: 'string' + params: + key: log.groupCategory + value: '3G/4G, Modem, and Module' + where: equals("log.gcat", "9") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'Firewall' + where: equals("log.gcat", "10") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'Wireless' + where: equals("log.gcat", "11") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'VoIP' + where: equals("log.gcat", "12") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'SSL VPN' + where: equals("log.gcat", "13") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'Anti-Spam' + where: equals("log.gcat", "14") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'WAN Acceleration' + where: equals("log.gcat", "15") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'SD-WAN' + where: equals("log.gcat", "16") + + - add: + function: 'string' + params: + key: log.groupCategory + value: 'Multi-Tenancy' + where: equals("log.gcat", "17") + + # Adding geolocation to origin.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + + # Adding geolocation to target.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + + # .......................................................................# + # Adding severity based on log.pri + # .......................................................................# + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.pri", ["0", "1", "2", "3"]) + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: equals("log.pri", "4") + - add: + function: 'string' + 
params: + key: severity + value: 'low' + where: oneOf("log.pri", ["5", "6", "7"]) + + # ..........................................................................# + # Removing unnuse fields + #.........................................................................# + - delete: + fields: + - log.irrelevant + - log.irrelevant1 + - log.irrelevant2 + - log.irrelevant3 + - log.msgAll + - log.cefMsgAll + - log.pri + - log.gcat + - log.message + - log.note1 + - log.ipscat1 + - log.cs61 + - log.rule1 + - log.category1 + - log.trash + - log.trash1 + - log.trash2 + - log.trash3 + - log.trash4 + - log.trash5 + - log.trash6 + - log.trash7 + - log.trash8 + - log.trash9 + - log.trash10 + - log.trash11 + +$$ + + WHERE id=1511 + + ]]> + + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260206001_update_filter_vmware_integration.xml b/backend/src/main/resources/config/liquibase/changelog/20260206001_update_filter_vmware_integration.xml new file mode 100644 index 000000000..795c8363c --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260206001_update_filter_vmware_integration.xml 
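Review bot: The second and third header `grok` steps extract the source address into `log.srcIp`, but the rename section only maps `log.src` (from the `kv` step) to `origin.ip`, so an event whose body carries no `src=` pair ends up with no `origin.ip`, no geolocation, and a stray `log.srcIp` that is not in the delete list either. Add `- rename: from: - log.srcIp to: origin.ip` ahead of the existing `log.src` rename so the kv value still takes precedence when both are present (assuming a later rename overwrites, which is how the duplicate `log.dstMac`/`log.dmac` → `target.mac` renames appear to rely on). Note also that `action` and `severity` are derived from the attacker-influenced `fwaction=`, `gcat=` and `pri=` pairs split on spaces; that is inherent to syslog parsing, but nothing in this hunk validates those values.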
@@ -0,0 +1,153 @@ + + + + + + ' + - fieldName: log.deviceTime + pattern: '{{.year}}(-){{.monthNumber}}(-){{.monthDay}}(T){{.time}}(Z)' + - fieldName: origin.hostname + pattern: '{{.hostname}}' + - fieldName: log.process + pattern: '{{.hostname}}(\:)' + - fieldName: severity + pattern: '{{.word}}' + - fieldName: log.processName + pattern: '{{.hostname}}' + - fieldName: log.pid + pattern: '\[{{.data}}\]' + - fieldName: log.eventInfo + pattern: '\[{{.data}}\]' + - fieldName: log.message + pattern: '{{.greedy}}' + + - grok: + patterns: + - fieldName: log.priority + pattern: '\<{{.data}}\>' + - fieldName: log.deviceTime + pattern: '{{.year}}(-){{.monthNumber}}(-){{.monthDay}}(T){{.time}}(Z)' + - fieldName: origin.hostname + pattern: '{{.hostname}}' + - fieldName: log.process + pattern: '{{.hostname}}' + - fieldName: log.pid + pattern: '\[{{.data}}\]:' + - fieldName: log.message + pattern: '{{.greedy}}' + + - grok: + patterns: + - fieldName: log.priority + pattern: '\<{{.data}}\>' + - fieldName: log.deviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}T{{.time}}Z' + - fieldName: origin.hostname + pattern: '{{.hostname}}' + - fieldName: log.process + pattern: '{{.hostname}}' + - fieldName: log.pid + pattern: '\[{{.data}}\]:' + - fieldName: log.originIdComponent + pattern: '\[{{.data}}\]' + - fieldName: log.message + pattern: '{{.greedy}}' + + - grok: + patterns: + - fieldName: log.moduleIdentifier + pattern: '\[{{.data}}\@' + - fieldName: log.irrelevant + pattern: '{{.data}}\=' + - fieldName: log.subModuleIdentifier + pattern: '{{.word}}\]' + source: log.originIdComponent + + # Removing unused caracters + - trim: + function: prefix + substring: '<' + fields: + - log.priority + - trim: + function: prefix + substring: '[' + fields: + - log.pid + - log.eventInfo + - log.moduleIdentifier + - trim: + function: prefix + substring: '-' + fields: + - log.message + - trim: + function: suffix + substring: '>' + fields: + - log.priority + - trim: + function: suffix + 
substring: ':' + fields: + - log.pid + - log.process + - trim: + function: suffix + substring: ']' + fields: + - log.pid + - log.eventInfo + - log.subModuleIdentifier + - trim: + function: suffix + substring: '-' + fields: + - log.message + - trim: + function: suffix + substring: '@' + fields: + - log.moduleIdentifier + + # Removing unused fields + - delete: + fields: + - log.processName + - log.irrelevant + +$$ + + WHERE id = 1001 + + ]]> + + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml b/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml new file mode 100644 index 000000000..16de1655f --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260206002_update_filter_netflow_integration.xml @@ -0,0 +1,297 @@ + + + + + + + + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209001_update_filter_antivirus_esmc_eset.xml b/backend/src/main/resources/config/liquibase/changelog/20260209001_update_filter_antivirus_esmc_eset.xml new file mode 100644 index 000000000..0ce039e32 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209001_update_filter_antivirus_esmc_eset.xml 
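Review bot: The first `grok` writes the raw syslog level token straight into `severity` (`- fieldName: severity pattern: '{{.word}}'`), so VMware events carry device strings in a field that the other filters in this change (e.g. the ESET one) populate only with normalized `low`/`medium`/`high` via `add ... where: oneOf(...)`; correlation rules keyed on `severity` will not match these events consistently. Parse the token into `log.level` instead, derive `severity` with the same `add`/`oneOf` ladder the ESET filter uses, and drop `log.level` in the final `delete`. The three header groks also carry no `source:` or `where:` guard, unlike the pfSense filter's `source: raw` / `where: regexMatch(...)`; if the pipeline does not default `source` to `raw`, nothing is parsed here, which is worth confirming before this changeSet lands on `id = 1001`.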
@@ -0,0 +1,148 @@ + + + + + + + ' + - fieldName: log.msgType + pattern: '{{.integer}}' + - fieldName: log.deviceTime + pattern: '{{.year}}(-){{.monthNumber}}(-){{.monthDay}}(T){{.time}}(Z)' + - fieldName: log.headHostname + pattern: '{{.hostname}}' + - fieldName: log.serviceName + pattern: '{{.hostname}}' + - fieldName: log.pid + pattern: '{{.integer}}' + - fieldName: log.restHead + pattern: '\-{{.data}}\-' + - fieldName: log.jsonMessage + pattern: '{{.greedy}}' + + # Remove inecesarie caracters + - trim: + function: prefix + substring: '<' + fields: + - log.priority + - trim: + function: suffix + substring: '>' + fields: + - log.priority + + # Parsing jsonMessage field log + - json: + source: log.jsonMessage + + - rename: + from: + - log.ipv4 + to: target.ip + - rename: + from: + - log.hostname + to: target.host + - rename: + from: + - log.action + to: action + - rename: + from: + - log.event + to: actionResult + - rename: + from: + - log.sourceaddress + to: origin.ip + - rename: + from: + - log.protocol + to: protocol + - rename: + from: + - log.sourceport + to: origin.port + - rename: + from: + - log.targetaddress + to: target.ip + - rename: + from: + - log.targetport + to: target.port + + # Adding severity field based on log.severity + - add: + function: 'string' + params: + key: severity + value: 'low' + where: oneOf("log.severity", ["INFO", "Info"]) + + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: oneOf("log.severity", ["WARNING", "Warning"]) + + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.severity", ["ERROR", "Error"]) + + # Adding geolocation to origin.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + + # Adding geolocation to target.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + + # 
Removing unused fields + - delete: + fields: + - log.jsonMessage + - log.severity$$ + WHERE id=1501; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209002_update_filter_apache.xml b/backend/src/main/resources/config/liquibase/changelog/20260209002_update_filter_apache.xml new file mode 100644 index 000000000..811ee863a --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209002_update_filter_apache.xml 
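Review bot: The severity ladder maps only `INFO`/`WARNING`/`ERROR` (and their capitalised forms) and then the final `delete` removes `log.severity` unconditionally, so any other level the agent emits (verify against the ESMC export format whether e.g. `Critical` occurs) leaves the event with no `severity` at all and the original value discarded. Either add a mapping for the remaining levels, or guard the delete with `where: exists("severity")` so an unmapped level is at least retained for triage. Note also that both `log.ipv4` and `log.targetaddress` are renamed to `target.ip`; when the JSON carries both, the later rename wins, which may or may not be the intended precedence.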
@@ -0,0 +1,249 @@ + + + + + + + fileset: datatype +# access: plain text +# 1. Parsing the json from beats +# 2. Parsing the message field containing the apache log +pipeline: + - dataTypes: + - apache + steps: + - json: + source: raw + - rename: + from: + - log.url + to: origin.url + - rename: + from: + - log.log.file.path + to: origin.file + - rename: + from: + - log.host.ip + to: log.local.ips + - rename: + from: + - log.host.mac + to: log.local.macs + - rename: + from: + - log.host.hostname + to: origin.host + - rename: + from: + - log.event.dataset + to: action + - rename: + from: + - log.agent.version + to: log.agentVersion + - rename: + from: + - log.host.os.kernel + to: log.osVersion + - rename: + from: + - log.host.os.type + to: log.osType + - rename: + from: + - log.host.architecture + to: log.cpuArchitecture + - cast: + to: '[]string' + fields: + - log.local.ips + - cast: + to: '[]string' + fields: + - log.local.macs + # Common apache log parsing + - grok: + patterns: + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}' + - fieldName: log.userIdent + pattern: '{{.word}}|(-)' + - fieldName: origin.user + pattern: '{{.word}}|(-)' + - fieldName: deviceTime + pattern: '\[{{.data}}\]' + - fieldName: log.request + pattern: '\"{{.data}}\"' + - fieldName: log.statusCode + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.message + # Parsing Common and Combined end of apache log + # Common + - grok: + patterns: + - fieldName: origin.bytesReceived + pattern: '{{.integer}}|(-)' + source: log.rest + # Combined + - grok: + patterns: + - fieldName: origin.bytesReceived + pattern: '{{.integer}}|(-)' + - fieldName: log.referer + pattern: '\"{{.data}}\"' + - fieldName: log.userAgent + pattern: '\"(.*)\"' + source: log.rest + - trim: + function: prefix + substring: '[' + fields: + - deviceTime + - trim: + function: suffix + substring: ']' + fields: + - deviceTime + - trim: + function: prefix + substring: '"' + fields: + - 
log.request + - log.referer + - log.userAgent + - trim: + function: suffix + substring: '"' + fields: + - log.request + - log.referer + - log.userAgent + # Extracting request parts + - grok: + patterns: + - fieldName: log.method + pattern: '{{.word}}' + - fieldName: "origin.path" + pattern: '(.*)\s+' + - fieldName: protocol + pattern: '{{.greedy}}' + source: log.request + # Extracting protocol version + - grok: + patterns: + - fieldName: protocol + pattern: '{{.data}}/' + - fieldName: log.protoVersion + pattern: '{{.greedy}}' + source: protocol + where: exists("protocol") + - trim: + function: suffix + substring: '/' + fields: + - protocol + where: exists("protocol") + # Adding geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + # Normalizing request method and renaming to action + - add: + function: 'string' + params: + key: action + value: 'get' + where: equals("log.method", "GET") + - add: + function: 'string' + params: + key: action + value: 'post' + where: equals("log.method", "POST") + - add: + function: 'string' + params: + key: action + value: 'put' + where: equals("log.method", "PUT") + - add: + function: 'string' + params: + key: action + value: 'delete' + where: equals("log.method", "DELETE") + - add: + function: 'string' + params: + key: action + value: 'patch' + where: equals("log.method", "PATCH") + - add: + function: 'string' + params: + key: action + value: 'request' + where: equals("log.method", "REQUEST") + # Removing log.method if action was set + - delete: + fields: + - log.method + where: exists("action") + # Reformat and field conversions + - cast: + fields: + - log.statusCode + - origin.bytesReceived + to: float + - reformat: + fields: + - deviceTime + function: time + fromFormat: '14/Feb/2022:15:40:53 -0500' + toFormat: '2024-09-23T15:57:40.338364445Z' + # Adding actionResult + # denied by default + - add: + function: 'string' + params: + 
key: actionResult + value: 'denied' + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: (greaterOrEqual("log.statusCode", 200) && lessOrEqual("log.statusCode", 299)) || (greaterOrEqual("log.statusCode", 300) && lessOrEqual("log.statusCode", 399) && greaterThan("origin.bytesReceived", 0)) + # Removing unused fields + - delete: + fields: + - log.service + - log.metadata + - log.agent + - log.host + - log.event + - log.ecs + - log.log + - log.rest + - log.fileset$$ + WHERE id=1412; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209003_update_filter_azure.xml b/backend/src/main/resources/config/liquibase/changelog/20260209003_update_filter_azure.xml new file mode 100644 index 000000000..775f8beeb --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209003_update_filter_azure.xml @@ -0,0 +1,738 @@ + + + + + + + + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209004_update_filter_cisco_asa.xml b/backend/src/main/resources/config/liquibase/changelog/20260209004_update_filter_cisco_asa.xml new file mode 100644 index 000000000..b644c4055 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209004_update_filter_cisco_asa.xml 
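Review bot: The `delete` of `log.method` is guarded only by `exists("action")`, but `action` is already populated earlier in the pipeline by the `rename` of `log.event.dataset`, so on any Filebeat module event that ships `event.dataset` the delete fires even when the method was not one of the six values mapped (GET, POST, PUT, DELETE, PATCH, REQUEST) and HEAD, OPTIONS, CONNECT and TRACE requests lose their method entirely. Those are precisely the methods scanner and proxy-abuse detections key on, so dropping them silently weakens coverage. Scope the delete to the methods that were actually normalised, `where: oneOf("log.method", ["GET", "POST", "PUT", "DELETE", "PATCH", "REQUEST"])` (`oneOf` is used by the other filter in this changeset), or add a catch-all `add` that carries the lower-cased method into `action` before the delete. Also, the `origin.ip` pattern here is the bare alternation `{{.ipv4}}|{{.ipv6}}` while the Cisco ASA filter in the same commit writes `({{.ipv4}}|{{.ipv6}})`; unless the grok engine wraps each field pattern itself, the ungrouped form can bind differently from the grouped one, so the two should be made consistent.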
@@ -0,0 +1,5936 @@ + + + + + + + Syslog +# +# 1. Parsing the message field containing the Cisco ASA log +pipeline: + - dataTypes: + - firewall-cisco-asa + steps: + # Common ASA fields + - grok: + patterns: + - fieldName: log.syslogPri + pattern: '(\<{{.integer}}\>)' + - fieldName: log.ciscoTime + pattern: '({{.day}}\s)?{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.localIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.asaHeader + pattern: '{{.data}}ASA-' + - fieldName: log.severity + pattern: '{{.integer}}' + - fieldName: log.messageId + pattern: '-{{.integer}}' + - fieldName: log.ciscoSeparator + pattern: '\:{{.space}}' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + - grok: + patterns: + - fieldName: log.ciscoTime + pattern: '({{.day}}\s)?{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.localIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.asaHeader + pattern: '{{.data}}ASA-' + - fieldName: log.severity + pattern: '{{.integer}}' + - fieldName: log.messageId + pattern: '-{{.integer}}' + - fieldName: log.ciscoSeparator + pattern: '\:{{.space}}' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + #......................................................................# + # Adding log.localIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.localIp + destination: log.localIp.geolocation + where: exists("log.localIp") + # Removing unwanted prefixes + - trim: + function: prefix + substring: '-' + fields: + - log.messageId + # Field conversions + - cast: + fields: + - log.messageId + to: int + # Begining specific message parsing + #......................................................................# + # ASA-2-106001 + - grok: + patterns: + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.ciscoResult + 
pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '/{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '/{{.integer}}' + - fieldName: log.irrelevant + pattern: 'flags' + - fieldName: log.flags + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106001 + + - trim: + function: prefix + substring: '/' + fields: + - origin.port + - target.port + where: log.messageId==106001 + + #......................................................................# + #ASA-2-106017 + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'IP\sdue\sto' + - fieldName: action + pattern: '{{.greedy}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + source: log.msg + where: log.messageId==106017 + - trim: + function: suffix + substring: 'from' + fields: + - action + where: log.messageId==106017 + #......................................................................# + # ASA-1-106021 + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: action + pattern: '{{.greedy}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106021 + - trim: + function: suffix + substring: 'from' + fields: + - action + where: log.messageId==106021 + - add: + function: 'string' + 
params: + key: actionResult + value: 'denied' + where: log.messageId==106021 + #......................................................................# + # ASA-2-106101 + - grok: + patterns: + - fieldName: action + pattern: 'Number of cached deny-flows for ACL log has reached limit' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106101 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Number of cached' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==106101 + # Parsing the limit number + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.numFlows + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==106101 + # Field conversions + - cast: + fields: + - log.numFlows + to: int + where: log.messageId==106101 + + #......................................................................# + # ASA-6-106102,106103 + # First variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'access-list' + - fieldName: log.accessList + pattern: '{{.data}}\s' + - fieldName: actionResult + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})\s' + - fieldName: log.srcInterface + pattern: '{{.data}}/' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.dstInterface + pattern: '{{.data}}/' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'hit-cnt' + - fieldName: log.hitCount + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106102 || 
log.messageId==106103 + # Second variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'access-list' + - fieldName: log.accessList + pattern: '{{.data}}\s' + - fieldName: actionResult + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})\s' + - fieldName: log.srcInterface + pattern: '{{.data}}/' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: '-\>' + - fieldName: log.dstInterface + pattern: '{{.data}}/' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'hit-cnt' + - fieldName: log.hitCount + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: suffix + substring: '/' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: prefix + substring: '(' + fields: + - origin.port + - target.port + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: suffix + substring: ')' + fields: + - origin.port + - target.port + where: log.messageId==106102 || log.messageId==106103 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && equalsIgnoreCase("actionResult", "Permitted") + # Adding action result + - add: + 
function: 'string' + params: + key: actionResult + value: 'denied' + where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && !equalsIgnoreCase("actionResult", "Permitted") + #......................................................................# + # ASA-4-109017 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'User at' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'exceeded auth proxy connection limit' + - fieldName: log.limit + pattern: '\({{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==109017 + + - trim: + function: prefix + substring: '(' + fields: + - log.limit + where: log.messageId==109017 + - cast: + fields: + - log.limit + to: int + where: log.messageId==109017 + #......................................................................# + # ASA-6-109101 + - grok: + patterns: + - fieldName: action + pattern: 'Received CoA disconnect request' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}}),' + - fieldName: log.irrelevant + pattern: 'with\saudit-session-id:' + - fieldName: log.auditSessionId + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==109101 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received CoA' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==109101 + - trim: + function: suffix + substring: ',' + fields: + - origin.user + where: log.messageId==109101 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==109101 + #......................................................................# + # 
ASA-4-109102 + - grok: + patterns: + - fieldName: action + pattern: 'Received CoA {{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: ', but cannot find named session' + - fieldName: log.auditSessionId + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==109102 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received CoA' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==109102 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==109102 + #......................................................................# + # ASA-3-109103 + - grok: + patterns: + - fieldName: action + pattern: 'CoA {{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'failed for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}}),' + - fieldName: log.irrelevant + pattern: 'with session ID:' + - fieldName: log.auditSessionId + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==109103 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'CoA' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==109103 + - trim: + function: suffix + substring: ',' + fields: + - origin.user + where: log.messageId==109103 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==109103 + #......................................................................# + # ASA-109201 to 109213 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'UAUTH(:)? 
Session(\s|=)' + - fieldName: log.session + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'User(\s|=)' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'Assigned IP(\s|=)' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: ',' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId>=109201 && log.messageId<=109213 + - trim: + function: suffix + substring: ',' + fields: + - log.session + - origin.user + where: log.messageId>=109201 && log.messageId<=109213 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId>=109201 && log.messageId<=109213 + #......................................................................# + # ASA-6-113004 + - grok: + patterns: + - fieldName: action + pattern: 'AAA user {{.word}} Successful' + - fieldName: log.irrelevant + pattern: '\:' + - fieldName: log.irrelevant + pattern: 'server(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.data}}(\:|,)' + - fieldName: log.irrelevant + pattern: '(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113004 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'AAA user {{.word}}' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113004 + - trim: + function: suffix + substring: ':' + fields: + - target.ip + where: log.messageId==113004 + - trim: + function: suffix + substring: ',' + fields: + - target.ip + where: log.messageId==113004 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113004 + #......................................................................# + # ASA-6-113005 + - grok: + patterns: + - fieldName: action + pattern: 'AAA user authentication Rejected(\s)?' 
+ - fieldName: log.irrelevant + pattern: '\:(\s)?reason(\s)?=(\s)' + - fieldName: log.reason + pattern: '{{.data}}(\:|,)' + - fieldName: log.irrelevant + pattern: '(server|Server)(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.data}}(\:|,)' + - fieldName: log.irrelevant + pattern: '(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.data}}(\:|,)' + - fieldName: log.irrelevant + pattern: '(U|u)ser IP(\s)?=(\s)?' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113005 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'AAA user authentication' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113005 + - trim: + function: suffix + substring: ':' + fields: + - log.reason + - target.ip + - origin.user + where: log.messageId==113005 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113005 + #......................................................................# + # ASA-6-113008 + - grok: + patterns: + - fieldName: action + pattern: 'AAA transaction status ACCEPT(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?(u|U)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113008 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113008 + #......................................................................# + # ASA-6-113009 + # First variant + - grok: + patterns: + - fieldName: action + pattern: 'AAA retrieved default group policy' + - fieldName: log.policy + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'for (u|U)ser(\s)?=(\s)?' 
+ - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113009 + - trim: + function: prefix + substring: '(' + fields: + - log.policy + where: log.messageId==113009 + - trim: + function: suffix + substring: ')' + fields: + - log.policy + where: log.messageId==113009 + # Second variant + - grok: + patterns: + - fieldName: action + pattern: 'AAA retrieved default group policy' + - fieldName: log.policy + pattern: '{{.data}}\sfor' + - fieldName: log.irrelevant + pattern: '(u|U)ser(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113009 + - trim: + function: suffix + substring: 'for' + fields: + - log.policy + where: log.messageId==113009 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113009 + #......................................................................# + # ASA-6-113010 + - grok: + patterns: + - fieldName: action + pattern: 'AAA challenge received for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}}) from server' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113010 + - trim: + function: suffix + substring: 'from server' + fields: + - origin.user + where: log.messageId==113010 + #......................................................................# + # ASA-6-113011 + # First variant + - grok: + patterns: + - fieldName: action + pattern: 'AAA retrieved user specific group policy' + - fieldName: log.policy + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'for (u|U)ser(\s)?=(\s)?' 
+ - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113011 + - trim: + function: prefix + substring: '(' + fields: + - log.policy + where: log.messageId==113011 + - trim: + function: suffix + substring: ')' + fields: + - log.policy + where: log.messageId==113011 + # Second variant + - grok: + patterns: + - fieldName: action + pattern: 'AAA retrieved user specific group policy' + - fieldName: log.policy + pattern: '{{.data}}\sfor' + - fieldName: log.irrelevant + pattern: '(u|U)ser(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113011 + - trim: + function: suffix + substring: 'for' + fields: + - log.policy + where: log.messageId==113011 + #......................................................................# + # ASA-6-113012 + - grok: + patterns: + - fieldName: action + pattern: 'AAA user authentication Successful(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?local database(\s)?:(\s)?user(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113012 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'AAA user authentication' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113012 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113012 + #......................................................................# + # ASA-6-113013 + - grok: + patterns: + - fieldName: action + pattern: 'AAA unable to complete the request' + - fieldName: log.irrelevant + pattern: 'Error(\s)?:(\s)?reason(\s)?=(\s)?' + - fieldName: log.reason + pattern: '{{.data}}\:' + - fieldName: log.irrelevant + pattern: 'user(\s)?=(\s)?' 
+ - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113013 + - trim: + function: suffix + substring: ':' + fields: + - log.reason + where: log.messageId==113013 + #......................................................................# + # ASA-6-113014 + - grok: + patterns: + - fieldName: action + pattern: 'AAA authentication server not accessible(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?server(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: '\:(\s)?(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113014 + #......................................................................# + # ASA-6-113015, 113017 + - grok: + patterns: + - fieldName: action + pattern: '(AAA user authentication|AAA credentials)\s(R|r)ejected(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?reason(\s)?=(\s)?' + - fieldName: log.reason + pattern: '{{.data}}(\s)?\:' + - fieldName: log.irrelevant + pattern: 'local database(\s)?:(\s)?(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})(\s)?:' + - fieldName: log.irrelevant + pattern: 'user IP(\s)?=(\s)?' 
+ - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113015 || log.messageId==113017 + - trim: + function: suffix + substring: ':' + fields: + - log.reason + - origin.user + where: log.messageId==113015 || log.messageId==113017 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(AAA user authentication|AAA credentials)\s' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113015 || log.messageId==113017 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113015 || log.messageId==113017 + #......................................................................# + # ASA-6-113016 + - grok: + patterns: + - fieldName: action + pattern: 'AAA credentials rejected(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?reason(\s)?=(\s)?' + - fieldName: log.reason + pattern: '{{.data}}(\s)?\:' + - fieldName: log.irrelevant + pattern: 'server(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.data}}(\s)?\:' + - fieldName: log.irrelevant + pattern: '(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})(\s)?:' + - fieldName: log.irrelevant + pattern: 'user IP(\s)?=(\s)?' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113016 + - trim: + function: suffix + substring: ':' + fields: + - log.reason + - target.ip + - origin.user + where: log.messageId==113016 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'AAA credentials' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113016 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113016 + #......................................................................# + # ASA-4-113019 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?=(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}(\s)?,' + - fieldName: log.irrelevant + pattern: '(U|u)sername(\s)?=(\s)?' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})(\s)?,' + - fieldName: log.irrelevant + pattern: 'IP(\s)?=(\s)?' + - fieldName: origin.ip + pattern: '{{.data}},' + - fieldName: action + pattern: '(\s)?Session disconnected\.' + - fieldName: log.irrelevant + pattern: '(\s)?Session Type:(\s)?' + - fieldName: log.sessionType + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '(\s)?Duration:(\s)?' + - fieldName: log.duration + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '(\s)?Bytes xmt:(\s)?' + - fieldName: origin.bytesSent + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '(\s)?Bytes rcv:(\s)?' + - fieldName: origin.bytesReceived + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '(\s)?Reason:(\s)?' + - fieldName: log.reason + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113019 + - trim: + function: suffix + substring: ',' + fields: + - origin.group + - origin.user + - origin.ip + - log.sessionType + - log.duration + - origin.bytesSent + - origin.bytesReceived + where: log.messageId==113019 + - cast: + fields: + - origin.bytesSent + - origin.bytesReceived + to: int + where: log.messageId==113019 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113019 + #......................................................................# + # ASA-113031,113032,113033 + # Common fields + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}\sUser' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})(\s)?IP' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + # Specific fields + - grok: + patterns: + - fieldName: action + pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)' + - fieldName: log.filter + pattern: '{{.data}}\sis' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + - grok: + patterns: + - fieldName: action + pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + - trim: + function: suffix + substring: 'is' + fields: + - log.filter + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + #......................................................................# + # ASA-113034,113035,113036,113038,113039 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '(\<)?{{.data}}(\>)?\sUser' + - fieldName: origin.user + pattern: '(''{{.data}}''|(\<)?{{.data}}(\>)?)(\s)?IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113039 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113035 || log.messageId==113038 + #......................................................................# + # ASA-4-113042 + - grok: + patterns: + - fieldName: action + pattern: 'CoA: Non-HTTP connection from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' 
+ - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: log.remoteUser + pattern: '(''{{.data}}''|{{.data}})(\s)?at' + - fieldName: log.remoteIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113042 + - trim: + function: suffix + substring: 'from' + fields: + - action + where: log.messageId==113042 + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==113042 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==113042 + - trim: + function: suffix + substring: 'at' + fields: + - log.remoteUser + where: log.messageId==113042 + #......................................................................# + # ASA-2-201003 + - grok: + patterns: + - fieldName: action + pattern: 'Embryonic limit exceeded' + - fieldName: log.numCons + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '/(\s)?' + - fieldName: log.limit + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'for' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '/(\s)?' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.globalIp + pattern: '\({{.data}}\)' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '/(\s)?' 
+ - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.dstInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==201003 + - trim: + function: prefix + substring: '(' + fields: + - log.globalIp + where: log.messageId==201003 + - trim: + function: suffix + substring: ')' + fields: + - log.globalIp + where: log.messageId==201003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==201003 + #......................................................................# + # ASA-4-209003 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Fragment database limit of' + - fieldName: log.limit + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'exceeded:(\s)?src(\s)?=(\s)?' + - fieldName: origin.ip + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'dest(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'proto(\s)?=(\s)?' + - fieldName: protocol + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'id(\s)?=(\s)?' 
+ - fieldName: log.id + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==209003 + - trim: + function: suffix + substring: ',' + fields: + - origin.ip + - target.ip + - protocol + where: log.messageId==209003 + - cast: + fields: + - log.limit + to: int + where: log.messageId==209003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==209003 + #......................................................................# + # ASA-3-316001 + - grok: + patterns: + - fieldName: action + pattern: 'Denied new tunnel' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==316001 + # Action result + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==316001 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==316001 + #......................................................................# + # ASA-3-316002 + - grok: + patterns: + - fieldName: action + pattern: 'VPN Handle error' + - fieldName: log.irrelevant + pattern: '\:(\s)?protocol=' + - fieldName: protocol + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'src\s' + - fieldName: log.inIfNum + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\:(\s)?' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: ',(\s)?dst' + - fieldName: log.outIfNum + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\:(\s)?' 
+ - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==316002 + - trim: + function: suffix + substring: ',' + fields: + - protocol + where: log.messageId==316002 + - cast: + fields: + - log.inIfNum + - log.outIfNum + to: int + where: log.messageId==316002 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==316002 + #......................................................................# + # ASA-302003,302004 + # First variant + - grok: + patterns: + - fieldName: action + pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)' + - fieldName: log.irrelevant + pattern: 'for' + - fieldName: log.foreignAddress + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpToip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?' + - fieldName: log.irrelevant + pattern: '(to\s)?' + - fieldName: log.localAddress + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFromip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?' + source: log.msg + where: log.messageId==302003 || log.messageId==302004 + # Second variant + - grok: + patterns: + - fieldName: action + pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)' + - fieldName: log.irrelevant + pattern: 'for' + - fieldName: log.foreignAddress + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpToip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?' + - fieldName: log.localAddress + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.tmpFromip + pattern: '({{.ipv4}}|{{.ipv6}})((\s)?/(\s)?{{.integer}}|(\s)?/)?' 
+ source: log.msg + where: log.messageId==302003 || log.messageId==302004 + # Parsing from/to ip and port + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: target.port + pattern: '{{.greedy}}' + source: log.tmpToip + where: log.messageId==302003 || log.messageId==302004 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.tmpToip + where: log.messageId==302003 || log.messageId==302004 + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: origin.port + pattern: '{{.greedy}}' + source: log.tmpFromip + where: log.messageId==302003 || log.messageId==302004 + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.tmpFromip + where: log.messageId==302003 || log.messageId==302004 + - trim: + function: prefix + substring: '/' + fields: + - origin.port + - target.port + where: log.messageId==302003 || log.messageId==302004 + # Removing temp fields + - delete: + fields: + - log.tmpFromip + - log.tmpToip + where: log.messageId==302003 || log.messageId==302004 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302003 || log.messageId==302004 + #......................................................................# + # ASA-6-302012 + - grok: + patterns: + - fieldName: action + pattern: 'Pre-allocate H225 Call Signalling Connection' + - fieldName: log.irrelevant + pattern: 'for faddr' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: origin.port + pattern: '/(\s)?{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to laddr' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302012 + - trim: + function: prefix + substring: '/' + fields: + - origin.port + where: log.messageId==302012 + # Adding 
action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302012 + #......................................................................# + # ASA-6-302013 + - grok: + patterns: + - fieldName: log.tmpDirection + pattern: 'Built\s{{.word}}\s(Probe)?' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302013 + # Parsing direction field + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpDirection + where: log.messageId==302013 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302013 + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 
'\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302013 + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302013 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: log.messageId==302013 + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + where: log.messageId==302013 + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302013 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: log.messageId==302013 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302013 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302013 + #......................................................................# + # ASA-6-302014 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown\s(Probe)?' 
+ - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302014 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302014 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302014 + # Parsing AAA user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.data}}\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302014 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: log.messageId==302014 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302014 + + # Cleaning fields + - trim: + function: 
suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302014 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==302014 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302014 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302014 + #......................................................................# + # ASA-6-302015 + - grok: + patterns: + - fieldName: log.tmpDirection + pattern: 'Built\s{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302015 + # Parsing direction field + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.greedy}}' + source: log.tmpDirection + where: log.messageId==302015 + # Parsing firewall user from + - grok: + patterns: + - fieldName: 
log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302015 + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302015 + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302015 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: log.messageId==302015 + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + where: log.messageId==302015 + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302015 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: log.messageId==302015 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302015 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302015 + #......................................................................# + # ASA-6-302016 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: 
log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302016 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302016 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302016 + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + source: log.rest + where: log.messageId==302016 + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302016 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: log.messageId==302016 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302016 + + # Cleaning 
fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302016 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==302016 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302016 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302016 + #......................................................................# + # ASA-6-302017 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'GRE connection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.translatedIpFrom + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.realCid + pattern: '{{.data}}\(' + - fieldName: log.translatedIpTo + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302017 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302017 + # Parsing translatedCid and, firewall user to and AAA user if present + - grok: + patterns: + - fieldName: log.translatedCid + pattern: 
'{{.data}}\)' + - fieldName: log.tmpUserInfo + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==302017 + - grok: + patterns: + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302017 + # FW user and AAA user + - grok: + patterns: + - fieldName: log.tmpFwUserTo + pattern: '\({{.data}}\)' + - fieldName: target.user + pattern: '\({{.data}}\)' + source: log.tmpUserInfo + where: log.messageId==302017 + - grok: + patterns: + - fieldName: log.tmpFwUserTo + pattern: '\({{.data}}\)' + source: log.tmpUserInfo + where: log.messageId==302017 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302017 + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - target.user + - log.translatedCid + where: log.messageId==302017 + - trim: + function: suffix + substring: '(' + fields: + - log.realCid + - target.user + where: log.messageId==302017 + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + - log.tmpFwUserTo + - log.tmpUserInfo + where: log.messageId==302017 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302017 + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - log.translatedIpTo + where: log.messageId==302017 + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: log.messageId==302017 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302017 + #......................................................................# + # ASA-6-302018 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown 
GRE connection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.translatedIpFrom + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.realCid + pattern: '{{.data}}\(' + - fieldName: log.translatedIpTo + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302018 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302018 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302018 + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + source: log.rest + where: log.messageId==302018 + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + 
pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302018 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + - log.translatedCid + where: log.messageId==302018 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302018 + # Cleaning fields + - trim: + function: suffix + substring: '(' + fields: + - log.realCid + where: log.messageId==302018 + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302018 + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - log.translatedIpTo + where: log.messageId==302018 + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: log.messageId==302018 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302018 + #......................................................................# + # ASA-6-302020, 302021 + # 302020 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for faddr' + - fieldName: log.tmpFaddrAndFwUser + pattern: '({{.data}})gaddr' + - fieldName: log.tmpGaddrAndFwUser + pattern: '({{.data}})laddr' + - fieldName: log.tmpLaddrAndFwUser + pattern: '({{.data}})type' + - fieldName: log.icmpType + pattern: '({{.data}})code' + - fieldName: log.icmpCode + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302020 + # 302021 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for faddr' + - fieldName: log.tmpFaddrAndFwUser + pattern: '({{.data}})gaddr' + - fieldName: log.tmpGaddrAndFwUser + 
pattern: '({{.data}})laddr' + - fieldName: log.tmpLaddrAndFwUser + pattern: '({{.data}})type' + - fieldName: log.icmpType + pattern: '({{.data}})code' + - fieldName: log.icmpCode + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302021 + # Common parsing for 302020 and 302021 + # For parsing faddr and fwuser from (Begin with ip/port), or icmpSeqNum + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '{{.greedy}}' + source: log.tmpFaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserFrom + pattern: '{{.greedy}}' + source: log.tmpFaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # icmpSeqNum variants + - grok: + patterns: + - fieldName: log.icmpSeqNum + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'gaddr' + source: log.tmpFaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - grok: + patterns: + - fieldName: log.icmpSeqNum + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: 'gaddr' + source: log.tmpFaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # Cleaning icmpSeqNum + - trim: + function: suffix + substring: 'gaddr' + fields: + - log.icmpSeqNum + where: log.messageId==302020 || log.messageId==302021 + # Continue with firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302020 || log.messageId==302021 + # For parsing gaddr and global fwuser (Begin with ip/port), or icmpType + - grok: + patterns: + - 
fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.globalPort + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: '{{.greedy}}' + source: log.tmpGaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - grok: + patterns: + - fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserGlobal + pattern: '{{.greedy}}' + source: log.tmpGaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # icmpType variants + - grok: + patterns: + - fieldName: log.icmpType + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'laddr' + source: log.tmpGaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - grok: + patterns: + - fieldName: log.icmpType + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: 'laddr' + source: log.tmpGaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # Cleaning icmpType + - trim: + function: suffix + substring: 'laddr' + fields: + - log.icmpType + where: log.messageId==302020 || log.messageId==302021 + - trim: + function: suffix + substring: 'code' + fields: + - log.icmpType + where: log.messageId==302020 || log.messageId==302021 + # Continue with global firewall + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.globalFirewallUser + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserGlobal + where: log.messageId==302020 || log.messageId==302021 + # For parsing laddr and fwuser to (Begin with ip/port) + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.tmpLaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - 
grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.tmpLaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # Continue with firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302020 || log.messageId==302021 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - origin.ip + where: log.messageId==302020 || log.messageId==302021 + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - log.globalFirewallUser + where: log.messageId==302020 || log.messageId==302021 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + - log.tmpFwUserGlobal + - log.tmpFaddrAndFwUser + - log.tmpGaddrAndFwUser + - log.tmpLaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302020 || log.messageId==302021 + #......................................................................# + # ASA-6-302022, 302024, 302026 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.role + pattern: '({{.data}})stub' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpMappedIpPortFrom + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - 
fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpMappedIpPortTo
+ pattern: '\({{.data}}\)'
+ source: log.msg
+ where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+ # Parsing mapped ip,port from tmp fields
+ # With port
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpFrom
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortFrom
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ source: log.tmpMappedIpPortFrom
+ where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+ # Without port
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpFrom
+ pattern: '{{.data}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ source: log.tmpMappedIpPortFrom
+ where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+ # Parsing mapped ip,port to, from tmp fields
+ # With port
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpTo
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ source: log.tmpMappedIpPortTo
+ where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+ # Without port
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpTo
+ pattern: '{{.data}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ source: log.tmpMappedIpPortTo
+ where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: 'stub'
+ fields:
+ - log.role
+ where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==302022 || 
log.messageId==302024 || log.messageId==302026
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ - log.mappedIpFrom
+ - log.mappedIpTo
+ where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpMappedIpPortFrom
+ - log.tmpMappedIpPortTo
+ where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026
+ #......................................................................#
+ # ASA-6-302023, 302025, 302027
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Teardown stub'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'connection for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'duration'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ - fieldName: log.irrelevant
+ pattern: 'bytes'
+ - fieldName: origin.bytesSent
+ pattern: '{{.integer}}'
+ - fieldName: log.reason
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: 
log.messageId==302023 || log.messageId==302025 || log.messageId==302027
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027
+ #......................................................................#
+ # ASA-302033,302034
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '(Pre-allocated|Unable to pre-allocate) H323 GUP Connection'
+ - fieldName: log.irrelevant
+ pattern: 'for faddr'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: log.tmpPortFrom
+ pattern: '{{.data}}to laddr'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: log.tmpIpPortTo
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==302033 || log.messageId==302034
+ # Parsing optional ports from y to
+ - grok:
+ patterns:
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpPortFrom
+ where: log.messageId==302033 || log.messageId==302034
+ - grok:
+ patterns:
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.greedy}}'
+ source: log.tmpIpPortTo
+ where: log.messageId==302033 || log.messageId==302034
+ - grok:
+ patterns:
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ source: log.tmpIpPortTo
+ where: log.messageId==302033 || log.messageId==302034
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==302033 || log.messageId==302034
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: log.messageId==302033 || log.messageId==302034
+ # Remove tmp fields
+ - delete:
+ fields:
+ - log.tmpPortFrom
+ - log.tmpIpPortTo
+ where: log.messageId==302033 || log.messageId==302034
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: log.messageId==302033
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: log.messageId==302034
+ #......................................................................#
+ #ASA-6-302035
+ - grok:
+ patterns:
+ - fieldName: log.tmpDirection
+ pattern: 'Built\s{{.word}}\s{{.word}}\sconnection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpFrom
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortFrom
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpTo
+ pattern: '{{.data}}/'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==302035
+ # Parsing direction field
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Built'
+ - 
fieldName: log.direction
+ pattern: '{{.word}}'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpDirection
+ where: log.messageId==302035
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: log.messageId==302035
+ # Parsing port to, firewall user to, and, from user
+ - grok:
+ patterns:
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.tmpFwUserTo
+ pattern: '{{.greedy}}'
+ source: log.rest
+ where: log.messageId==302035
+ # Without user info
+ - grok:
+ patterns:
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ source: log.rest
+ where: log.messageId==302035
+ # Parsing firewall user to
+ # With origin.user
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: origin.user
+ pattern: '{{.data}}\)'
+ source: log.tmpFwUserTo
+ where: log.messageId==302035
+ # Without origin.user
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ source: log.tmpFwUserTo
+ where: log.messageId==302035
+
+ # Decoding outside and inside sg_info
+ - grok:
+ patterns:
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.outsideSgInfo
+ pattern: '{{.data}}\)'
+ source: log.firewallUserFrom
+ where: log.messageId==302035
+ - grok:
+ patterns:
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.insideSgInfo
+ pattern: '{{.data}}\)'
+ source: log.firewallUserTo
+ where: log.messageId==302035
+ - trim:
+ function: suffix
+ substring: 
')'
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ - origin.user
+ - log.insideSgInfo
+ - log.outsideSgInfo
+ where: log.messageId==302035
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpDirection
+ - log.tmpFwUserFrom
+ - log.tmpFwUserTo
+ where: log.messageId==302035
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==302035
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ - log.mappedIpFrom
+ - log.mappedIpTo
+ where: log.messageId==302035
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.connectionId
+ where: log.messageId==302035
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ where: log.messageId==302035
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: log.messageId==302035
+ #......................................................................#
+ # ASA-6-302036
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Teardown\s{{.word}}\sconnection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserTo
+ pattern: '({{.data}})?duration'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ - fieldName: log.irrelevant
+ pattern: 'bytes'
+ - fieldName: origin.bytesSent
+ pattern: '{{.integer}}'
+ - fieldName: log.reason
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==302036
+ # 
Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Teardown'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: log.messageId==302036
+ # Decoding outside and inside firewall user, and sg_info
+ # Side from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.outsideSgInfo
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: log.messageId==302036
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: log.messageId==302036
+ # Side to
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.insideSgInfo
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserTo
+ where: log.messageId==302036
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserTo
+ where: log.messageId==302036
+ # Parsing origin.user from log.reason field
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}\('
+ - fieldName: origin.user
+ pattern: '{{.data}}\)'
+ source: log.reason
+ where: log.messageId==302036
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ - origin.user
+ where: log.messageId==302036
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ - log.tmpFwUserTo
+ where: log.messageId==302036
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface 
+ - log.dstInterface
+ where: log.messageId==302036
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: log.messageId==302036
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.connectionId
+ where: log.messageId==302036
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ where: log.messageId==302036
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: log.messageId==302036
+ #......................................................................#
+ # ASA-6-302303
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Built\s{{.word}}\sstate-bypass\sconnection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})from'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpFrom
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortFrom
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpTo
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==302303
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Built'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: log.messageId==302303
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':' 
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==302303
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ - log.mappedIpFrom
+ - log.mappedIpTo
+ where: log.messageId==302303
+ - trim:
+ function: suffix
+ substring: 'from'
+ fields:
+ - log.connectionId
+ where: log.messageId==302303
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: log.messageId==302303
+ #......................................................................#
+ # ASA-6-302304
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Teardown\s{{.word}}\sstate-bypass\sconnection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})from'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ - fieldName: log.irrelevant
+ pattern: ','
+ - fieldName: origin.bytesSent
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: ','
+ - fieldName: log.reason
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==302304
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Built'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: log.messageId==302304
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==302304
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: log.messageId==302304
+ - trim:
+ function: 
suffix
+ substring: 'from'
+ fields:
+ - log.connectionId
+ where: log.messageId==302304
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: log.messageId==302304
+ #......................................................................#
+ # ASA-6-302305
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Built\s{{.word}}\sstate-bypass\sconnection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpFrom
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortFrom
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpTo
+ pattern: '{{.data}}/'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==302305
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Built'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: log.messageId==302305
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: log.messageId==302305
+ # Parsing port to, firewall user to, and, from user
+ - grok:
+ patterns:
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: 
log.irrelevant
+ pattern: '\)'
+ - fieldName: log.tmpFwUserTo
+ pattern: '{{.greedy}}'
+ source: log.rest
+ where: log.messageId==302305
+ # Without user info
+ - grok:
+ patterns:
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ source: log.rest
+ where: log.messageId==302305
+ # Parsing firewall user to
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ source: log.tmpFwUserTo
+ where: log.messageId==302305
+
+ # Decoding outside and inside sg_info
+ - grok:
+ patterns:
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.outsideSgInfo
+ pattern: '{{.data}}\)'
+ source: log.firewallUserFrom
+ where: log.messageId==302305
+ - grok:
+ patterns:
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.insideSgInfo
+ pattern: '{{.data}}\)'
+ source: log.firewallUserTo
+ where: log.messageId==302305
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ - origin.user
+ - log.insideSgInfo
+ - log.outsideSgInfo
+ where: log.messageId==302305
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ - log.tmpFwUserTo
+ where: log.messageId==302305
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==302305
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ - log.mappedIpFrom
+ - log.mappedIpTo
+ where: log.messageId==302305
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.connectionId
+ where: log.messageId==302305
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ where: log.messageId==302305
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: log.messageId==302305 
+ #......................................................................#
+ # ASA-6-302306
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Teardown\s{{.word}}\sstate-bypass\sconnection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserTo
+ pattern: '({{.data}})?duration'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ - fieldName: log.irrelevant
+ pattern: 'bytes'
+ - fieldName: origin.bytesSent
+ pattern: '{{.integer}}'
+ - fieldName: log.reason
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==302306
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Teardown'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: log.messageId==302306
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: log.messageId==302306
+ # Parsing firewall user to
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ source: log.tmpFwUserTo
+ where: log.messageId==302306
+
+ # Decoding outside and inside sg_info
+ - grok:
+ patterns:
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.outsideSgInfo
+ pattern: '{{.data}}\)'
+ source: log.firewallUserFrom
+ where: log.messageId==302306 
+ - grok:
+ patterns:
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.insideSgInfo
+ pattern: '{{.data}}\)'
+ source: log.firewallUserTo
+ where: log.messageId==302306
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ - log.insideSgInfo
+ - log.outsideSgInfo
+ where: log.messageId==302306
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ - log.tmpFwUserTo
+ where: log.messageId==302306
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==302306
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: log.messageId==302306
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.connectionId
+ where: log.messageId==302306
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ where: log.messageId==302306
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: log.messageId==302306
+ #......................................................................#
+ # ASA-6-305009
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Built (dynamic|static) translation'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: log.tmpAclSrcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: log.mappedIpTo
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==305009
+ # Parsing srcInterface
+ # With ACL
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}\('
+ - fieldName: log.accessList
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpAclSrcInterface
+ where: log.messageId==305009
+ # Without ACL
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}:'
+ source: log.tmpAclSrcInterface
+ where: log.messageId==305009
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: log.messageId==305009
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ - log.tmpAclSrcInterface
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.accessList
+ where: log.messageId==305009
+ - trim:
+ function: suffix
+ substring: '('
+ fields:
+ - log.srcInterface
+ where: log.messageId==305009
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==305009
+ #......................................................................#
+ # ASA-6-305010
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Teardown (dynamic|static) translation'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: 'duration'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ source: log.msg
+ where: log.messageId==305010
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: log.messageId==305010
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ where: log.messageId==305010
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==305010
+ #......................................................................#
+ # ASA-6-305011
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Built\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ source: log.msg
+ where: log.messageId==305011
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: log.messageId==305011
+ # Parsing protocol
+ - 
grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Built\s(dynamic|static)'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==305011
+
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ where: log.messageId==305011
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ where: log.messageId==305011
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==305011
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: log.messageId==305011
+ #......................................................................#
+ # ASA-6-305012
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Teardown\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: log.tmpAclSrcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'duration'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ source: log.msg
+ where: log.messageId==305012
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: log.messageId==305012
+ # Parsing protocol
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Teardown\s(dynamic|static)'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - 
fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==305012
+ # Parsing srcInterface
+ # With ACL
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}\('
+ - fieldName: log.accessList
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpAclSrcInterface
+ where: log.messageId==305012
+ # Without ACL
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}:'
+ source: log.tmpAclSrcInterface
+ where: log.messageId==305012
+ # Parsing srcInterface from himself to avoid parsing issues
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}\('
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.srcInterface
+ where: log.messageId==305012
+
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.accessList
+ where: log.messageId==305012
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ - log.tmpAclSrcInterface
+ where: log.messageId==305012
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: log.messageId==305012
+ - trim:
+ function: suffix
+ substring: '('
+ fields:
+ - log.srcInterface
+ where: log.messageId==305012
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: log.messageId==305012
+ #......................................................................#
+ # ASA-3-322001
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '{{.word}}\sMAC\saddress'
+ - fieldName: log.localMac
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.reason
+ pattern: '{{.data}}on'
+ - fieldName: log.irrelevant
+ pattern: 'interface'
+ - fieldName: log.srcInterface
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: log.messageId==322001
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant 
+ pattern: '{{.greedy}}' + source: action + where: log.messageId==322001 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.localMac + where: log.messageId==322001 + - trim: + function: suffix + substring: 'on' + fields: + - log.reason + where: log.messageId==322001 + #......................................................................# + # ASA-3-322002 + - grok: + patterns: + - fieldName: action + pattern: '{{.word}}\sinspection\scheck' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for\sarp' + - fieldName: log.httpMessageType + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'received\sfrom\shost' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.data}}\.' + - fieldName: log.irrelevant + pattern: '{{.data}}Address' + - fieldName: log.fakeSrcMac + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: 'IP\sAddress' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}Address' + - fieldName: log.boudSrcMac + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==322002 + # Protocol + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'inspection check' + source: action + where: log.messageId==322002 + # Cleaning fields + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: log.messageId==322002 + - trim: + function: suffix + substring: 'for' + fields: + - log.fakeSrcMac + where: log.messageId==322002 + - trim: + function: suffix + substring: '.' 
+ fields: + - log.srcInterface + where: log.messageId==322002 + #......................................................................# + # ASA-3-322003 + - grok: + patterns: + - fieldName: action + pattern: '{{.word}}\sinspection\scheck' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for\sarp' + - fieldName: log.httpMessageType + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'received\sfrom\shost' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.data}}\.' + - fieldName: log.irrelevant + pattern: '{{.data}}Address' + - fieldName: log.fakeSrcMac + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: 'IP\sAddress' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==322003 + # Protocol + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'inspection check' + source: action + where: log.messageId==322003 + # Cleaning fields + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: log.messageId==322003 + - trim: + function: suffix + substring: 'for' + fields: + - log.fakeSrcMac + where: log.messageId==322003 + - trim: + function: suffix + substring: '.' + fields: + - log.srcInterface + where: log.messageId==322003 + #......................................................................# + # ASA-4-400000 to 400050 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPS\:(\s)?' 
+ - fieldName: log.signatureId + pattern: '{{.integer}}' + - fieldName: action + pattern: '{{.data}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId>=400000 && log.messageId<=400050 + # Cleaning action before extract protocol + - trim: + function: suffix + substring: 'from' + fields: + - action + where: log.messageId>=400000 && log.messageId<=400050 + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: (log.messageId>=400000 && log.messageId<=400022) || (log.messageId>=400026 && log.messageId<=400040) + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==400023 || log.messageId==400024 || log.messageId==400041 + #......................................................................# + # ASA-4-402114 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' 
+ - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402114 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==402114 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: log.messageId==402114 + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + where: log.messageId==402114 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402114 + #......................................................................# + # ASA-4-402115 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' 
+ - fieldName: action + pattern: 'Received\sa\spacket' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'containing' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'data instead of' + - fieldName: log.expectedProtocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402115 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402115 + #......................................................................# + # ASA-4-402116 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' + - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.decapsulatedPktDestAddr + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.decapsulatedPktSrcAddr + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.decapsulatedPktProto + pattern: '{{.word}}' + - fieldName: log.irrelevant + 
pattern: '{{.data}}as' + - fieldName: log.localProxyIpAddr + pattern: '{{.data}}/' + - fieldName: log.localProxyIpMask + pattern: '{{.data}}/' + - fieldName: log.localProxyProto + pattern: '{{.data}}/' + - fieldName: log.localProxyPort + pattern: '{{.data}}and' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.remoteProxyIpAddr + pattern: '{{.data}}/' + - fieldName: log.remoteProxyIpMask + pattern: '{{.data}}/' + - fieldName: log.remoteProxyProto + pattern: '{{.data}}/' + - fieldName: log.remoteProxyPort + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402116 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==402116 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: log.messageId==402116 + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: log.messageId==402116 + - trim: + function: suffix + substring: '/' + fields: + - log.localProxyIpAddr + - log.localProxyIpMask + - log.localProxyProto + - log.remoteProxyIpAddr + - log.remoteProxyIpMask + - log.remoteProxyPort + - log.remoteProxyProto + where: log.messageId==402116 + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: log.messageId==402116 + - trim: + function: suffix + substring: 'and' + fields: + - log.localProxyPort + where: log.messageId==402116 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402116 + #......................................................................# + # ASA-4-402117 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' 
+ - fieldName: action + pattern: 'Received a non-IPsec \((\s)?{{.word}}(\s)?\) packet' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402117 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received a non-IPsec \(' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==402117 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402117 + #......................................................................# + # ASA-4-402118 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' + - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}length' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'with offset' + - fieldName: log.fragmentOffset + pattern: '{{.integer}}' + source: log.msg + where: log.messageId==402118 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + 
pattern: '{{.greedy}}' + source: action + where: log.messageId==402118 + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: log.messageId==402118 + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: log.messageId==402118 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402118 + #......................................................................# + # ASA-4-402119, 402120 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' + - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402119 || log.messageId==402120 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==402119 || log.messageId==402120 + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: log.messageId==402119 || log.messageId==402120 + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: log.messageId==402119 || log.messageId==402120 + # Adding action result + - add: + function: 'string' + params: 
+ key: actionResult + value: 'accepted' + where: log.messageId==402119 || log.messageId==402120 + #......................................................................# + # ASA-5-402128 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'CRYPTO\:(\s)?' + - fieldName: action + pattern: 'An attempt to allocate a large memory block' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: log.memorySize + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: log.memoryLimit + pattern: '{{.integer}}' + source: log.msg + where: log.messageId==402128 + #......................................................................# + # ASA-4-405001 + - grok: + patterns: + - fieldName: action + pattern: 'Received ARP (request|response) collision' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.data}}with' + - fieldName: log.irrelevant + pattern: 'existing ARP entry' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.mac + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==405001 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'ARP' + where: log.messageId==405001 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==405001 + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: log.messageId==405001 + - trim: + function: suffix + substring: 'with' + fields: + - log.srcInterface + where: log.messageId==405001 + #......................................................................# + # ASA-4-405002 + - grok: + patterns: + - fieldName: 
action + pattern: 'Received mac mismatch collision' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.mac + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==405002 + # Cleaning fields + - trim: + function: suffix + substring: 'for' + fields: + - origin.mac + where: log.messageId==405002 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + where: log.messageId==405002 + #......................................................................# + # ASA-4-406001 + - grok: + patterns: + - fieldName: action + pattern: 'FTP port command low port(\s)?\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==406001 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'FTP' + where: log.messageId==406001 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - action + where: log.messageId==406001 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + where: log.messageId==406001 + #......................................................................# + # ASA-4-406002 + - grok: + patterns: + - fieldName: action + pattern: 'FTP port command different address(\s)?\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.connectionIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.irrelevant + pattern: '(\s)?\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==406002 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'FTP' + where: log.messageId==406002 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - action + where: log.messageId==406002 + #......................................................................# + # ASA-4-407002 + - grok: + patterns: + - fieldName: action + pattern: 'Embryonic limit {{.data}} for through connections exceeded' + - fieldName: log.irrelevant + pattern: '{{.data}}\.' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.irrelevant + pattern: '\(' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '(\s)?\)(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==407002 + # Connection number and connection limit + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Embryonic limit' + - fieldName: log.numCons + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '/' + - fieldName: log.limit + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==407002 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==407002 + #......................................................................# + # ASA-6-603109 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown PPPOE Tunnel' + - fieldName: log.irrelevant + pattern: 'at' + - fieldName: log.srcInterface + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'tunnel-id(\s)?=(\s)?' + - fieldName: log.tunnelId + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'remote-peer(\s)?=(\s)?' 
+ - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==603109 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==603109 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.srcInterface + - log.tunnelId + where: log.messageId==603109 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==603109 + #......................................................................# + # ASA-6-605004 + - grok: + patterns: + - fieldName: action + pattern: 'Login\s{{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}\:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.service + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: 'user' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==605004 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Login' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + source: action + where: log.messageId==605004 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==605004 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==605004 + - trim: + function: suffix + substring: 'for' + fields: + - log.service + where: log.messageId==605004 + - trim: + function: suffix + substring: ':' + fields: + - log.dstInterface + where: log.messageId==605004 + 
- trim: + function: prefix + substring: '"' + fields: + - origin.user + where: log.messageId==605004 + - trim: + function: suffix + substring: '"' + fields: + - origin.user + where: log.messageId==605004 + #......................................................................# + # ASA-6-617100 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown {{.integer}} connection(\s)?(\(s\))?' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==617100 + # Connection number + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: log.numCons + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==617100 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==617100 + #......................................................................# + # ASA-2-106018 + - grok: + patterns: + - fieldName: action + pattern: 'ICMP packet' + - fieldName: log.irrelevant + pattern: 'type' + - fieldName: log.icmpType + pattern: '{{.data}}\s' + - fieldName: log.ciscoResult + pattern: 'denied' + - fieldName: log.irrelevant + pattern: 'by' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'list' + - fieldName: log.accessList + pattern: '{{.data}}src' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'dest' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106018 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'ICMP' + where: log.messageId==106018 + # Cleaning fields + - trim: + function: suffix + substring: 'src' + fields: + - log.accessList + where: log.messageId==106018 + # Adding action result + - add: + function: 'string' + params: + key: 
actionResult + value: 'denied' + where: log.messageId==106018 + #......................................................................# + # ASA-2-106020 + - grok: + patterns: + - fieldName: action + pattern: 'Deny IP teardrop fragment' + - fieldName: log.irrelevant + pattern: '\((\s)?size(\s)?=' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: ',(\s)?offset(\s)?=' + - fieldName: log.fragmentOffset + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)(\s)?from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106020 + # Adding log.ciscoResult + - add: + function: 'string' + params: + key: log.ciscoResult + value: 'Denied' + where: log.messageId==106020 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==106020 + #......................................................................# + # ASA-6-611301 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'NAT configured for Client Mode with no split tunneling' + - fieldName: log.irrelevant + pattern: '{{.data}}ress\:' + - fieldName: log.mappedIp + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==611301 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'NAT' + where: log.messageId==611301 + #......................................................................# + # ASA-6-611303 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'NAT configured for Client Mode with split tunneling' + - fieldName: log.irrelevant + pattern: '{{.data}}ress\:' + - fieldName: log.mappedIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 
'{{.data}}works\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskFrom + pattern: '{{.data}}\s' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskTo + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==611303 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'NAT' + where: log.messageId==611303 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==611303 + #......................................................................# + # ASA-6-611304 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'NAT exemption configured for Network Extension Mode with split tunneling' + - fieldName: log.irrelevant + pattern: '{{.data}}works\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskFrom + pattern: '{{.data}}\s' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskTo + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==611304 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'NAT' + where: log.messageId==611304 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==611304 + #......................................................................# + # ASA-6-611307 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:(\s)?Head end\:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611307 + # Adding action and log.ciscoResult + - add: + function: 'string' + params: + key: action + value: 'The VPN client is connected to the specified headend' + where: 
log.messageId==611307 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611307 + #......................................................................# + # ASA-6-611309 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'Disconnecting from head end and uninstalling previously downloaded policy' + - fieldName: log.irrelevant + pattern: '{{.data}}End\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611309 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611309 + #......................................................................# + # ASA-6-611310,611311 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'XAUTH' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '\:(\s)?Peer(\s)?\:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611310 || log.messageId==611311 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611310 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==611311 + #......................................................................# + # ASA-6-611314 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:(\s)?Load Balancing Cluster with Virtual IP\:(\s)?' 
+ - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}server' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611314 + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Load Balancing Cluster redirected the Secure Firewall' + where: log.messageId==611314 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611314 + #......................................................................# + # ASA-6-611315 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:(\s)?Disconnecting from Load Balancing Cluster member(\:)?(\s)?' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611315 + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Disconnecting from Load Balancing Cluster' + where: log.messageId==611315 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611315 + #......................................................................# + # ASA-6-611318 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'User Authentication Enabled' + - fieldName: log.irrelevant + pattern: '{{.data}}IP(\s)?\:' + - fieldName: log.authServerIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}Port(\s)?\:' + - fieldName: log.authServerPort + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}out(\s)?\:' + - fieldName: log.timeOut + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==611318 + #......................................................................# + # ASA-3-710003 + - grok: + patterns: + - fieldName: 
action + pattern: '(TCP|UDP) access denied by ACL' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==710003 + # Protocol and log.ciscoResult + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.word}}' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==710003 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==710003 + - trim: + function: suffix + substring: ':' + fields: + - log.dstInterface + where: log.messageId==710003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==710003 + #......................................................................# + # ASA-5-713252,713253 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?=' + - fieldName: origin.group + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'Username(\s)?=' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'IP(\s)?=' + - fieldName: origin.ip + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}available(\.)?' 
+ - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==713252 || log.messageId==713253 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==713252 || log.messageId==713253 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==713252 || log.messageId==713253 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==713252 || log.messageId==713253 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==713252 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==713253 + #......................................................................# + # ASA-6-716001,716002,716003 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' + - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' 
+ - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==716001 || log.messageId==716002 + #......................................................................# + # ASA-6-716004,716005,716006,716007,716009 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==716004 || log.messageId==716007 || log.messageId==716009 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==716006 + #......................................................................# + # ASA-6-716038 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' + - fieldName: action + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==716038 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==716038 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==716038 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: log.messageId==716038 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==716038 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==716038 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==716038 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==716038 + - trim: + function: suffix + substring: ',' + fields: + - action + where: log.messageId==716038 + #......................................................................# + # ASA-6-716039 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'group(\s)?=' + - fieldName: origin.group + pattern: '{{.data}}user' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==716039 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==716039 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - action + - origin.user + where: 
log.messageId==716039 + - trim: + function: suffix + substring: 'user' + fields: + - origin.group + where: log.messageId==716039 + #......................................................................# + # ASA-6-719017,719019,719020,719021,719022,719023 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'WebVPN user(\:)?' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==719017 || (log.messageId>=719019 && log.messageId<=719023) + # Adding log.ciscoResult and modifying some actions + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==719019 || log.messageId==719023 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==719020 || log.messageId==719022 + - add: + function: 'string' + params: + key: action + value: 'WebVPN user is not checked against ACL' + where: log.messageId==719021 + - add: + function: 'string' + params: + key: action + value: 'WebVPN user has been authenticated' + where: log.messageId==719022 + - add: + function: 'string' + params: + key: action + value: 'WebVPN user has not been authenticated' + where: log.messageId==719023 + # Cleaning fields + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==719017 || (log.messageId>=719019 && log.messageId<=719023) + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==719017 || (log.messageId>=719019 && log.messageId<=719023) + #......................................................................# + # ASA-6-719018 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'WebVPN user(\:)?' 
+ - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'ACL ID' + - fieldName: log.accessList + pattern: '{{.data}}not' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==719018 + # Cleaning fields + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==719018 + - trim: + function: suffix + substring: 'not' + fields: + - log.accessList + where: log.messageId==719018 + #......................................................................# + # ASA-6-719024 + - grok: + patterns: + - fieldName: action + pattern: 'Email Proxy piggyback auth fail' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.sessionPointer + pattern: '{{.data}}user' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.user + pattern: '{{.data}}addr' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==719024 + # Cleaning fields + - trim: + function: suffix + substring: 'user' + fields: + - log.sessionPointer + where: log.messageId==719024 + - trim: + function: suffix + substring: 'addr' + fields: + - origin.user + where: log.messageId==719024 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==719024 + #......................................................................# + # ASA-7-609002 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown local-host' + - fieldName: log.zoneName + pattern: '{{.data}}/' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==609002 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - 
log.zoneName + where: log.messageId==609002 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==609002 + #......................................................................# + # ASA-6-611305 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient(\s)?\:' + - fieldName: action + pattern: 'DHCP Policy installed' + - fieldName: log.irrelevant + pattern: '{{.data}}DNS(\s)?\:' + - fieldName: log.primaryDns + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}DNS(\s)?\:' + - fieldName: log.secondaryDns + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}WINS(\s)?\:' + - fieldName: log.primaryWins + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}WINS(\s)?\:' + - fieldName: log.secondaryWins + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611305 + #......................................................................# + # ASA-4-733100 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}exceeded' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.burstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxBurstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.avgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxAvgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.cumulativeTotalCount + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==733100 + # Cleaning cumulative total count + - grok: + patterns: + - fieldName: log.cumulativeTotalCount + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 
'{{.greedy}}' + source: log.cumulativeTotalCount + where: log.messageId==733100 + # Parsing drop source object + - grok: + patterns: + - fieldName: log.dropSourceObject + pattern: '{{.data}}drop' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==733100 + # Cleaning fields + - trim: + function: suffix + substring: 'drop' + fields: + - log.dropSourceObject + where: log.messageId==733100 + - trim: + function: suffix + substring: ']' + fields: + - log.dropSourceObject + where: log.messageId==733100 + - trim: + function: prefix + substring: '[' + fields: + - log.dropSourceObject + where: log.messageId==733100 + #......................................................................# + # ASA-4-733101 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}(targeted|attacking)' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.burstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxBurstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.avgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxAvgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.cumulativeTotalCount + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==733101 + # Cleaning cumulative total count + - grok: + patterns: + - fieldName: log.cumulativeTotalCount + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.cumulativeTotalCount + where: log.messageId==733101 + # Parsing drop source object + - grok: + patterns: + - fieldName: log.dropSourceObject + pattern: '{{.word}}' + - fieldName: log.tmpIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: 
log.messageId==733101 + # Renaming from or to ip, according to -> if (targeted|attacking) + - rename: + from: + - log.tmpIp + to: origin.ip + where: log.messageId==733101 && action.contains("attacking") + - rename: + from: + - log.tmpIp + to: target.ip + where: log.messageId==733101 && action.contains("targeted") + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==733101 + #......................................................................# + # ASA-4-733102, 733103 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.data}}host' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==733102 || log.messageId==733103 + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Threat-detection add host to shun list' + where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "add") + - add: + function: 'string' + params: + key: action + value: 'Threat-detection removes host to shun list' + where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "removes") + #......................................................................# + # Decoding severity + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.severity", ["1", "2", "3"]) + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: log.severity=="4" + - add: + function: 'string' + params: + key: severity + value: 'low' + where: oneOf("log.severity", ["5", "6", "7"]) + #......................................................................# + # Adding common geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + - dynamic: + plugin: 
com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + # Adding log.mappedIpFrom geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIpFrom + destination: log.mappedIpFrom.geolocation + where: exists("log.mappedIpFrom") + # Adding log.mappedIpTo geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIpTo + destination: log.mappedIpTo.geolocation + where: exists("log.mappedIpTo") + # Adding log.translatedIpFrom geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.translatedIpFrom + destination: log.translatedIpFrom.geolocation + where: exists("log.translatedIpFrom") + # Adding log.translatedIpTo geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.translatedIpTo + destination: log.translatedIpTo.geolocation + where: exists("log.translatedIpTo") + # Adding log.globalIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.globalIp + destination: log.globalIp.geolocation + where: exists("log.globalIp") + # Adding log.remoteIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.remoteIp + destination: log.remoteIp.geolocation + where: exists("log.remoteIp") + # Adding log.mappedIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIp + destination: log.mappedIp.geolocation + where: exists("log.mappedIp") + # Adding log.decapsulatedPktDestAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.decapsulatedPktDestAddr + destination: log.decapsulatedPktDestAddr.geolocation + where: exists("log.decapsulatedPktDestAddr") + # Adding log.decapsulatedPktSrcAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.decapsulatedPktSrcAddr + destination: log.decapsulatedPktSrcAddr.geolocation + where: 
exists("log.decapsulatedPktSrcAddr") + # Adding log.localProxyIpAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.localProxyIpAddr + destination: log.localProxyIpAddr.geolocation + where: exists("log.localProxyIpAddr") + # Adding log.remoteProxyIpAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.remoteProxyIpAddr + destination: log.remoteProxyIpAddr.geolocation + where: exists("log.remoteProxyIpAddr") + # Adding log.primaryDns geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.primaryDns + destination: log.primaryDns.geolocation + where: exists("log.primaryDns") + # Adding log.secondaryDns geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.secondaryDns + destination: log.secondaryDns.geolocation + where: exists("log.secondaryDns") + # Adding log.primaryWins geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.primaryWins + destination: log.primaryWins.geolocation + where: exists("log.primaryWins") + # Adding log.secondaryWins geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.secondaryWins + destination: log.secondaryWins.geolocation + where: exists("log.secondaryWins") + #......................................................................# + # Common field conversions + - cast: + fields: + - origin.port + - target.port + to: int + # Removing unused fields + - delete: + fields: + - log.asaHeader + - log.ciscoSeparator + - log.irrelevant + - log.syslogPri + - log.rest$$ + WHERE id=301; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209005_update_filter_cisco_firepower.xml b/backend/src/main/resources/config/liquibase/changelog/20260209005_update_filter_cisco_firepower.xml new file mode 100644 index 000000000..6cb812581 --- /dev/null 
+++ b/backend/src/main/resources/config/liquibase/changelog/20260209005_update_filter_cisco_firepower.xml 
@@ -0,0 +1,5160 @@ + + + + + + + Syslog +# +# 1. Parsing the message field containing the Cisco Firepower log +pipeline: + - dataTypes: + - firewall-cisco-firepower + steps: + # Common Firepower fields + - grok: + patterns: + - fieldName: log.syslogPri + pattern: '(\<{{.integer}}\>)' + - fieldName: log.ciscoTime + pattern: '{{.day}}\s{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.localIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.firePowerHeader + pattern: '{{.data}}FTD-' + - fieldName: log.severity + pattern: '{{.integer}}' + - fieldName: log.messageId + pattern: '-{{.integer}}' + - fieldName: log.ciscoSeparator + pattern: '\:{{.space}}' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + - grok: + patterns: + - fieldName: log.ciscoTime + pattern: '{{.day}}\s{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.localIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.firePowerHeader + pattern: '{{.data}}FTD-' + - fieldName: log.severity + pattern: '{{.integer}}' + - fieldName: log.messageId + pattern: '-{{.integer}}' + - fieldName: log.ciscoSeparator + pattern: '\:{{.space}}' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + #......................................................................# + # Adding log.localIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.localIp + destination: log.localIp.geolocation + where: exists("log.localIp") + # Removing unwanted prefixes + - trim: + function: prefix + substring: '-' + fields: + - log.messageId + # Field conversions + - cast: + fields: + - log.messageId + to: int + # Begining specific message parsing + #......................................................................# + # FTD-2-106001 + - grok: + patterns: + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - 
fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '/{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '/{{.integer}}' + - fieldName: log.irrelevant + pattern: 'flags' + - fieldName: log.flags + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 106001) + + - trim: + function: prefix + substring: '/' + fields: + - origin.port + - target.port + where: equals("log.messageId", 106001) + #......................................................................# + # FTD-2-106017 + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'IP\sdue\sto' + - fieldName: action + pattern: '{{.greedy}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + source: log.msg + where: equals("log.messageId", 106017) + - trim: + function: suffix + substring: 'from' + fields: + - action + where: equals("log.messageId", 106017) + #......................................................................# + # FTD-1-106021 + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: action + pattern: '{{.greedy}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 106021) + - trim: + function: suffix + substring: 'from' + 
fields: + - action + where: equals("log.messageId", 106021) + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 106021) + #......................................................................# + # FTD-2-106101 + - grok: + patterns: + - fieldName: action + pattern: 'Number of cached deny-flows for ACL log has reached limit' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 106101) + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Number of cached' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 106101) + # Parsing the limit number + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.numFlows + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.rest + where: equals("log.messageId", 106101) + # Field conversions + - cast: + fields: + - log.numFlows + to: int + where: equals("log.messageId", 106101) + #......................................................................# + # FTD-6-106102,FTD-4-106103 + # First variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'access-list' + - fieldName: log.accessList + pattern: '{{.data}}\s' + - fieldName: actionResult + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})\s' + - fieldName: log.srcInterface + pattern: '{{.data}}/' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.dstInterface + pattern: '{{.data}}/' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'hit-cnt' + - fieldName: 
log.hitCount
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'access-list'
+ - fieldName: log.accessList
+ pattern: '{{.data}}\s'
+ - fieldName: actionResult
+ pattern: '{{.word}}'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'for user'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})\s'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}/'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}})'
+ - fieldName: origin.port
+ pattern: '\({{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '-\>'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}/'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}})'
+ - fieldName: target.port
+ pattern: '\({{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: 'hit-cnt'
+ - fieldName: log.hitCount
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: prefix
+ substring: ''''
+ fields:
+ - origin.user
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: suffix
+ substring: ''''
+ fields:
+ - origin.user
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: prefix
+ substring: '('
+ fields:
+ - origin.port
+ - target.port
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - origin.port
+ - target.port
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && equalsIgnoreCase("actionResult", "Permitted")
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && !equalsIgnoreCase("actionResult", "Permitted")
+ #......................................................................#
+ # FTD-6-109101
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Received CoA disconnect request'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: 'for user'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}}),'
+ - fieldName: log.irrelevant
+ pattern: 'with\saudit-session-id:'
+ - fieldName: log.auditSessionId
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 109101)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Received CoA'
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 109101)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - origin.user
+ where: equals("log.messageId", 109101)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 109101)
+ #......................................................................#
+ # FTD-4-109102
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Received CoA {{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: ', but cannot find named session'
+ - fieldName: log.auditSessionId
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 109102)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Received CoA'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 109102)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 109102)
+ #......................................................................#
+ # FTD-3-109103
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'CoA {{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: 'failed for user'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}}),'
+ - fieldName: log.irrelevant
+ pattern: 'with session ID:'
+ - fieldName: log.auditSessionId
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 109103)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'CoA'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 109103)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - origin.user
+ where: equals("log.messageId", 109103)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 109103)
+ #......................................................................#
+ # FTD-109201 to 109213
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'UAUTH(:)? Session(\s|=)'
+ - fieldName: log.session
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'User(\s|=)'
+ - fieldName: origin.user
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'Assigned IP(\s|=)'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: ','
+ - fieldName: action
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: greaterOrEqual("log.messageId", 109201) && log.messageId<=109213
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.session
+ - origin.user
+ where: lgreaterOrEqual("log.messageId", 109201) && log.messageId<=109213
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: greaterOrEqual("log.messageId", 109201) && log.messageId<=109213
+ #......................................................................#
+ # FTD-6-113004
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA user {{.word}} Successful'
+ - fieldName: log.irrelevant
+ pattern: '\:'
+ - fieldName: log.irrelevant
+ pattern: 'server(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.data}}(\:|,)'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113004)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'AAA user {{.word}}'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113004)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - target.ip
+ where: equals("log.messageId", 113004)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - target.ip
+ where: equals("log.messageId", 113004)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113004)
+ #......................................................................#
+ # FTD-6-113005
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA user authentication Rejected(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?reason(\s)?=(\s)'
+ - fieldName: log.reason
+ pattern: '{{.data}}(\:|,)'
+ - fieldName: log.irrelevant
+ pattern: '(server|Server)(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.data}}(\:|,)'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.data}}(\:|,)'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)ser IP(\s)?=(\s)?'
+ - fieldName: origin.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113005)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'AAA user authentication'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113005)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.reason
+ - target.ip
+ - origin.user
+ where: equals("log.messageId", 113005)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113005)
+ #......................................................................#
+ # FTD-6-113008
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA transaction status ACCEPT(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?(u|U)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113008)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113008)
+ #......................................................................#
+ # FTD-6-113009
+ # First variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA retrieved default group policy'
+ - fieldName: log.policy
+ pattern: '\({{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: 'for (u|U)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113009)
+ - trim:
+ function: prefix
+ substring: '('
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113009)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113009)
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA retrieved default group policy'
+ - fieldName: log.policy
+ pattern: '{{.data}}\sfor'
+ - fieldName: log.irrelevant
+ pattern: '(u|U)ser(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113009)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113009)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113009)
+ #......................................................................#
+ # FTD-6-113010
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA challenge received for user'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}}) from server'
+ - fieldName: origin.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113010)
+ - trim:
+ function: suffix
+ substring: 'from server'
+ fields:
+ - origin.user
+ where: equals("log.messageId", 113010)
+ #......................................................................#
+ # FTD-6-113011
+ # First variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA retrieved user specific group policy'
+ - fieldName: log.policy
+ pattern: '\({{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: 'for (u|U)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113011)
+ - trim:
+ function: prefix
+ substring: '('
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113011)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113011)
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA retrieved user specific group policy'
+ - fieldName: log.policy
+ pattern: '{{.data}}\sfor'
+ - fieldName: log.irrelevant
+ pattern: '(u|U)ser(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113011)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113011)
+ #......................................................................#
+ # FTD-6-113012
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA user authentication Successful(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?local database(\s)?:(\s)?user(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113012)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'AAA user authentication'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113012)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113012)
+ #......................................................................#
+ # FTD-6-113013
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA unable to complete the request'
+ - fieldName: log.irrelevant
+ pattern: 'Error(\s)?:(\s)?reason(\s)?=(\s)?'
+ - fieldName: log.reason
+ pattern: '{{.data}}\:'
+ - fieldName: log.irrelevant
+ pattern: 'user(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113013)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.reason
+ where: equals("log.messageId", 113013)
+ #......................................................................#
+ # FTD-6-113014
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA authentication server not accessible(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?server(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113014)
+ #......................................................................#
+ # FTD-6-113015, 113017
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '(AAA user authentication|AAA credentials)\s(R|r)ejected(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?reason(\s)?=(\s)?'
+ - fieldName: log.reason
+ pattern: '{{.data}}(\s)?\:'
+ - fieldName: log.irrelevant
+ pattern: 'local database(\s)?:(\s)?(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})(\s)?:'
+ - fieldName: log.irrelevant
+ pattern: 'user IP(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.reason
+ - origin.user
+ where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '(AAA user authentication|AAA credentials)\s'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+ #......................................................................#
+ # FTD-6-113016
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA credentials rejected(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?reason(\s)?=(\s)?'
+ - fieldName: log.reason
+ pattern: '{{.data}}(\s)?\:'
+ - fieldName: log.irrelevant
+ pattern: 'server(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.data}}(\s)?\:'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})(\s)?:'
+ - fieldName: log.irrelevant
+ pattern: 'user IP(\s)?=(\s)?'
+ - fieldName: origin.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113016)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.reason
+ - target.ip
+ - origin.user
+ where: equals("log.messageId", 113016)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'AAA credentials'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113016)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113016)
+ #......................................................................#
+ # FTD-4-113019
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Group(\s)?=(\s)?'
+ - fieldName: origin.group
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)sername(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})(\s)?,'
+ - fieldName: log.irrelevant
+ pattern: 'IP(\s)?=(\s)?'
+ - fieldName: origin.ip
+ pattern: '{{.data}},'
+ - fieldName: action
+ pattern: '(\s)?Session disconnected\.'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Session Type:(\s)?'
+ - fieldName: log.sessionType
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Duration:(\s)?'
+ - fieldName: log.duration
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Bytes xmt:(\s)?'
+ - fieldName: origin.bytesSent
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Bytes rcv:(\s)?'
+ - fieldName: origin.bytesReceived
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Reason:(\s)?'
+ - fieldName: log.reason
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113019)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - origin.group
+ - origin.user
+ - origin.ip
+ - log.sessionType
+ - log.duration
+ - origin.bytesSent
+ - origin.bytesReceived
+ where: equals("log.messageId", 113019)
+ - cast:
+ fields:
+ - origin.bytesSent
+ - origin.bytesReceived
+ to: int
+ where: equals("log.messageId", 113019)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113019)
+ #......................................................................#
+ # FTD-113031,113032,113033
+ # Common fields
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Group(\s)?'
+ - fieldName: origin.group
+ pattern: '{{.data}}\sUser'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})(\s)?IP'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ - trim:
+ function: suffix
+ substring: 'User'
+ fields:
+ - origin.group
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ - trim:
+ function: suffix
+ substring: 'IP'
+ fields:
+ - origin.user
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ # Specific fields
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)'
+ - fieldName: log.filter
+ pattern: '{{.data}}\sis'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.rest
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.rest
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ - trim:
+ function: suffix
+ substring: 'is'
+ fields:
+ - log.filter
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ #......................................................................#
+ # FTD-113034,113035,113036,113038,113039
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Group(\s)?'
+ - fieldName: origin.group
+ pattern: '(\<)?{{.data}}(\>)?\sUser'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|(\<)?{{.data}}(\>)?)(\s)?IP'
+ - fieldName: origin.ip
+ pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: 'User'
+ fields:
+ - origin.group
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ - trim:
+ function: suffix
+ substring: 'IP'
+ fields:
+ - origin.user
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ - trim:
+ function: prefix
+ substring: '<'
+ fields:
+ - origin.group
+ - origin.user
+ - origin.ip
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ - trim:
+ function: suffix
+ substring: '>'
+ fields:
+ - origin.group
+ - origin.user
+ - origin.ip
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113039)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113035) || log.messageId==113038
+ #......................................................................#
+ # FTD-4-113042
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'CoA: Non-HTTP connection from'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'for user'
+ - fieldName: log.remoteUser
+ pattern: '(''{{.data}}''|{{.data}})(\s)?at'
+ - fieldName: log.remoteIp
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113042)
+ - trim:
+ function: suffix
+ substring: 'from'
+ fields:
+ - action
+ where: equals("log.messageId", 113042)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 113042)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 113042)
+ - trim:
+ function: suffix
+ substring: 'at'
+ fields:
+ - log.remoteUser
+ where: equals("log.messageId", 113042)
+ #......................................................................#
+ # FTD-2-201003
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Embryonic limit exceeded'
+ - fieldName: log.numCons
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '/(\s)?'
+ - fieldName: log.limit
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'for'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '/(\s)?'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.globalIp
+ pattern: '\({{.data}}\)'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '/(\s)?'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'on interface'
+ - fieldName: log.dstInterface
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 201003)
+ - trim:
+ function: prefix
+ substring: '('
+ fields:
+ - log.globalIp
+ where: equals("log.messageId", 201003)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.globalIp
+ where: equals("log.messageId", 201003)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 201003)
+ #......................................................................#
+ # FTD-4-209003
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Fragment database limit of'
+ - fieldName: log.limit
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'exceeded:(\s)?src(\s)?=(\s)?'
+ - fieldName: origin.ip
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'dest(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'proto(\s)?=(\s)?'
+ - fieldName: protocol
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'id(\s)?=(\s)?'
+ - fieldName: log.id
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 209003)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - origin.ip
+ - target.ip
+ - protocol
+ where: equals("log.messageId", 209003)
+ - cast:
+ fields:
+ - log.limit
+ to: int
+ where: equals("log.messageId", 209003)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 209003)
+ #......................................................................#
+ # FTD-3-316001
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Denied new tunnel'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 316001)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 316001)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 316001)
+ #......................................................................#
+ # FTD-3-316002
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'VPN Handle error'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?protocol='
+ - fieldName: protocol
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'src\s'
+ - fieldName: log.inIfNum
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: ',(\s)?dst'
+ - fieldName: log.outIfNum
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 316002)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - protocol
+ where: equals("log.messageId", 316002)
+ - cast:
+ fields:
+ - log.inIfNum
+ - log.outIfNum
+ to: int
+ where: equals("log.messageId", 316002)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 316002)
+ #......................................................................#
+ # FTD-6-302003,302004
+ # First variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)'
+ - fieldName: log.irrelevant
+ pattern: 'for'
+ - fieldName: log.foreignAddress
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.tmpToip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+ - fieldName: log.irrelevant
+ pattern: '(to\s)?'
+ - fieldName: log.localAddress
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.tmpFromip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+ source: log.msg
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)'
+ - fieldName: log.irrelevant
+ pattern: 'for'
+ - fieldName: log.foreignAddress
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.tmpToip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+ - fieldName: log.localAddress
+ pattern: '({{.ipv4}}|{{.ipv6}})'
+ - fieldName: log.tmpFromip
+ pattern: '({{.ipv4}}|{{.ipv6}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+ source: log.msg
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ # Parsing from/to ip and port
+ - grok:
+ patterns:
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: target.port
+ pattern: '{{.greedy}}'
+ source: log.tmpToip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ - grok:
+ patterns:
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ source: log.tmpToip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ - grok:
+ patterns:
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: origin.port
+ pattern: '{{.greedy}}'
+ source: log.tmpFromip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ - grok:
+ patterns:
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ source: log.tmpFromip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ - trim:
+ function: prefix
+ substring: '/'
+ fields:
+ - origin.port
+ - target.port
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ # Removing temp fields
+ - delete:
+ fields:
+ - log.tmpFromip
+ - log.tmpToip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ #......................................................................#
+ # FTD-6-302012
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Pre-allocate H225 Call Signalling Connection'
+ - fieldName: log.irrelevant
+ pattern: 'for faddr'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: origin.port
+ pattern: '/(\s)?{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'to laddr'
+ - fieldName: target.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 302012)
+ - trim:
+ function: prefix
+ substring: '/'
+ fields:
+ - origin.port
+ where: equals("log.messageId", 302012)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 302012)
+ #......................................................................#
+ # FTD-6-302013
+ - grok:
+ patterns:
+ - fieldName: log.tmpDirection
+ pattern: 'Built\s{{.word}}\s(Probe)?'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpFrom
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortFrom
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpTo
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 302013)
+ # Parsing direction field
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Built'
+ - fieldName: log.direction
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpDirection
+ where: equals("log.messageId", 302013)
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: equals("log.messageId", 302013)
+ # Parsing firewall user to, and AAA name of the user if exists
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: origin.user
+ pattern: '{{.data}}\)'
+ source: log.rest
+ where: equals("log.messageId", 302013)
+
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ source: log.rest
+ where: equals("log.messageId", 302013)
+
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ - origin.user
+ where: equals("log.messageId", 302013)
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpDirection
+ - log.tmpFwUserFrom
+ where: equals("log.messageId", 302013)
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 302013)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ - log.mappedIpFrom
+ - log.mappedIpTo
+ where: equals("log.messageId", 302013)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.connectionId
+ where: equals("log.messageId", 302013)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 302013)
+ #......................................................................#
+ # FTD-6-302014
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Teardown\s(Probe)?'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'connection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserTo
+ pattern: '({{.data}})?duration'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ - fieldName: log.irrelevant
+ pattern: 'bytes'
+ - fieldName: origin.bytesSent
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 302014)
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: equals("log.messageId", 302014)
+ # Parsing firewall user to
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserTo
+ where: equals("log.messageId", 302014)
+ # Parsing AAA user if exists
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}\('
+ - fieldName: origin.user
+ pattern: '{{.data}}\)'
+ source: log.rest
+ where: equals("log.messageId", 302014)
+
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ - origin.user
+ where: equals("log.messageId", 302014)
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ - log.tmpFwUserTo
+ where: equals("log.messageId", 302014)
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 302014)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 302014)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.connectionId
+ where: equals("log.messageId", 302014)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 302014)
+ #......................................................................#
+ # FTD-6-302015
+ - grok:
+ patterns:
+ - fieldName: log.tmpDirection
+ pattern: 'Built\s{{.word}}'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'connection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpFrom
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortFrom
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpTo
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 302015)
+ # Parsing direction field
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Built'
+ - fieldName: log.direction
+ pattern: '{{.greedy}}'
+
source: log.tmpDirection + where: equals("log.messageId", 302015) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302015) + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302015) + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302015) + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: equals("log.messageId", 302015) + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + where: equals("log.messageId", 302015) + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302015) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: equals("log.messageId", 302015) + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: equals("log.messageId", 302015) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302015) + #......................................................................# + # FTD-6-302016 + - grok: + patterns: + - fieldName: 
log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302016) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302016) + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: equals("log.messageId", 302016) + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + source: log.rest + where: equals("log.messageId", 302016) + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302016) + + - trim: + function: 
suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: equals("log.messageId", 302016) + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: equals("log.messageId", 302016) + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302016) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 302016) + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: equals("log.messageId", 302016) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302016) + #......................................................................# + # FTD-6-302017 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'GRE connection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.translatedIpFrom + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.realCid + pattern: '{{.data}}\(' + - fieldName: log.translatedIpTo + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302017) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant 
+ pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302017) + # Parsing translatedCid and, firewall user to and AAA user if present + - grok: + patterns: + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + - fieldName: log.tmpUserInfo + pattern: '{{.greedy}}' + source: log.rest + where: equals("log.messageId", 302017) + - grok: + patterns: + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302017) + # FW user and AAA user + - grok: + patterns: + - fieldName: log.tmpFwUserTo + pattern: '\({{.data}}\)' + - fieldName: target.user + pattern: '\({{.data}}\)' + source: log.tmpUserInfo + where: equals("log.messageId", 302017) + - grok: + patterns: + - fieldName: log.tmpFwUserTo + pattern: '\({{.data}}\)' + source: log.tmpUserInfo + where: equals("log.messageId", 302017) + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: equals("log.messageId", 302017) + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - target.user + - log.translatedCid + where: equals("log.messageId", 302017) + - trim: + function: suffix + substring: '(' + fields: + - log.realCid + - target.user + where: equals("log.messageId", 302017) + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + - log.tmpFwUserTo + - log.tmpUserInfo + where: equals("log.messageId", 302017) + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302017) + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - log.translatedIpTo + 
where: equals("log.messageId", 302017) + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: equals("log.messageId", 302017) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302017) + #......................................................................# + # FTD-6-302018 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown GRE connection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.translatedIpFrom + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.realCid + pattern: '{{.data}}\(' + - fieldName: log.translatedIpTo + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302018) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302018) + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + 
where: equals("log.messageId", 302018) + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + source: log.rest + where: equals("log.messageId", 302018) + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302018) + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + - log.translatedCid + where: equals("log.messageId", 302018) + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: equals("log.messageId", 302018) + # Cleaning fields + - trim: + function: suffix + substring: '(' + fields: + - log.realCid + where: equals("log.messageId", 302018) + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302018) + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - log.translatedIpTo + where: equals("log.messageId", 302018) + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: equals("log.messageId", 302018) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302018) + #......................................................................# + # FTD-6-302020, 302021 + # 302020 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for faddr' + - fieldName: log.tmpFaddrAndFwUser + pattern: '({{.data}})gaddr' + - fieldName: 
log.tmpGaddrAndFwUser + pattern: '({{.data}})laddr' + - fieldName: log.tmpLaddrAndFwUser + pattern: '({{.data}})type' + - fieldName: log.icmpType + pattern: '({{.data}})code' + - fieldName: log.icmpCode + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302020) + # 302021 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for faddr' + - fieldName: log.tmpFaddrAndFwUser + pattern: '({{.data}})gaddr' + - fieldName: log.tmpGaddrAndFwUser + pattern: '({{.data}})laddr' + - fieldName: log.tmpLaddrAndFwUser + pattern: '({{.data}})type' + - fieldName: log.icmpType + pattern: '({{.data}})code' + - fieldName: log.icmpCode + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302021) + # Common parsing for 302020 and 302021 + # For parsing faddr and fwuser from (Begin with ip/port), or icmpSeqNum + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '{{.greedy}}' + source: log.tmpFaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserFrom + pattern: '{{.greedy}}' + source: log.tmpFaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # icmpSeqNum variants + - grok: + patterns: + - fieldName: log.icmpSeqNum + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'gaddr' + source: log.tmpFaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: log.icmpSeqNum + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: 'gaddr' + source: 
log.tmpFaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Cleaning icmpSeqNum + - trim: + function: suffix + substring: 'gaddr' + fields: + - log.icmpSeqNum + where: equals("log.messageId", 302020) || log.messageId==302021 + # Continue with firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302020) || log.messageId==302021 + # For parsing gaddr and global fwuser (Begin with ip/port), or icmpType + - grok: + patterns: + - fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.globalPort + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: '{{.greedy}}' + source: log.tmpGaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserGlobal + pattern: '{{.greedy}}' + source: log.tmpGaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # icmpType variants + - grok: + patterns: + - fieldName: log.icmpType + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'laddr' + source: log.tmpGaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: log.icmpType + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: 'laddr' + source: log.tmpGaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Cleaning icmpType + - trim: + function: suffix + substring: 'laddr' + fields: + - log.icmpType + where: equals("log.messageId", 302020) || log.messageId==302021 + - trim: + function: suffix + substring: 'code' + fields: + - log.icmpType + 
where: equals("log.messageId", 302020) || log.messageId==302021 + # Continue with global firewall + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.globalFirewallUser + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserGlobal + where: equals("log.messageId", 302020) || log.messageId==302021 + # For parsing laddr and fwuser to (Begin with ip/port) + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.tmpLaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.tmpLaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Continue with firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: equals("log.messageId", 302020) || log.messageId==302021 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - origin.ip + where: equals("log.messageId", 302020) || log.messageId==302021 + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - log.globalFirewallUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + - log.tmpFwUserGlobal + - log.tmpFaddrAndFwUser + - log.tmpGaddrAndFwUser + - log.tmpLaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Adding action result + - add: + function: 'string' + params: + key: 
actionResult + value: 'accepted' + where: equals("log.messageId", 302020) || log.messageId==302021 + #......................................................................# + # FTD-6-302022, 302024, 302026 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.role + pattern: '({{.data}})stub' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpMappedIpPortFrom + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpMappedIpPortTo + pattern: '\({{.data}}\)' + source: log.msg + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Parsing mapped ip,port from tmp fields + # With port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortFrom + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Without port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortFrom + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Parsing mapped ip,port to, from tmp fields + # With port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + 
pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortTo + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Without port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortTo + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Cleaning fields + - trim: + function: suffix + substring: 'stub' + fields: + - log.role + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Removing tmp fields + - delete: + fields: + - log.tmpMappedIpPortFrom + - log.tmpMappedIpPortTo + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + #......................................................................# + # FTD-6-302023, 302025, 302027 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown stub' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + 
pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.reason + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027 + #......................................................................# + # FTD-302033,302034 + - grok: + patterns: + - fieldName: action + pattern: '(Pre-allocated|Unable to pre-allocate) H323 GUP Connection' + - fieldName: log.irrelevant + pattern: 'for faddr' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.tmpPortFrom + pattern: '{{.data}}to laddr' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: log.tmpIpPortTo + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302033) || log.messageId==302034 + # Parsing optional ports from y to + - grok: + patterns: + - fieldName: origin.port + pattern: '{{.integer}}' + - 
fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpPortFrom + where: equals("log.messageId", 302033) || log.messageId==302034 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.greedy}}' + source: log.tmpIpPortTo + where: equals("log.messageId", 302033) || log.messageId==302034 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' + source: log.tmpIpPortTo + where: equals("log.messageId", 302033) || log.messageId==302034 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302033) || log.messageId==302034 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 302033) || log.messageId==302034 + # Remove tmp fields + - delete: + fields: + - log.tmpPortFrom + - log.tmpIpPortTo + where: equals("log.messageId", 302033) || log.messageId==302034 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302033) + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 302034) + #......................................................................# + # FTD-6-302303 + - grok: + patterns: + - fieldName: action + pattern: 'Built\s{{.word}}\sstate-bypass\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - 
fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302303) + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 302303) + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302303) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: equals("log.messageId", 302303) + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: equals("log.messageId", 302303) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302303) + #......................................................................# + # FTD-6-302304 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown\s{{.word}}\sstate-bypass\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: 
target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ - fieldName: log.irrelevant
+ pattern: ','
+ - fieldName: origin.bytesSent
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: ','
+ - fieldName: log.reason
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 302304)
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Built'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 302304)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 302304)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 302304)
+ - trim:
+ function: suffix
+ substring: 'from'
+ fields:
+ - log.connectionId
+ where: equals("log.messageId", 302304)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 302304)
+ #......................................................................#
+ # FTD-6-305009
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Built (dynamic|static) translation'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: log.tmpAclSrcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: log.mappedIpTo
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 305009)
+ # Parsing srcInterface
+ # With ACL
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}\('
+ - fieldName: log.accessList
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpAclSrcInterface
+ where: equals("log.messageId", 305009)
+ # Without ACL
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}:'
+ source: log.tmpAclSrcInterface
+ where: equals("log.messageId", 305009)
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: equals("log.messageId", 305009)
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ - log.tmpAclSrcInterface
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.accessList
+ where: equals("log.messageId", 305009)
+ - trim:
+ function: suffix
+ substring: '('
+ fields:
+ - log.srcInterface
+ where: equals("log.messageId", 305009)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 305009)
+ #......................................................................#
+ # FTD-6-305010
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Teardown (dynamic|static) translation'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: 'duration'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ source: log.msg
+ where: equals("log.messageId", 305010)
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: equals("log.messageId", 305010)
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ where: equals("log.messageId", 305010)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 305010)
+ #......................................................................#
+ # FTD-6-305011
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Built\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ source: log.msg
+ where: equals("log.messageId", 305011)
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: equals("log.messageId", 305011)
+ # Parsing protocol
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Built\s(dynamic|static)'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 305011)
+
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ where: equals("log.messageId", 305011)
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ where: equals("log.messageId", 305011)
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 305011)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 305011)
+ #......................................................................#
+ # FTD-6-305012
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Teardown\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: log.tmpAclSrcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'duration'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ source: log.msg
+ where: equals("log.messageId", 305012)
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: equals("log.messageId", 305012)
+ # Parsing protocol
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Teardown\s(dynamic|static)'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 305012)
+ # Parsing srcInterface
+ # With ACL
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}\('
+ - fieldName: log.accessList
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpAclSrcInterface
+ where: equals("log.messageId", 305012)
+ # Without ACL
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}:'
+ source: log.tmpAclSrcInterface
+ where: equals("log.messageId", 305012)
+ # Parsing srcInterface from himself to avoid parsing issues
+ - grok:
+ patterns:
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}\('
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.srcInterface
+ where: equals("log.messageId", 305012)
+
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.accessList
+ where: equals("log.messageId", 305012)
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ - log.tmpAclSrcInterface
+ where: equals("log.messageId", 305012)
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 305012)
+ - trim:
+ function: suffix
+ substring: '('
+ fields:
+ - log.srcInterface
+ where: equals("log.messageId", 305012)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 305012)
+ #......................................................................#
+ # FTD-3-322001
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '{{.word}}\sMAC\saddress'
+ - fieldName: log.localMac
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.reason
+ pattern: '{{.data}}on'
+ - fieldName: log.irrelevant
+ pattern: 'interface'
+ - fieldName: log.srcInterface
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 322001)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 322001)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.localMac
+ where: equals("log.messageId", 322001)
+ - trim:
+ function: suffix
+ substring: 'on'
+ fields:
+ - log.reason
+ where: equals("log.messageId", 322001)
+ #......................................................................#
+ # FTD-3-322002
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '{{.word}}\sinspection\scheck'
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'for\sarp'
+ - fieldName: log.httpMessageType
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'received\sfrom\shost'
+ - fieldName: origin.mac
+ pattern: '{{.data}}on'
+ - fieldName: log.irrelevant
+ pattern: 'interface'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}\.'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}Address'
+ - fieldName: log.fakeSrcMac
+ pattern: '{{.data}}for'
+ - fieldName: log.irrelevant
+ pattern: 'IP\sAddress'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}Address'
+ - fieldName: log.boudSrcMac
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 322002)
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'inspection check'
+ source: action
+ where: equals("log.messageId", 322002)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: 'on'
+ fields:
+ - origin.mac
+ where: equals("log.messageId", 322002)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.fakeSrcMac
+ where: equals("log.messageId", 322002)
+ - trim:
+ function: suffix
+ substring: '.'
+ fields:
+ - log.srcInterface
+ where: equals("log.messageId", 322002)
+ #......................................................................#
+ # FTD-3-322003
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '{{.word}}\sinspection\scheck'
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'for\sarp'
+ - fieldName: log.httpMessageType
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'received\sfrom\shost'
+ - fieldName: origin.mac
+ pattern: '{{.data}}on'
+ - fieldName: log.irrelevant
+ pattern: 'interface'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}\.'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}Address'
+ - fieldName: log.fakeSrcMac
+ pattern: '{{.data}}for'
+ - fieldName: log.irrelevant
+ pattern: 'IP\sAddress'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 322003)
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'inspection check'
+ source: action
+ where: equals("log.messageId", 322003)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: 'on'
+ fields:
+ - origin.mac
+ where: equals("log.messageId", 322003)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.fakeSrcMac
+ where: equals("log.messageId", 322003)
+ - trim:
+ function: suffix
+ substring: '.'
+ fields:
+ - log.srcInterface
+ where: equals("log.messageId", 322003)
+ #......................................................................#
+ # FTD-4-402114
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'IPSEC\:(\s)?'
+ - fieldName: action
+ pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+ - fieldName: log.irrelevant
+ pattern: '\({{.data}}='
+ - fieldName: log.spi
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}='
+ - fieldName: log.seqNum
+ pattern: '{{.integer}}(\s)?\)'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 402114)
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Received\s(an|a)'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 402114)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.spi
+ where: equals("log.messageId", 402114)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.seqNum
+ where: equals("log.messageId", 402114)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 402114)
+ #......................................................................#
+ # FTD-4-402115
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'IPSEC\:(\s)?'
+ - fieldName: action
+ pattern: 'Received\sa\spacket'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: 'containing'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'data instead of'
+ - fieldName: log.expectedProtocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 402115)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 402115)
+ #......................................................................#
+ # FTD-4-402116
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'IPSEC\:(\s)?'
+ - fieldName: action
+ pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+ - fieldName: log.irrelevant
+ pattern: '\({{.data}}='
+ - fieldName: log.spi
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}='
+ - fieldName: log.seqNum
+ pattern: '{{.integer}}(\s)?\)'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: origin.user
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}as'
+ - fieldName: log.decapsulatedPktDestAddr
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}as'
+ - fieldName: log.decapsulatedPktSrcAddr
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}as'
+ - fieldName: log.decapsulatedPktProto
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}as'
+ - fieldName: log.localProxyIpAddr
+ pattern: '{{.data}}/'
+ - fieldName: log.localProxyIpMask
+ pattern: '{{.data}}/'
+ - fieldName: log.localProxyProto
+ pattern: '{{.data}}/'
+ - fieldName: log.localProxyPort
+ pattern: '{{.data}}and'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}as'
+ - fieldName: log.remoteProxyIpAddr
+ pattern: '{{.data}}/'
+ - fieldName: log.remoteProxyIpMask
+ pattern: '{{.data}}/'
+ - fieldName: log.remoteProxyProto
+ pattern: '{{.data}}/'
+ - fieldName: log.remoteProxyPort
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 402116)
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Received\s(an|a)'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 402116)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.spi
+ where: equals("log.messageId", 402116)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.seqNum
+ - origin.user
+ where: equals("log.messageId", 402116)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - log.localProxyIpAddr
+ - log.localProxyIpMask
+ - log.localProxyProto
+ - log.remoteProxyIpAddr
+ - log.remoteProxyIpMask
+ - log.remoteProxyPort
+ - log.remoteProxyProto
+ where: equals("log.messageId", 402116)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.seqNum
+ - origin.user
+ where: equals("log.messageId", 402116)
+ - trim:
+ function: suffix
+ substring: 'and'
+ fields:
+ - log.localProxyPort
+ where: equals("log.messageId", 402116)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 402116)
+ #......................................................................#
+ # FTD-4-402117
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'IPSEC\:(\s)?'
+ - fieldName: action
+ pattern: 'Received a non-IPsec \((\s)?{{.word}}(\s)?\) packet'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: target.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 402117)
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Received a non-IPsec \('
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 402117)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 402117)
+ #......................................................................#
+ # FTD-4-402118
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'IPSEC\:(\s)?'
+ - fieldName: action
+ pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+ - fieldName: log.irrelevant
+ pattern: '\({{.data}}='
+ - fieldName: log.spi
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}='
+ - fieldName: log.seqNum
+ pattern: '{{.integer}}(\s)?\)'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: origin.user
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}length'
+ - fieldName: origin.bytesSent
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'with offset'
+ - fieldName: log.fragmentOffset
+ pattern: '{{.integer}}'
+ source: log.msg
+ where: equals("log.messageId", 402118)
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Received\s(an|a)'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 402118)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.seqNum
+ - origin.user
+ where: equals("log.messageId", 402118)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.spi
+ where: equals("log.messageId", 402118)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 402118)
+ #......................................................................#
+ # FTD-4-402119, 402120
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'IPSEC\:(\s)?'
+ - fieldName: action
+ pattern: 'Received\s(an|a)\s{{.word}}\spacket'
+ - fieldName: log.irrelevant
+ pattern: '\({{.data}}='
+ - fieldName: log.spi
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}='
+ - fieldName: log.seqNum
+ pattern: '{{.integer}}(\s)?\)'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: origin.user
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 402119) || log.messageId==402120
+ # Protocol
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Received\s(an|a)'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 402119) || log.messageId==402120
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.seqNum
+ - origin.user
+ where: equals("log.messageId", 402119) || log.messageId==402120
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.spi
+ where: equals("log.messageId", 402119) || log.messageId==402120
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 402119) || log.messageId==402120
+ #......................................................................#
+ # FTD-5-402128
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'CRYPTO\:(\s)?'
+ - fieldName: action
+ pattern: 'An attempt to allocate a large memory block'
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}\:'
+ - fieldName: log.memorySize
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}\:'
+ - fieldName: log.memoryLimit
+ pattern: '{{.integer}}'
+ source: log.msg
+ where: equals("log.messageId", 402128)
+ #......................................................................#
+ # FTD-4-405001
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Received ARP (request|response) collision'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.mac
+ pattern: '{{.data}}on'
+ - fieldName: log.irrelevant
+ pattern: 'interface'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}with'
+ - fieldName: log.irrelevant
+ pattern: 'existing ARP entry'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.mac
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 405001)
+ # Adding protocol
+ - add:
+ function: 'string'
+ params:
+ key: protocol
+ value: 'ARP'
+ where: equals("log.messageId", 405001)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 405001)
+ - trim:
+ function: suffix
+ substring: 'on'
+ fields:
+ - origin.mac
+ where: equals("log.messageId", 405001)
+ - trim:
+ function: suffix
+ substring: 'with'
+ fields:
+ - log.srcInterface
+ where: equals("log.messageId", 405001)
+ #......................................................................#
+ # FTD-4-405002
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Received mac mismatch collision'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.mac
+ pattern: '{{.data}}for'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 405002)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - origin.mac
+ where: equals("log.messageId", 405002)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ where: equals("log.messageId", 405002)
+ #......................................................................#
+ # FTD-4-406001
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'FTP port command low port(\s)?\:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+ - fieldName: log.irrelevant
+ pattern: 'on interface'
+ - fieldName: log.srcInterface
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 406001)
+ # Adding protocol
+ - add:
+ function: 'string'
+ params:
+ key: protocol
+ value: 'FTP'
+ where: equals("log.messageId", 406001)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - action
+ where: equals("log.messageId", 406001)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ where: equals("log.messageId", 406001)
+ #......................................................................#
+ # FTD-4-406002
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'FTP port command different address(\s)?\:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.connectionIp
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?\)'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: 'on interface'
+ - fieldName: log.srcInterface
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 406002)
+ # Adding protocol
+ - add:
+ function: 'string'
+ params:
+ key: protocol
+ value: 'FTP'
+ where: equals("log.messageId", 406002)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - action
+ where: equals("log.messageId", 406002)
+ #......................................................................#
+ # FTD-4-407002
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Embryonic limit {{.data}} for through connections exceeded'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}\.'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: log.globalIp
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?\)(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'on interface'
+ - fieldName: log.srcInterface
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 407002)
+ # Connection number and connection limit
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Embryonic limit'
+ - fieldName: log.numCons
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '/'
+ - fieldName: log.limit
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 407002)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 407002)
+ #......................................................................#
+ # FTD-6-605004
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Login\s{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}\:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: log.service
+ pattern: '{{.data}}for'
+ - fieldName: log.irrelevant
+ pattern: 'user'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 605004)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Login'
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ source: action
+ where: equals("log.messageId", 605004)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 605004)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 605004)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.service
+ where: equals("log.messageId", 605004)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.dstInterface
+ where: equals("log.messageId", 605004)
+ - trim:
+ function: prefix
+ substring: '"'
+ fields:
+ - origin.user
+ where: equals("log.messageId", 605004)
+ - trim:
+ function: suffix
+ substring: '"'
+ fields:
+ - origin.user
+ where: equals("log.messageId", 605004)
+ #......................................................................#
+ # FTD-2-106018
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'ICMP packet'
+ - fieldName: log.irrelevant
+ pattern: 'type'
+ - fieldName: log.icmpType
+ pattern: '{{.data}}\s'
+ - fieldName: log.ciscoResult
+ pattern: 'denied'
+ - fieldName: log.irrelevant
+ pattern: 'by'
+ - fieldName: log.direction
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'list'
+ - fieldName: log.accessList
+ pattern: '{{.data}}src'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: 'dest'
+ - fieldName: target.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 106018)
+ # Adding protocol
+ - add:
+ function: 'string'
+ params:
+ key: protocol
+ value: 'ICMP'
+ where: equals("log.messageId", 106018)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: 'src'
+ fields:
+ - log.accessList
+ where: equals("log.messageId", 106018)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 106018)
+ #......................................................................#
+ # FTD-2-106020
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Deny IP teardrop fragment'
+ - fieldName: log.irrelevant
+ pattern: '\((\s)?size(\s)?='
+ - fieldName: origin.bytesSent
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: ',(\s)?offset(\s)?='
+ - fieldName: log.fragmentOffset
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)(\s)?from'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: target.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 106020)
+ # Adding log.ciscoResult
+ - add:
+ function: 'string'
+ params:
+ key: log.ciscoResult
+ value: 'Denied'
+ where: equals("log.messageId", 106020)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 106020)
+ #......................................................................#
+ # FTD-6-611301
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'VPNClient\:'
+ - fieldName: action
+ pattern: 'NAT configured for Client Mode with no split tunneling'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}ress\:'
+ - fieldName: log.mappedIp
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 611301)
+ # Adding protocol
+ - add:
+ function: 'string'
+ params:
+ key: protocol
+ value: 'NAT'
+ where: equals("log.messageId", 611301)
+ #......................................................................#
+ # FTD-6-611303
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'VPNClient\:'
+ - fieldName: action
+ pattern: 'NAT configured for Client Mode with split tunneling'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}ress\:'
+ - fieldName: log.mappedIp
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}works\:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: log.netmaskFrom
+ pattern: '{{.data}}\s'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: log.netmaskTo
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 611303)
+ # Adding protocol
+ - add:
+ function: 'string'
+ params:
+ key: protocol
+ value: 'NAT'
+ where: equals("log.messageId", 611303)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 611303)
+ #......................................................................#
+ # FTD-6-611304
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'VPNClient\:'
+ - fieldName: action
+ pattern: 'NAT exemption configured for Network Extension Mode with split tunneling'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}works\:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: log.netmaskFrom
+ pattern: '{{.data}}\s'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: log.netmaskTo
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 611304)
+ # Adding protocol
+ - add:
+ function: 'string'
+ params:
+ key: protocol
+ value: 'NAT'
+ where: equals("log.messageId", 611304)
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 611304)
+ #......................................................................#
+ # FTD-6-611307
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'VPNClient\:(\s)?Head end\:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ source: log.msg
+ where: equals("log.messageId", 611307)
+ # Adding action and log.ciscoResult
+ - add:
+ function: 'string'
+ params:
+ key: action
+ value: 'The VPN client is connected to the specified headend'
+ where: equals("log.messageId", 611307)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 611307)
+ #......................................................................#
+ # FTD-6-611309
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'VPNClient\:'
+ - fieldName: action
+ pattern: 'Disconnecting from head end and uninstalling previously downloaded policy'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}End\:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ source: log.msg
+ where: equals("log.messageId", 611309)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 611309)
+ #......................................................................#
+ # FTD-6-611310,611311
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'VPNClient\:'
+ - fieldName: action
+ pattern: 'XAUTH'
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?Peer(\s)?\:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ source: log.msg
+ where: equals("log.messageId", 611310) || log.messageId==611311
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 611310)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 611311)
+ #......................................................................#
+ # FTD-6-611314
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'VPNClient\:(\s)?Load Balancing Cluster with Virtual IP\:(\s)?'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}server'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ source: log.msg
+ where: equals("log.messageId", 611314)
+ # Adding action
+ - add:
+ function: 'string'
+ params:
+ key: action
+ value: 'Load Balancing Cluster redirected the Secure Firewall'
+ where: equals("log.messageId", 611314)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 611314)
+ #......................................................................#
+ # FTD-6-611315
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'VPNClient\:(\s)?Disconnecting from Load Balancing Cluster member(\:)?(\s)?'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ source: log.msg
+ where: equals("log.messageId", 611315)
+ # Adding action
+ - add:
+ function: 'string'
+ params:
+ key: action
+ value: 'Disconnecting from Load Balancing Cluster'
+ where: equals("log.messageId", 611315)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 611315)
+ #......................................................................#
+ # FTD-6-611318
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'VPNClient\:'
+ - fieldName: action
+ pattern: 'User Authentication Enabled'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}IP(\s)?\:'
+ - fieldName: log.authServerIp
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}Port(\s)?\:'
+ - fieldName: log.authServerPort
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}out(\s)?\:'
+ - fieldName: log.timeOut
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 611318)
+
#......................................................................# + # FTD-3-710003 + - grok: + patterns: + - fieldName: action + pattern: '(TCP|UDP) access denied by ACL' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 710003) + # Protocol and log.ciscoResult + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.word}}' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 710003) + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 710003) + - trim: + function: suffix + substring: ':' + fields: + - log.dstInterface + where: equals("log.messageId", 710003) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 710003) + #......................................................................# + # FTD-5-713252,713253 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?=' + - fieldName: origin.group + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'Username(\s)?=' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'IP(\s)?=' + - fieldName: origin.ip + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}available(\.)?' 
+ - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 713252) || equals("log.messageId", 713253) + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 713252) || equals("log.messageId", 713253) + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 713252) || equals("log.messageId", 713253) + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 713252) || equals("log.messageId", 713253) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 713252) + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 713253) + #......................................................................# + # FTD-6-716001,716002,716003 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' + - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' 
+ - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 716001) || log.messageId==716002 + #......................................................................# + # FTD-6-716004,716005,716006,716007,716009 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 716004) || log.messageId==716007 || log.messageId==716009 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 716006) + #......................................................................# + # FTD-6-716038 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' + - fieldName: action + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 716038) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 716038) + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: equals("log.messageId", 716038) + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: equals("log.messageId", 716038) + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 716038) + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 716038) + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716038) + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716038) + - trim: + function: suffix + substring: ',' + fields: + - action + where: equals("log.messageId", 716038) + #......................................................................# + # FTD-6-716039 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'group(\s)?=' + - fieldName: origin.group + pattern: '{{.data}}user' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 716039) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 716039) + # 
Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - action + - origin.user + where: equals("log.messageId", 716039) + - trim: + function: suffix + substring: 'user' + fields: + - origin.group + where: equals("log.messageId", 716039) + #......................................................................# + # FTD-6-719017,719019,719020,719021,719022,719023 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'WebVPN user(\:)?' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023) + # Adding log.ciscoResult and modifying some actions + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 719019) || log.messageId==719023 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 719020) || log.messageId==719022 + - add: + function: 'string' + params: + key: action + value: 'WebVPN user is not checked against ACL' + where: equals("log.messageId", 719021) + - add: + function: 'string' + params: + key: action + value: 'WebVPN user has been authenticated' + where: equals("log.messageId", 719022) + - add: + function: 'string' + params: + key: action + value: 'WebVPN user has not been authenticated' + where: equals("log.messageId", 719023) + # Cleaning fields + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023) + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023) + #......................................................................# + # FTD-6-719018 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'WebVPN 
user(\:)?' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'ACL ID' + - fieldName: log.accessList + pattern: '{{.data}}not' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 719018) + # Cleaning fields + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 719018) + - trim: + function: suffix + substring: 'not' + fields: + - log.accessList + where: equals("log.messageId", 719018) + #......................................................................# + # FTD-6-719024 + - grok: + patterns: + - fieldName: action + pattern: 'Email Proxy piggyback auth fail' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.sessionPointer + pattern: '{{.data}}user' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.user + pattern: '{{.data}}addr' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 719024) + # Cleaning fields + - trim: + function: suffix + substring: 'user' + fields: + - log.sessionPointer + where: equals("log.messageId", 719024) + - trim: + function: suffix + substring: 'addr' + fields: + - origin.user + where: equals("log.messageId", 719024) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 719024) + #......................................................................# + # FTD-7-609002 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown local-host' + - fieldName: log.zoneName + pattern: '{{.data}}/' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.greedy}}' + source: log.msg + where: 
equals("log.messageId", 609002) + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - log.zoneName + where: equals("log.messageId", 609002) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 609002) + #......................................................................# + # FTD-6-611305 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient(\s)?\:' + - fieldName: action + pattern: 'DHCP Policy installed' + - fieldName: log.irrelevant + pattern: '{{.data}}DNS(\s)?\:' + - fieldName: log.primaryDns + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}DNS(\s)?\:' + - fieldName: log.secondaryDns + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}WINS(\s)?\:' + - fieldName: log.primaryWins + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}WINS(\s)?\:' + - fieldName: log.secondaryWins + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: equals("log.messageId", 611305) + #......................................................................# + # FTD-4-733100 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}exceeded' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.burstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxBurstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.avgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxAvgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.cumulativeTotalCount + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 733100) + # Cleaning 
cumulative total count + - grok: + patterns: + - fieldName: log.cumulativeTotalCount + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.cumulativeTotalCount + where: equals("log.messageId", 733100) + # Parsing drop source object + - grok: + patterns: + - fieldName: log.dropSourceObject + pattern: '{{.data}}drop' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 733100) + # Cleaning fields + - trim: + function: suffix + substring: 'drop' + fields: + - log.dropSourceObject + where: equals("log.messageId", 733100) + - trim: + function: suffix + substring: ']' + fields: + - log.dropSourceObject + where: equals("log.messageId", 733100) + - trim: + function: prefix + substring: '[' + fields: + - log.dropSourceObject + where: equals("log.messageId", 733100) + #......................................................................# + # FTD-4-733101 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}(targeted|attacking)' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.burstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxBurstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.avgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxAvgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.cumulativeTotalCount + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 733101) + # Cleaning cumulative total count + - grok: + patterns: + - fieldName: log.cumulativeTotalCount + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.cumulativeTotalCount + where: equals("log.messageId", 733101) + # Parsing drop source object + - grok: + patterns: + - 
fieldName: log.dropSourceObject + pattern: '{{.word}}' + - fieldName: log.tmpIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 733101) + # Renaming from or to ip, according to -> if (targeted|attacking) + - rename: + from: + - log.tmpIp + to: origin.ip + where: equals("log.messageId", 733101) && action.contains("attacking") + - rename: + from: + - log.tmpIp + to: target.ip + where: equals("log.messageId", 733101) && action.contains("targeted") + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 733101) + #......................................................................# + # FTD-4-733102, 733103 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.data}}host' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 733102) || log.messageId==733103 + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Threat-detection add host to shun list' + where: (equals("log.messageId", 733102) || log.messageId==733103) && log.msg.contains("add") + - add: + function: 'string' + params: + key: action + value: 'Threat-detection removes host to shun list' + where: (equals("log.messageId", 733102) || log.messageId==733103) && log.msg.contains("removes") + #......................................................................# + # Decoding severity + - add: + function: 'string' + params: + key: severity + value: 'high' + where: log.severity=="1" || log.severity=="2" || log.severity=="3" + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: log.severity=="4" + - add: + function: 'string' + params: + key: severity + value: 'low' + where: log.severity=="5" || log.severity=="6" || log.severity=="7" + 
#......................................................................# + # Adding common geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + # Adding log.mappedIpFrom geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIpFrom + destination: log.mappedIpFrom.geolocation + where: exists("log.mappedIpFrom") + # Adding log.mappedIpTo geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIpTo + destination: log.mappedIpTo.geolocation + where: exists("log.mappedIpTo") + # Adding log.translatedIpFrom geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.translatedIpFrom + destination: log.translatedIpFrom.geolocation + where: exists("log.translatedIpFrom") + # Adding log.translatedIpTo geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.translatedIpTo + destination: log.translatedIpTo.geolocation + where: exists("log.translatedIpTo") + # Adding log.globalIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.globalIp + destination: log.globalIp.geolocation + where: exists("log.globalIp") + # Adding log.remoteIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.remoteIp + destination: log.remoteIp.geolocation + where: exists("log.remoteIp") + # Adding log.mappedIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIp + destination: log.mappedIp.geolocation + where: exists("log.mappedIp") + # Adding log.decapsulatedPktDestAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.decapsulatedPktDestAddr + destination: log.decapsulatedPktDestAddr.geolocation + where: 
exists("log.decapsulatedPktDestAddr") + # Adding log.decapsulatedPktSrcAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.decapsulatedPktSrcAddr + destination: log.decapsulatedPktSrcAddr.geolocation + where: exists("log.decapsulatedPktSrcAddr") + # Adding log.localProxyIpAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.localProxyIpAddr + destination: log.localProxyIpAddr.geolocation + where: exists("log.localProxyIpAddr") + # Adding log.remoteProxyIpAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.remoteProxyIpAddr + destination: log.remoteProxyIpAddr.geolocation + where: exists("log.remoteProxyIpAddr") + # Adding log.primaryDns geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.primaryDns + destination: log.primaryDns.geolocation + where: exists("log.primaryDns") + # Adding log.secondaryDns geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.secondaryDns + destination: log.secondaryDns.geolocation + where: exists("log.secondaryDns") + # Adding log.primaryWins geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.primaryWins + destination: log.primaryWins.geolocation + where: exists("log.primaryWins") + # Adding log.secondaryWins geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.secondaryWins + destination: log.secondaryWins.geolocation + where: exists("log.secondaryWins") + #......................................................................# + # Common field conversions + - cast: + fields: + - origin.port + - target.port + to: int + # Removing unused fields + - delete: + fields: + - log.firePowerHeader + - log.ciscoSeparator + - log.irrelevant + - log.syslogPri + - log.rest$$ + WHERE id=303; + ]]> + + + 
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209006_update_filter_cisco_switch.xml b/backend/src/main/resources/config/liquibase/changelog/20260209006_update_filter_cisco_switch.xml
new file mode 100644
index 000000000..cd3afe4d9
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260209006_update_filter_cisco_switch.xml
@@ -0,0 +1,180 @@
+
+
+
+
+
+
+ Syslog
+#
+# 1. Parsing the message field
+pipeline:
+ - dataTypes:
+ - cisco-switch
+ steps:
+ # Header fields
+ - grok:
+ patterns:
+ - fieldName: log.switchHeader
+ pattern: '{{.data}}%'
+ - fieldName: log.msg
+ pattern: '{{.greedy}}'
+ source: raw
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '(\<{{.integer}}\>)'
+ - fieldName: log.irrelevant
+ pattern: '{{.integer}}(\s)?\:'
+ - fieldName: log.ciscoTime
+ pattern: '{{.greedy}}'
+ source: log.switchHeader
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '(\<{{.integer}}\>)'
+ - fieldName: log.ciscoTime
+ pattern: '{{.monthName}}{{.greedy}}'
+ source: log.switchHeader
+ - grok:
+ patterns:
+ - fieldName: log.ciscoTime
+ pattern: '{{.monthName}}{{.greedy}}'
+ source: log.switchHeader
+ #......................................................................#
+ # Beginning message parsing
+ # Variant -> %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message-text
+ - grok:
+ patterns:
+ - fieldName: log.facility
+ pattern: '{{.data}}-'
+ - fieldName: log.severity
+ pattern: '{{.data}}{{.integer}}'
+ - fieldName: log.facilityMnemonic
+ pattern: '{{.data}}\:'
+ - fieldName: log.ciscoMsg
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: '(log.msg.contains("-MSG:SLOT") == false) && (log.msg.contains("-MSG: SLOT") == false)'
+ # Extracting subfacility if present
+ - grok:
+ patterns:
+ - fieldName: log.subFacility
+ pattern: '{{.greedy}}-'
+ - fieldName: log.severity
+ pattern: '{{.integer}}'
+ source: log.severity
+ where: '(log.msg.contains("-MSG:SLOT") == false) && (log.msg.contains("-MSG: SLOT") == false)'
+ # --------------------------
+ # Variant -> %CARD-SEVERITY-MSG:SLOT %FACILITY-SEVERITY-MNEMONIC: Message-text
+ - grok:
+ patterns:
+ - fieldName: log.card
+ pattern: '{{.data}}-'
+ - fieldName: log.irrelevant
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}\:'
+ - fieldName: log.slot
+ pattern: 'SLOT{{.integer}}'
+ - fieldName: log.tmpFacilityMnemonic
+ pattern: '{{.data}}\:'
+ - fieldName: log.ciscoMsg
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: 'log.msg.contains("-MSG:SLOT") || log.msg.contains("-MSG: SLOT")'
+
+ - trim:
+ function: prefix
+ substring: '%'
+ fields:
+ - log.tmpFacilityMnemonic
+ where: 'log.msg.contains("-MSG:SLOT") || log.msg.contains("-MSG: SLOT")'
+ # %FACILITY-SEVERITY-MNEMONIC
+ - grok:
+ patterns:
+ - fieldName: log.facility
+ pattern: '{{.data}}-'
+ - fieldName: log.severity
+ pattern: '{{.data}}{{.integer}}'
+ - fieldName: log.facilityMnemonic
+ pattern: '{{.data}}\:'
+ source: log.tmpFacilityMnemonic
+ where: 'log.msg.contains("-MSG:SLOT") || log.msg.contains("-MSG: SLOT")'
+ # Extracting subfacility if present
+ - grok:
+ patterns:
+ - fieldName: log.subFacility
+ pattern: '{{.greedy}}-'
+ - fieldName: log.severity
+ pattern: '{{.integer}}'
+ source: log.severity
+ where: 'log.msg.contains("-MSG:SLOT") || log.msg.contains("-MSG: SLOT")'
+
+ # Cleaning common fields
+ - trim:
+ function: suffix
+ substring: '-'
+ fields:
+ - log.facility
+ - log.subFacility
+ - log.card
+ - trim:
+ function: suffix
+ substring: '%'
+ fields:
+ - log.ciscoTime
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.facilityMnemonic
+ - log.ciscoTime
+ - trim:
+ function: prefix
+ substring: '-'
+ fields:
+ - log.facilityMnemonic
+ #......................................................................#
+ # Decoding severity
+ - add:
+ function: 'string'
+ params:
+ key: severity
+ value: 'high'
+ where: oneOf("log.severity", ["0", "1", "2", "3"])
+ - add:
+ function: 'string'
+ params:
+ key: severity
+ value: 'medium'
+ where: log.severity=="4"
+ - add:
+ function: 'string'
+ params:
+ key: severity
+ value: 'low'
+ where: oneOf("log.severity", ["5", "6", "7"])
+ #......................................................................#
+ # Removing unused fields
+ - delete:
+ fields:
+ - log.switchHeader
+ - log.irrelevant
+ - log.tmpFacilityMnemonic$$
+ WHERE id=1510;
+ ]]>
+
+
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209007_update_filter_deceptive_bytes.xml b/backend/src/main/resources/config/liquibase/changelog/20260209007_update_filter_deceptive_bytes.xml
new file mode 100644
index 000000000..79b8fc579
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260209007_update_filter_deceptive_bytes.xml
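Review bot: The severity decoding near the end of this hunk assigns `severity` only when `log.severity` is exactly one of "0"–"7", so an event whose header grok did not fire, or whose subfacility grok leaves `log.severity` holding something like `SUB-5`, is stored with no normalized severity and silently drops out of any severity-keyed rule or dashboard; a trailing `add` guarded by the negated form this file already uses for `contains`, e.g. `where: exists("severity") == false` (if the expression language accepts that), setting an explicit fallback value would make the gap visible rather than invisible. A consistency point in the same block: the middle branch reads `log.severity=="4"` while its neighbours use `oneOf(...)`, and `oneOf("log.severity", ["4"])` would keep the three branches uniform. The `UPDATE ... WHERE id=1510;` replaces the whole filter keyed on a numeric row id; the table and column names were lost in extraction so I cannot confirm what is available, but if that id is not fixed across installations the changeSet could overwrite a different filter, and matching on a stable name column or adding a precondition would be safer.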
@@ -0,0 +1,518 @@ + + + + + + + ' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.notDefined + pattern: '{{.integer}}' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: 
log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}\:' + - fieldName: log.userWithTrash + pattern: '{{.data}}CEF' + - fieldName: log.1trash + pattern: '\:{{.integer}}' + - fieldName: log.messageWithTrash + pattern: '{{.data}}{{.word}}\={{.data}}{{.space}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}\:' + - fieldName: log.userWithTrash + pattern: '{{.data}}CEF' + - fieldName: log.1trash + pattern: '\:{{.integer}}' + - fieldName: log.messageWithTrash + pattern: '{{.data}}{{.word}}\={{.data}}{{.space}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.user + pattern: '{{.greedy}}{{.space}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.userWithTrash + + - grok: + patterns: + - fieldName: log.message + pattern: '{{.greedy}}{{.space}}' + - fieldName: log.restMessageToKv + pattern: '{{.greedy}}' + source: log.messageWithTrash + + # Parsing the common fields + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.eventTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.restMessage + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.eventTime + pattern: '\[{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.hour}}\:{{.minute}}\:{{.seconds}}' + - fieldName: log.restMessage + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: 
+ - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.eventTime + pattern: '{{.monthDay}}-{{.monthNumber}}{{.space}}{{.hour}}\:{{.minute}}\:{{.seconds}}' + - fieldName: log.restMessage + pattern: '{{.greedy}}' + source: raw + + # Parse the restMessage field from the rest of the common fields + - grok: + patterns: + - fieldName: log.processId + pattern: '\,{{.integer}}' + - fieldName: log.trheadId + pattern: '\,\-' + - fieldName: log.eventType + pattern: '\,{{.integer}}' + - fieldName: log.eventSource + pattern: '\,{{.word}}' + - fieldName: log.processName + pattern: '\,{{.integer}}' + - fieldName: log.processPath + pattern: '\,{{.word}}' + - fieldName: log.platform + pattern: '\,{{.data}}\,' + - fieldName: origin.path + pattern: '{{.greedy}}\,' + - fieldName: command + pattern: '{{.greedy}}' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.processId + pattern: '\,{{.integer}}' + - fieldName: log.trheadId + pattern: '\,{{.data}}\,' + - fieldName: log.eventType + pattern: '{{.integer}}' + - fieldName: log.eventSource + pattern: '\,\-' + - fieldName: log.processName + pattern: '\,{{.word}}\.{{.word}}' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.processId + pattern: '\,{{.integer}}' + - fieldName: log.trheadId + pattern: '\,{{.data}}\,' + - fieldName: log.eventType + pattern: '{{.integer}}' + - fieldName: log.eventSource + pattern: '\,\-\,' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '{{.word}}\s' + - fieldName: log.trheadId + pattern: '{{.integer}}\,' + - fieldName: log.eventSource + pattern: '{{.integer}}\s' + - fieldName: log.component + pattern: '{{.word}}\,' + - fieldName: log.errorCode + pattern: '{{.integer}}\]' + - fieldName: log.restDataMessage + pattern: '{{.greedy}}' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '{{.word}}\s' + - fieldName: log.trheadId + pattern: 
'{{.integer}}\,' + - fieldName: log.eventSource + pattern: '{{.integer}}\s' + - fieldName: log.component + pattern: '{{.word}}\,' + - fieldName: log.errorCode + pattern: '{{.integer}}\]' + - fieldName: log.message + pattern: '{{.greedy}}' + source: log.restMessage + where: log.restMessage.contains("file") + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '{{.word}}\s' + - fieldName: log.trheadId + pattern: '{{.integer}}\,' + - fieldName: log.eventSource + pattern: '{{.integer}}\s' + - fieldName: log.component + pattern: '{{.word}}\,' + - fieldName: log.errorCode + pattern: '{{.integer}}\]\s' + - fieldName: origin.path + pattern: '(?:[A-Z]:\\(?:[^\\\n]+\\)*[^\\\n]*|\/(?:[^\/\n]+\/)*[^\/\n]*)' + source: log.restMessage + where: log.severityLabelCharacter.contains("V") + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '{{.word}}\s' + - fieldName: log.processId + pattern: '{{.integer}}\,' + - fieldName: log.trheadId + pattern: '{{.integer}}\s' + - fieldName: log.methodName + pattern: '\:\:{{.data}}\,' + - fieldName: log.returnCode + pattern: '{{.integer}}\]\s' + - fieldName: log.detailedMessage + pattern: '\({{.data}}\)' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '{{.word}}\s' + - fieldName: log.processId + pattern: '{{.integer}}\,' + - fieldName: log.trheadId + pattern: '{{.integer}}\s' + - fieldName: log.methodName + pattern: '{{.data}}\:\:{{.data}}\,' + - fieldName: log.returnCode + pattern: '{{.integer}}\]\s' + - fieldName: log.message + pattern: '{{.greedy}}' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '\[{{.data}}\]' + - fieldName: log.processId + pattern: '\[{{.integer}}\/' + - fieldName: log.trheadId + pattern: '{{.data}}\]:?\s' + - fieldName: log.message + pattern: '{{.greedy}}' + source: log.restMessage + + # Using kv for the rest of the trash in the message + - kv: + fieldSplit: " " + 
valueSplit: "=" + source: log.restMessageToKv + + # Using grok to analyze the rest of the data + - grok: + patterns: + - fieldName: log.productVendor + pattern: '\|{{.data}}\|' + - fieldName: log.product + pattern: '{{.data}}\|' + - fieldName: log.productVersion + pattern: '{{.data}}\|' + - fieldName: log.signatureID + pattern: '{{.data}}\|' + - fieldName: log.eventType + pattern: '{{.data}}\|' + - fieldName: log.severity + pattern: '{{.data}}\|' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.pidStatusToKv + pattern: '\[{{.data}}\]' + - fieldName: log.message + pattern: '{{.greedy}}' + source: log.restDataMessage + + - grok: + patterns: + - fieldName: log.0trash + pattern: '{{.data}}PID=' + - fieldName: log.pid + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: raw + where: log.severityLabelCharacter.contains("W") + + # Removing unnecessary characters + - trim: + function: prefix + substring: '|' + fields: + - log.productVendor + + - trim: + function: suffix + substring: '|' + fields: + - log.productVendor + - log.product + - log.productVersion + - log.signatureID + - log.eventType + - log.severity + + - trim: + function: suffix + substring: ':' + fields: + - log.trheadId + + - trim: + function: suffix + substring: '/' + fields: + - log.processId + + - trim: + function: prefix + substring: '<' + fields: + - log.syslogPriority + + - trim: + function: suffix + substring: '>' + fields: + - log.syslogPriority + + - trim: + function: prefix + substring: ',' + fields: + - log.trheadId + - log.processId + - log.eventType + - log.eventSource + - log.processName + - log.processPath + - log.platform + - origin.path + + - trim: + function: suffix + substring: ',' + fields: + - log.trheadId + - log.component + - log.platform + - origin.path + - log.eventSource + - log.processId + - log.methodName + + - trim: + function: prefix + substring: '"' + fields: + - command 
+ + - trim: + function: suffix + substring: '"' + fields: + - command + + - trim: + function: prefix + substring: '[' + fields: + - log.eventTime + - log.processId + - log.severityLabelCharacter + + - trim: + function: suffix + substring: ']' + fields: + - log.status + - log.errorCode + - log.returnCode + - log.severityLabelCharacter + - log.trheadId + + # Using the kv filter with default config, usefull in key-value logs + - kv: + fieldSplit: " " + valueSplit: "=" + source: log.restData + + # Using the kv filter with other config, usefull in key-value logs + - kv: + fieldSplit: ", " + valueSplit: "=" + source: log.pidStatusToKv + + # Adding severity based on log.severityLabelCharacter + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.severityLabelCharacter", ["C", "A", "E"]) + + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: equals("log.severityLabelCharacter", "W") + + - add: + function: 'string' + params: + key: severity + value: 'low' + where: oneOf("log.severityLabelCharacter", ["D", "V", "N", "I", "T"]) + + # Removing unused fields + - delete: + fields: + - log.0trash + - log.1trash + - log.restData + - log.restMessage + - log.restDataMessage + - log.irrelevant + - log.messageWithTrash + - log.restMessageToKv + - log.pidStatusToKv + - log.userWithTrash + - log.severityLabelCharacter$$ + WHERE id=1512; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209008_update_filter_elasticsearch.xml b/backend/src/main/resources/config/liquibase/changelog/20260209008_update_filter_elasticsearch.xml new file mode 100644 index 000000000..7d3d19580 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209008_update_filter_elasticsearch.xml 
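Review bot: The three `kv` steps in this filter (over `log.restMessageToKv`, `log.restData` and `log.pidStatusToKv`) split every `key=value` token out of the vendor-supplied message with no target prefix and no key allow-list, so the set of fields written is dictated by whatever appears in the log line. If the engine's default is to write those keys at the event root — the hunk does not say — a message containing e.g. `severity=low` or `origin.ip=...` would land in normalized fields, and any unusual token adds an unbounded key to the index mapping; I would nest the output under a dedicated prefix if the step supports a destination, or at minimum record the assumption with `# kv output is unscoped: keys come straight from the log line`. Separately, `log.trheadId` (a typo of threadId) is written by every grok pattern and trimmed in four places; if that name is already indexed by the previous version of this filter keep it for compatibility, otherwise rename it before it spreads into rules and dashboards.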
@@ -0,0 +1,442 @@ + + + + + + + fileset: datatype +# server: plain text, json +# audit: plain text, json +# 1. Parsing the json from beats +# 2. Parsing the message field containing the elasticsearch log +pipeline: + - dataTypes: + - elasticsearch + steps: + - json: + source: raw + - rename: + from: + - log.url + to: origin.url + - rename: + from: + - log.log.file.path + to: origin.file + - rename: + from: + - log.host.ip + to: log.local.ips + - rename: + from: + - log.host.mac + to: log.local.macs + - rename: + from: + - log.host.hostname + to: origin.host + - rename: + from: + - log.event.dataset + to: log.eventDataset + - rename: + from: + - log.agent.version + to: log.agentVersion + - rename: + from: + - log.host.os.kernel + to: log.osVersion + - rename: + from: + - log.host.os.type + to: log.osType + - rename: + from: + - log.host.architecture + to: log.cpuArchitecture + - cast: + to: '[]string' + fields: + - log.local.ips + - cast: + to: '[]string' + fields: + - log.local.macs + - grok: + patterns: + - fieldName: deviceTime + pattern: '\[{{.data}}\]' + - fieldName: log.level + pattern: '\[{{.data}}\]' + - fieldName: log.component + pattern: '\[{{.data}}\]' + - fieldName: log.nodeName + pattern: '\[{{.data}}\]' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.message + - trim: + function: prefix + substring: '[' + fields: + - deviceTime + - log.level + - log.component + - log.nodeName + where: exists("log.msg") + - trim: + function: suffix + substring: ']' + fields: + - deviceTime + - log.level + - log.component + - log.nodeName + where: exists("log.msg") + - reformat: + fields: + - deviceTime + function: time + fromFormat: '2022-01-20T22:52:07,431' + toFormat: '2024-09-23T15:57:40.338364445Z' + where: exists("deviceTime") + # Begin parsing when message comes in json format + - json: + source: log.message + where: exists("log.msg") + # Performing json step over the remaining message field (Cases when log.message has a message field inside) + - 
json: + source: log.message + where: exists("log.message") + # Rename audit fields from json + - rename: + from: + - log.audit_format_version + to: log.auditFormatVersion + where: exists("log.audit_format_version") + - rename: + from: + - log.audit_category + to: action + where: exists("log.audit_category") + - rename: + from: + - log.audit_node_host_address + to: log.auditNodeHostAddress + where: exists("log.audit_node_host_address") + - rename: + from: + - log.audit_node_host_name + to: log.auditNodeHostName + where: exists("log.audit_node_host_name") + - rename: + from: + - log.audit_request_layer + to: log.auditRequestLayer + where: exists("log.audit_request_layer") + - rename: + from: + - log.audit_request_origin + to: log.auditRequestOrigin + where: exists("log.audit_request_origin") + - rename: + from: + - log.audit_request_effective_user_is_admin + to: log.auditRequestEffectiveUserIsAdmin + where: exists("log.audit_request_effective_user_is_admin") + - rename: + from: + - log.audit_request_effective_user + to: log.auditRequestEffectiveUser + where: exists("log.audit_request_effective_user") + - rename: + from: + - log.audit_rest_request_path + to: log.auditRestRequestPath + where: exists("log.audit_rest_request_path") + - rename: + from: + - log.audit_rest_request_params + to: log.auditRestRequestParams + where: exists("log.audit_rest_request_params") + - rename: + from: + - log.audit_rest_request_headers + to: log.auditRestRequestHeaders + where: exists("log.audit_rest_request_headers") + - rename: + from: + - log.audit_request_initiating_user + to: log.auditRequestInitiatingUser + where: exists("log.audit_request_initiating_user") + - rename: + from: + - log.audit_request_body + to: log.auditRequestBody + where: exists("log.audit_request_body") + - rename: + from: + - log.audit_rest_request_method + to: log.auditRestRequestMethod + where: exists("log.audit_rest_request_method") + - rename: + from: + - log.audit_request_exception_stacktrace + to: 
log.auditRequestExceptionStacktrace + where: exists("log.audit_request_exception_stacktrace") + - rename: + from: + - log.audit_trace_task_id + to: log.auditTraceTaskId + where: exists("log.audit_trace_task_id") + - rename: + from: + - log.audit_transport_headers + to: log.auditTransportHeaders + where: exists("log.audit_transport_headers") + - rename: + from: + - log.audit_transport_request_type + to: log.auditTransportRequestType + where: exists("log.audit_transport_request_type") + - rename: + from: + - log.audit_trace_indices + to: log.auditTraceIndices + where: exists("log.audit_trace_indices") + - rename: + from: + - log.audit_trace_resolved_indices + to: log.auditTraceResolvedIndices + where: exists("log.audit_trace_resolved_indices") + - rename: + from: + - log.audit_trace_doc_types + to: log.auditTraceDocTypes + where: exists("log.audit_trace_doc_types") + - rename: + from: + - log.audit_trace_task_parent_id + to: log.auditTraceTaskParentId + where: exists("log.audit_trace_task_parent_id") + - rename: + from: + - log.audit_request_privilege + to: log.auditRequestPrivilege + where: exists("log.audit_request_privilege") + - rename: + from: + - log.audit_compliance_operation + to: log.auditComplianceOperation + where: exists("log.audit_compliance_operation") + - rename: + from: + - log.node.id + - log.audit_node_id + to: log.nodeId + where: exists("log.node.id") || exists("log.audit_node_id") + - rename: + from: + - log.node.name + - log.audit_node_name + to: log.nodeName + where: exists("log.node.name") || exists("log.node.name") + - rename: + from: + - log.cluster.name + - log.audit_cluster_name + to: log.clusterName + where: exists("log.cluster.name") || exists("log.audit_cluster_name") + - rename: + from: + - log.cluster.uuid + to: log.clusterUuid + where: exists("log.cluster.uuid") + # Adding fields from elastic audit json file + - rename: + from: + - log.event.type + to: log.eventType + where: exists("log.event.type") + - rename: + from: + - 
log.event.action + to: action + where: exists("log.event.action") + - rename: + from: + - log.request.id + to: log.requestId + where: exists("log.request.id") + # Extracting ip and port from address + - grok: + patterns: + - fieldName: log.origin.address + pattern: '(.*)\:' + - fieldName: origin.port + pattern: '{{.greedy}}' + source: log.origin.address + where: exists("log.origin.address") + # Cleaning ip address if has port + - trim: + function: suffix + substring: ':' + fields: + - log.origin.address + where: exists("log.origin.address") + - rename: + from: + - log.origin.address + to: origin.ip + where: exists("log.origin.address") + # Adding geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + # Port field conversion + - cast: + fields: + - origin.port + to: int + where: exists("origin.port") + - rename: + from: + - log.origin.type + to: log.originType + where: exists("log.origin.type") + - rename: + from: + - log.url.path + to: origin.url + where: exists("log.url.path") + - rename: + from: + - log.url.query + to: log.urlQuery + where: exists("log.url.query") + - rename: + from: + - log.request.method + to: log.method + where: exists("log.request.method") + - rename: + from: + - log.transport_profile + to: log.transportProfile + where: exists("log.transport_profile") + - rename: + from: + - log.user.name + to: origin.user + where: exists("log.user.name") + - rename: + from: + - log.user.realm + to: log.userRealm + where: exists("log.user.realm") + - rename: + from: + - log.user.run_by.name + to: log.userRunByName + where: exists("log.user.run_by.name") + - rename: + from: + - log.authentication.type + to: log.authenticationType + where: exists("log.authentication.type") + - rename: + from: + - log.apikey.name + to: log.apikeyName + where: exists("log.apikey.name") + - rename: + from: + - log.user.roles + to: log.userRoles + where: exists("log.user.roles") + - 
rename: + from: + - log.user.run_as.name + to: log.userRunAsName + where: exists("log.user.run_as.name") + - rename: + from: + - log.user.run_as.name + to: log.userRunAsName + where: exists("log.user.run_as.name") + # Casting new fields after json parsing + - cast: + to: '[]string' + fields: + - log.auditTraceIndices + - log.auditTraceResolvedIndices + - log.indices + - log.userRoles + # Adding severity based on log.level + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.level", ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"]) + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: oneOf("log.level", ["WARN", "Warning"]) + - add: + function: 'string' + params: + key: severity + value: 'low' + where: oneOf("log.level", ["Information", "Informational", "INFO", "DEBUG", "TRACE"]) + + # Removing unused fields + - delete: + fields: + - log.service + - log.metadata + - log.agent + - log.host + - log.event + - log.ecs + - log.log + - log.fileset + - log.cluster + - log.node + - log.opaque_id + - log.trace_id + - log.x_forwarded_for + - log.request + - log.url + - log.user + - log.apikey + - log.authentication + - log.origin + + # Droping unwanted logs + - drop: + where: exists("log.eventDataset") && exists("log.component") && ( (!equals("log.eventDataset", "elasticsearch.server") && !equals("log.eventDataset", "elasticsearch.audit")) || (equals("log.eventDataset", "elasticsearch.server") && (!equalsIgnoreCase("log.component", "audit") && !equalsIgnoreCase("log.component", "ssl") && !equalsIgnoreCase("log.component", "security") ) ) )$$ + WHERE id=1410; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209009_update_filter_google.xml b/backend/src/main/resources/config/liquibase/changelog/20260209009_update_filter_google.xml new file mode 100644 index 000000000..b66bf7a7b --- /dev/null 
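Review bot: The `log.nodeName` rename's guard checks the same field twice, `where: exists("log.node.name") || exists("log.node.name")`, so an audit event that only carries `log.audit_node_name` is never normalized and keeps the raw key; it should read `where: exists("log.node.name") || exists("log.audit_node_name")`, matching the sibling `log.nodeId` and `log.clusterName` renames. The `log.user.run_as.name` to `log.userRunAsName` rename is also emitted twice back to back; the second copy is dead and can be dropped. Note that the severity `add` steps key off `log.level` only, so audit-format events (which this filter clearly expects, given the `audit_*` renames) may end up with no `severity` at all — I cannot tell from the hunk whether that is intended, and a one-line comment either way would help.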
+++ b/backend/src/main/resources/config/liquibase/changelog/20260209009_update_filter_google.xml @@ -0,0 +1,430 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209010_update_filter_iis.xml b/backend/src/main/resources/config/liquibase/changelog/20260209010_update_filter_iis.xml new file mode 100644 index 000000000..796c9da71 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209010_update_filter_iis.xml @@ -0,0 +1,205 @@ + + + + + + + + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209011_update_filter_kafka.xml b/backend/src/main/resources/config/liquibase/changelog/20260209011_update_filter_kafka.xml new file mode 100644 index 000000000..6121b8c0f --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209011_update_filter_kafka.xml 
@@ -0,0 +1,192 @@ + + + + + + + fileset: datatype +# log: plain text +# +# Compatible any of Kafka logs +# like: Server, Controller, Log-cleaner and so on +# +# Documentations +# 1- https://kafka.apache.org/documentation/ +# 2- https://www.elastic.co/guide/en/beats/filebeat/7.13/exported-fields-kafka.html +# +# Implementation +# 1. Parsing the json from beats +# 2. Parsing the message field containing the apache log +pipeline: + - dataTypes: + - kafka + steps: + - json: + source: raw + + # Parse beats field + - rename: + from: + - log.url + to: origin.url + + - rename: + from: + - log.log.file.path + to: origin.file + + - rename: + from: + - log.host.ip + to: log.origin.ips + + - rename: + from: + - log.host.mac + to: log.origin.macs + + - rename: + from: + - log.host.hostname + to: origin.host + + - rename: + from: + - log.event.dataset + to: action + + - rename: + from: + - log.agent.version + to: log.agentVersion + + - rename: + from: + - log.host.os.kernel + to: log.osVersion + + - rename: + from: + - log.host.os.type + to: log.osType + + - rename: + from: + - log.host.architecture + to: log.cpuArchitecture + + # Fields conversions + - cast: + to: '[]string' + fields: + - log.origin.ips + - cast: + to: '[]string' + fields: + - log.origin.macs + + #Parse message field in plain text format + # Logs Kafka parsing + - grok: + patterns: + - fieldName: log.deviceTime + pattern: '\[{{.data}}\]' + - fieldName: log.severity + pattern: '{{.word}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: log.message + + # Logs Server Kafka parsing + - grok: + patterns: + - fieldName: log.msg + pattern: '{{.greedy}}{{.space}}' + - fieldName: log.class + pattern: '\({{.greedy}}\)' + source: log.restData + + # Logs Controller Kafka parsing + - grok: + patterns: + - fieldName: log.component + pattern: '\[{{.data}}\](\:|\,)?' 
+ - fieldName: log.msg + pattern: '{{.greedy}}{{.space}}' + - fieldName: log.class + pattern: '\({{.greedy}}\)' + source: log.restData + + # Removing unused caracters + - trim: + function: prefix + substring: '[' + fields: + - log.deviceTime + - log.component + - trim: + function: suffix + substring: ']' + fields: + - log.deviceTime + - log.component + - trim: + function: prefix + substring: '(' + fields: + - log.class + - trim: + function: suffix + substring: ')' + fields: + - log.class + + # Adding severity field based on log.severity + - add: + function: 'string' + params: + key: severity + value: 'low' + where: oneOf("log.severity", ["INFO", "TRACE", "DEBUG"]) + + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: oneOf("log.severity", ["WARNING", "WARN"]) + + - add: + function: 'string' + params: + key: severity + value: 'high' + where: equals("log.severity", "ERROR") + + # Removing unused fields + - delete: + fields: + - log.service + - log.metadata + - log.log.offset + - log.agent + - log.host + - log.event + - log.ecs + - log.log.file + - log.log + - log.restData$$ + WHERE id=1409; + ]]> + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209012_update_filter_kibana.xml b/backend/src/main/resources/config/liquibase/changelog/20260209012_update_filter_kibana.xml new file mode 100644 index 000000000..bba81363b --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209012_update_filter_kibana.xml @@ -0,0 +1,200 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209013_update_filter_logstash.xml b/backend/src/main/resources/config/liquibase/changelog/20260209013_update_filter_logstash.xml new file mode 100644 index 000000000..e9db023be --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209013_update_filter_logstash.xml 
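Review bot: The severity mapping only treats `ERROR` as high (`where: equals("log.severity", "ERROR")`), so a Kafka `FATAL` line gets no `severity` at all, while the elasticsearch and logstash filters in this same change map `FATAL`/`CRITICAL` to high; `where: oneOf("log.severity", ["ERROR", "FATAL"])` keeps the three consistent. This filter also renames `log.host.ip`/`log.host.mac` to `log.origin.ips`/`log.origin.macs`, whereas the sibling beats-based filters in the change use `log.local.ips`/`log.local.macs`; if the divergence is deliberate (pre-existing field names that rules depend on) a one-line comment saying so would save the next reader a search.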
@@ -0,0 +1,159 @@ + + + + + + + fileset: datatype +# log: plain text +# 1. Parsing the json from beats +# 2. Parsing the message field containing the logstash log +pipeline: + - dataTypes: + - logstash + steps: + - json: + source: raw + - rename: + from: + - log.url + to: origin.url + - rename: + from: + - log.log.file.path + to: origin.file + - rename: + from: + - log.host.ip + to: log.local.ips + - rename: + from: + - log.host.mac + to: log.local.macs + - rename: + from: + - log.host.hostname + to: origin.host + - rename: + from: + - log.event.dataset + to: action + - rename: + from: + - log.agent.version + to: log.agentVersion + - rename: + from: + - log.host.os.kernel + to: log.osVersion + - rename: + from: + - log.host.os.type + to: log.osType + - rename: + from: + - log.host.architecture + to: log.cpuArchitecture + - cast: + to: '[]string' + fields: + - log.local.ips + - cast: + to: '[]string' + fields: + - log.local.macs + # Parsing common log parts + - grok: + patterns: + - fieldName: deviceTime + pattern: '\[{{.data}}\]' + - fieldName: log.level + pattern: '\[{{.data}}\]' + - fieldName: log.component + pattern: '\[{{.data}}\]' + - fieldName: log.pipelineName + pattern: '^(\[{{.data}}\])' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.message + # Parsing when pipeline is not present + - grok: + patterns: + - fieldName: deviceTime + pattern: '\[{{.data}}\]' + - fieldName: log.level + pattern: '\[{{.data}}\]' + - fieldName: log.component + pattern: '\[{{.data}}\]' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.message + - trim: + function: prefix + substring: '[' + fields: + - deviceTime + - log.level + - log.component + - log.pipelineName + - trim: + function: suffix + substring: ']' + fields: + - deviceTime + - log.level + - log.component + - log.pipelineName + - reformat: + fields: + - deviceTime + function: time + fromFormat: '2024-07-31T17:02:07,154' + toFormat: '2024-09-23T15:57:40.338364445Z' + # Adding severity based on 
log.level + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.level", ["ERROR", "Error", "FATAL", "CRITICAL", "Critical"]) + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: oneOf("log.level", ["WARN", "Warning"]) + - add: + function: 'string' + params: + key: severity + value: 'low' + where: oneOf("log.level", ["Information", "Informational", "INFO", "DEBUG", "TRACE"]) + # Removing unused fields + - delete: + fields: + - log.service + - log.metadata + - log.agent + - log.host + - log.event + - log.ecs + - log.log + - log.fileset$$ + WHERE id=1407; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209014_update_filter_meraki.xml b/backend/src/main/resources/config/liquibase/changelog/20260209014_update_filter_meraki.xml new file mode 100644 index 000000000..0fa92733e --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209014_update_filter_meraki.xml 
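Review bot: The `reformat` of `deviceTime` runs unconditionally, unlike the elasticsearch filter in this change which guards it with `where: exists("deviceTime")`; when neither grok matches (a multi-line or non-standard message) the step is applied to a missing field, so add the same `where: exists("deviceTime")` guard here. The two groks over `log.message` overlap: the second one (without `log.pipelineName`) also matches a message that has a pipeline prefix, so if a later step overwrites fields set by an earlier one — I cannot confirm the engine's semantics from the hunk — `log.msg` ends up with the `[pipeline]` prefix re-attached; guarding it with `where: '!exists("log.pipelineName")'` (the negation form already used in the meraki filter) removes the ambiguity either way. The `^` anchor inside the `log.pipelineName` pattern, `'^(\[{{.data}}\])'`, is also suspicious if the per-field patterns are concatenated into one expression, since a mid-expression start anchor would prevent the whole grok from matching; worth confirming against a sample line.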
@@ -0,0 +1,1568 @@
+
+
+
+
+
+
+ Syslog
+#
+# 1. Parsing the message field
+pipeline:
+ - dataTypes:
+ - firewall-meraki
+ steps:
+ # Header fields
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '(\<{{.integer}}\>)'
+ - fieldName: log.ciscoTime
+ pattern: '{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}'
+ - fieldName: log.serverIp
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}(\s)?\:'
+ - fieldName: log.msg
+ pattern: '{{.greedy}}'
+ source: raw
+ - grok:
+ patterns:
+ - fieldName: log.ciscoTime
+ pattern: '{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}'
+ - fieldName: log.serverIp
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}(\s)?\:'
+ - fieldName: log.msg
+ pattern: '{{.greedy}}'
+ source: raw
+ # Adding control log.controlFlag field (Used to know if the message don't contains the header INT.INT mx_type mx_group)
+ - add:
+ function: 'string'
+ params:
+ key: log.controlFlag
+ value: 'Init'
+ # Begin message parsing
+ # First extract the generic message, then parse it
+ - grok:
+ patterns:
+ - fieldName: log.controlFlag
+ pattern: '{{.data}}(\s)(events|flows|urls|ids-alerts|security_event)'
+ - fieldName: log.genericEvent
+ pattern: '{{.greedy}}'
+ source: log.msg
+ # Parsing variant INT.INT mx_type mx_group
+ # Parsing from controlFlag (Format: Date? IP PORT INT.INT mx_type mx_group)
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}{{.time}}'
+ - fieldName: log.localIp
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.local.port
+ pattern: '{{.integer}}'
+ - fieldName: log.msgEventTime
+ pattern: '{{.integer}}\.{{.integer}}'
+ - fieldName: log.merakiType
+ pattern: '{{.data}}\s'
+ - fieldName: log.merakiGroup
+ pattern: '{{.greedy}}'
+ source: log.controlFlag
+ where: '!equals("log.controlFlag", "Init")'
+ - grok:
+ patterns:
+ - fieldName: log.msgEventTime
+ pattern: '{{.integer}}\.{{.integer}}'
+ - fieldName: log.merakiType
+ pattern: '{{.data}}\s'
+ - fieldName: log.merakiGroup
+ pattern: '{{.greedy}}'
+ source: log.controlFlag
+ where: '!equals("log.controlFlag", "Init")'
+ # ........................................
+ # event vpn connectivity change
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'type(\s)?='
+ - fieldName: action
+ pattern: '{{.data}}\s'
+ - fieldName: log.irrelevant
+ pattern: 'vpn_type(\s)?='
+ - fieldName: log.vpnType
+ pattern: '''{{.data}}'''
+ - fieldName: log.irrelevant
+ pattern: 'peer_contact(\s)?='
+ - fieldName: origin.ip
+ pattern: '''{{.data}}\:'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'''
+ - fieldName: log.irrelevant
+ pattern: 'peer_ident(\s)?='
+ - fieldName: log.peerIdent
+ pattern: '''{{.data}}'''
+ - fieldName: log.irrelevant
+ pattern: 'connectivity(\s)?='
+ - fieldName: log.connectivity
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init")'
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.connectivity", "true")
+ # ........................................
+ # event uplink connectivity change
+ - rename:
+ from:
+ - log.genericEvent
+ to: action
+ where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "failover to")'
+ # ........................................
+ # event uplink connectivity change + # Event: urls, HTTP GET requests in MR Access Points + - rename: + from: + - log.genericEvent + to: action + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "Cellular connection")' + - grok: + patterns: + - fieldName: action + pattern: 'Cellular connection' + - fieldName: log.connectionState + pattern: '(up|Up|down|Down)' + - fieldName: log.msgEventTime + pattern: '{{.integer}}\.{{.integer}}' + - fieldName: log.merakiTypeIn + pattern: '{{.data}}\s' + - fieldName: log.merakiGroupIn + pattern: '(events|flows|urls|ids-alerts|security_event)' + - fieldName: log.irrelevant + pattern: 'src(\s)?=' + - fieldName: origin.ip + pattern: '{{.data}}\:' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'dst(\s)?=' + - fieldName: target.ip + pattern: '{{.data}}\:' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'mac(\s)?=' + - fieldName: origin.mac + pattern: '{{.data}}(\s)' + - fieldName: log.irrelevant + pattern: 'request(\s)?\:' + - fieldName: log.method + pattern: '{{.word}}' + - fieldName: target.url + pattern: '{{.greedy}}' + source: action + where: '!equals("log.controlFlag", "Init") && contains("action", "Cellular connection")' + - grok: + patterns: + - fieldName: action + pattern: 'Cellular connection' + - fieldName: log.connectionState + pattern: '(up|Up|down|Down)' + source: action + where: '!equals("log.controlFlag", "Init") && contains("action", "Cellular connection")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equalsIgnoreCase("log.connectionState", "up") + # ........................................ 
+ # Event: event, dhcp no offers + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}for\smac' + - fieldName: origin.mac + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'host(\s)?=' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp no offers")' + - trim: + function: suffix + substring: 'for mac' + fields: + - action + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp no offers")' + # ........................................ + # Event: event, dhcp lease + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}of\sip' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'from server mac' + - fieldName: log.serverMac + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'for client mac' + - fieldName: origin.mac + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'from router' + - fieldName: log.routerIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'on subnet' + - fieldName: log.subnet + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'with dns' + - fieldName: log.dns + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: ',' + - fieldName: log.dns1 + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp lease")' + - trim: + function: suffix + substring: 'of ip' + fields: + - action + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp lease")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: contains("log.genericEvent", "dhcp lease") + # ........................................ 
+ # Event: event, HTTP GET requests in Meraki MX Security Appliance + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'src(\s)?=' + - fieldName: origin.ip + pattern: '{{.data}}\:' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'dst(\s)?=' + - fieldName: target.ip + pattern: '{{.data}}\:' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'mac(\s)?=' + - fieldName: origin.mac + pattern: '{{.data}}(\s)' + - fieldName: log.irrelevant + pattern: 'request(\s)?\:' + - fieldName: log.method + pattern: '{{.word}}' + - fieldName: target.url + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="urls"' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="urls"' + # ........................................ 
+ # Event: flows, IP session initiated in Meraki MX Security Appliance + # First variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'src(\s)?=' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'dst(\s)?=' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'mac(\s)?=' + - fieldName: origin.mac + pattern: '{{.data}}(\s)' + - fieldName: log.irrelevant + pattern: 'protocol(\s)?=' + - fieldName: protocol + pattern: '{{.data}}(\s)' + - fieldName: log.irrelevant + pattern: 'sport(\s)?=' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'dport(\s)?=' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'pattern(\s)?\:' + - fieldName: log.pattern + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows"' + # Second variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'src(\s)?=' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'dst(\s)?=' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'protocol(\s)?=' + - fieldName: protocol + pattern: '{{.data}}(\s)' + - fieldName: log.irrelevant + pattern: 'sport(\s)?=' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'dport(\s)?=' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'pattern(\s)?\:' + - fieldName: log.pattern + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows"' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + 
value: 'accepted' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (log.pattern.startsWith("0") || log.pattern.startsWith("allow") || log.pattern.startsWith("Allow"))' + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (log.pattern.startsWith("deny") || log.pattern.startsWith("Deny"))' + # ........................................ + # Event: ids-alerts, ids signature matched in Meraki MX Security Appliance + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'signature(\s)?=' + - fieldName: log.signature + pattern: '{{.data}}priority' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.priority + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'timestamp(\s)?=' + - fieldName: log.msgEventTimeIn + pattern: '{{.integer}}\.{{.integer}}' + - fieldName: log.irrelevant + pattern: 'direction(\s)?=' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'protocol(\s)?=' + - fieldName: protocol + pattern: '{{.data}}(\s)' + - fieldName: log.irrelevant + pattern: 'src(\s)?=' + - fieldName: origin.ip + pattern: '{{.data}}\:' + - fieldName: origin.port + pattern: '{{.integer}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "signature") && log.merakiGroup=="ids-alerts"' + - trim: + function: suffix + substring: 'priority' + fields: + - log.signature + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "signature") && log.merakiGroup=="ids-alerts"' + # ........................................ 
+ # Event: event IPsec-SA request queued due to no phase 1 found, phase2 negotiation failed, initiate new phase 1 negotiation, + # ISAKMP-SA established, initiate new phase 2 negotiation, IPsec-SA established, ISAKMP-SA established, and ISAKMP-SA deleted + # in Meraki MX Security Appliance + # This type of message mx_type=labs_appliance mx_group=events + # First variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)(deleted|established)' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: origin.port + pattern: '\[(\s)?{{.integer}}(\s)?\]' + - fieldName: log.irrelevant + pattern: '-' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: target.port + pattern: '\[(\s)?{{.integer}}(\s)?\]' + - fieldName: log.irrelevant + pattern: 'spi(\s)?\:' + - fieldName: log.spi + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"' + # Second variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)request(\s)for' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"' + # Third variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)negotiation(\s)failed' + - fieldName: log.irrelevant + pattern: '{{.data}}ESP' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: origin.port + pattern: '\[(\s)?{{.integer}}(\s)?\]' + - fieldName: log.irrelevant + pattern: '-\>' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: target.port + pattern: 
'\[(\s)?{{.integer}}(\s)?\]' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"' + # Fourth variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)negotiation(\s)?\:' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: origin.port + pattern: '\[(\s)?{{.integer}}(\s)?\]' + - fieldName: log.irrelevant + pattern: '\<=\>' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: target.port + pattern: '\[(\s)?{{.integer}}(\s)?\]' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"' + # Fifth variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)established\:(\s)?ESP/Tunnel' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: origin.port + pattern: '\[(\s)?{{.integer}}(\s)?\]' + - fieldName: log.irrelevant + pattern: '-\>' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: target.port + pattern: '\[(\s)?{{.integer}}(\s)?\]' + - fieldName: log.irrelevant + pattern: 'spi(\s)?=' + - fieldName: log.spi + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"' + - trim: + function: prefix + substring: '[' + fields: + - origin.port + - target.port + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"' + - trim: + function: suffix + substring: ']' + fields: + - origin.port + - target.port + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"' + # Adding action result + - add: + function: 'string' + params: + key: 
actionResult + value: 'accepted' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events" && (contains("log.genericEvent", "queued due to no phase 1") || contains("log.genericEvent", "queued due to no phase1") || || contains("log.genericEvent", "established"))' + # ........................................ + # Event: event spanning-tree guard state change in Meraki MS Switches + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Port' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'received an' + - fieldName: protocol + pattern: '{{.data}}BPDU' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.mac + pattern: '{{.data}}so' + - fieldName: log.irrelevant + pattern: 'the port was' + - fieldName: actionResult + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"' + - trim: + function: suffix + substring: 'BPDU' + fields: + - protocol + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"' + - trim: + function: suffix + substring: 'so' + fields: + - origin.mac + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events" && contains("log.genericEvent", "blocked")' + # ........................................ 
+ # Event: event blocked DHCP server response in Meraki MS Switches + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Blocked' + - fieldName: protocol + pattern: '{{.data}}server' + - fieldName: log.irrelevant + pattern: 'response from' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'VLAN' + - fieldName: log.vlan + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"' + - trim: + function: suffix + substring: 'server' + fields: + - protocol + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"' + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"' + # ........................................ + # Event: event 802.1X (all events) in Meraki MS Switches + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'type(\s)?=' + - fieldName: action + pattern: '{{.data}}port' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.port + pattern: '{{.data}}identity' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.identity + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")' + - trim: + function: suffix + substring: 'port' + fields: + - action + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")' + - trim: + function: prefix + substring: '''' + fields: + - origin.port + - log.identity + where: '!equals("log.controlFlag", "Init") && 
startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")' + - trim: + function: suffix + substring: '''' + fields: + - origin.port + - log.identity + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")' + # ........................................ + # Event: event 802.11 disassociation in Meraki MR Access Points + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'type(\s)?=' + - fieldName: action + pattern: '{{.data}}radio' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.radio + pattern: '{{.data}}vap' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.vap + pattern: '{{.data}}channel' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.channel + pattern: '{{.data}}reason' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.reason + pattern: '{{.data}}instigator' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.instigator + pattern: '{{.data}}duration' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.duration + pattern: '{{.data}}auth_neg_dur' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.authNegDur + pattern: '{{.data}}last_auth_ago' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.lastAuthAgo + pattern: '{{.data}}is_wpa' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.isWpa + pattern: '{{.data}}full_conn' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.fullConn + pattern: '{{.data}}ip_resp' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.ipResp + pattern: '{{.data}}ip_src' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.ip + pattern: '{{.data}}arp_resp' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.arpResp + pattern: 
'{{.data}}arp_src' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.arpSrc + pattern: '{{.data}}dns_server' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.dnsServer + pattern: '{{.data}}dns_req_rtt' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.dnsReqRtt + pattern: '{{.data}}dns_resp' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.dnsResp + pattern: '{{.data}}aid' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.aid + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'radio' + fields: + - action + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'vap' + fields: + - log.radio + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'channel' + fields: + - log.vap + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + 
substring: 'reason' + fields: + - log.channel + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'instigator' + fields: + - log.reason + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'duration' + fields: + - log.instigator + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'auth_neg_dur' + fields: + - log.duration + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'last_auth_ago' + fields: + - log.authNegDur + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'is_wpa' + fields: + - log.lastAuthAgo + where: '!equals("log.controlFlag", "Init") && 
startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'full_conn' + fields: + - log.isWpa + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'ip_resp' + fields: + - log.fullConn + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'ip_src' + fields: + - log.ipResp + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'arp_resp' + fields: + - origin.ip + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'arp_src' + fields: + - log.arpResp + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && 
contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'dns_server' + fields: + - log.arpSrc + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'dns_req_rtt' + fields: + - log.dnsServer + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'dns_resp' + fields: + - log.dnsReqRtt + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: 'aid' + fields: + - log.dnsResp + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: prefix + substring: '''' + fields: + - log.radio + - log.vap + - log.channel + - log.reason + - log.instigator + - log.duration + - log.authNegDur + - log.lastAuthAgo + - log.isWpa + - log.fullConn + - log.ipResp + - origin.ip + - log.arpResp + - log.arpSrc + - log.dnsServer + - log.dnsReqRtt + - log.dnsResp + - log.aid + 
where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + - trim: + function: suffix + substring: '''' + fields: + - log.radio + - log.vap + - log.channel + - log.reason + - log.instigator + - log.duration + - log.authNegDur + - log.lastAuthAgo + - log.isWpa + - log.fullConn + - log.ipResp + - origin.ip + - log.arpResp + - log.arpSrc + - log.dnsServer + - log.dnsReqRtt + - log.dnsResp + - log.aid + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")' + # ........................................ 
+ # Event: event 802.1X (all events) in Meraki MR Access Points + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'type(\s)?=' + - fieldName: action + pattern: '{{.data}}radio' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.radio + pattern: '{{.data}}vap' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.vap + pattern: '{{.data}}identity' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.identity + pattern: '{{.data}}aid' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.aid + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")' + - trim: + function: suffix + substring: 'radio' + fields: + - action + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")' + - trim: + function: suffix + substring: 'vap' + fields: + - log.radio + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")' + - trim: + function: suffix + substring: 'identity' + fields: + - log.vap + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")' + - trim: + function: suffix + substring: 'aid' + fields: 
+ - log.identity + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")' + - trim: + function: prefix + substring: '''' + fields: + - log.radio + - log.vap + - log.identity + - log.aid + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")' + - trim: + function: suffix + substring: '''' + fields: + - log.radio + - log.vap + - log.identity + - log.aid + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")' + # ........................................ 
+ # Event: event splash authentication in Meraki MR Access Points + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'type(\s)?=' + - fieldName: action + pattern: '{{.data}}ip' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.ip + pattern: '{{.data}}duration' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.duration + pattern: '{{.data}}vap' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.vap + pattern: '{{.data}}download' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.download + pattern: '{{.data}}upload' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.upload + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")' + - trim: + function: suffix + substring: 'ip' + fields: + - action + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")' + - trim: + function: suffix + substring: 'duration' + fields: + - origin.ip + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")' + - trim: + function: suffix + substring: 'vap' + fields: + - log.duration + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && 
log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")' + - trim: + function: suffix + substring: 'download' + fields: + - log.vap + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")' + - trim: + function: suffix + substring: 'upload' + fields: + - log.download + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")' + - trim: + function: prefix + substring: '''' + fields: + - origin.ip + - log.vap + - log.duration + - log.download + - log.upload + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")' + - trim: + function: suffix + substring: '''' + fields: + - origin.ip + - log.vap + - log.duration + - log.download + - log.upload + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")' + # Adding action result + - add: + function: 
'string' + params: + key: actionResult + value: 'accepted' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")' + # ........................................ + # Event: event wireless packet flood detected in Meraki MR Access Points + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'type(\s)?=' + - fieldName: action + pattern: '{{.data}}(\s)packet' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.packet + pattern: '{{.data}}device' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.mac + pattern: '{{.data}}radio' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.radio + pattern: '{{.data}}state' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.state + pattern: '{{.data}}alarm_id' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.alarmId + pattern: '{{.data}}dos_count' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.dosCount + pattern: '{{.data}}inter_arrival' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.interArrival + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'packet' + fields: + - action + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && 
contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'device' + fields: + - log.packet + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'radio' + fields: + - origin.mac + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'state' + fields: + - log.radio + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'alarm_id' + fields: + - log.state + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'dos_count' + fields: + - log.alarmId + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && 
contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'inter_arrival' + fields: + - log.dosCount + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: prefix + substring: '''' + fields: + - origin.ip + - origin.mac + - log.radio + - log.packet + - log.dosCount + - log.alarmId + - log.state + - log.interArrival + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: '''' + fields: + - origin.ip + - origin.mac + - log.radio + - log.packet + - log.dosCount + - log.alarmId + - log.state + - log.interArrival + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + # ........................................ 
+ # Event: flows, flow allowed by Layer 3 firewall in Meraki MR Access Points + - grok: + patterns: + - fieldName: actionResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'src(\s)?=' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}' + - fieldName: log.irrelevant + pattern: 'dst(\s)?=' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}' + - fieldName: log.irrelevant + pattern: 'mac(\s)?=' + - fieldName: origin.mac + pattern: '{{.data}}protocol' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: protocol + pattern: '{{.data}}sport' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'dport(\s)?=' + - fieldName: target.port + pattern: '{{.integer}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")' + - trim: + function: suffix + substring: 'sport' + fields: + - protocol + where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")' + - trim: + function: suffix + substring: 'protocol' + fields: + - origin.mac + where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", 
"dport") && contains("log.genericEvent", "mac")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "allow") && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "deny") && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")' + # ........................................ + # Event: event rogue SSID detected and SSID spoofing detected in Meraki MR Access Points + # First variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'airmarshal_events(\s)type(\s)?=' + - fieldName: action + pattern: '{{.data}}ssid(\s)?=' + - fieldName: log.ssid + pattern: '{{.data}}bssid' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.bssid + pattern: '{{.data}}src' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.mac + pattern: '{{.data}}dst' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: target.mac + pattern: '{{.data}}wired_mac' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.wiredMac + pattern: '{{.data}}vlan_id' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.vlanId + pattern: '{{.data}}channel' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.channel + pattern: '{{.data}}rssi' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.rssi + pattern: '{{.data}}fc_type' + - fieldName: log.irrelevant + pattern: '=' + - 
fieldName: log.fcType + pattern: '{{.data}}fc_subtype' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.fcSubType + pattern: '{{.greedy}}' + source: log.msg + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + # Second variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'airmarshal_events(\s)type(\s)?=' + - fieldName: action + pattern: '{{.data}}ssid(\s)?=' + - fieldName: log.ssid + pattern: '{{.data}}vap' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.vap + pattern: '{{.data}}bssid' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.bssid + pattern: '{{.data}}src' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.mac + pattern: '{{.data}}dst' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: target.mac + pattern: '{{.data}}channel' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.channel + pattern: '{{.data}}rssi' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.rssi + pattern: '{{.data}}fc_type' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.fcType + pattern: '{{.data}}fc_subtype' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.fcSubType + pattern: '{{.greedy}}' + source: log.msg + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: '=' + fields: + - action + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'ssid' + fields: + - action + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && 
contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'bssid' + fields: + - log.ssid + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'vap' + fields: + - log.ssid + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'bssid' + fields: + - log.vap + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'src' + fields: + - log.bssid + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'dst' + fields: + - origin.mac + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'wired_mac' + fields: + - target.mac + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'channel' + fields: + - target.mac + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'vlan_id' + fields: + - log.wiredMac + where: startsWith("log.genericEvent", 
"airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'channel' + fields: + - log.vlanId + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'rssi' + fields: + - log.channel + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'fc_type' + fields: + - log.rssi + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'fc_subtype' + fields: + - log.fcType + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: prefix + substring: '''' + fields: + - action + - log.ssid + - log.bssid + - origin.mac + - target.mac + - log.wiredMac + - log.vlanId + - log.channel + - log.rssi + - log.fcType + - log.fcSubType + - log.vap + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: '''' + fields: + - action + - log.ssid + - log.bssid + - origin.mac + - target.mac + - log.wiredMac + - log.vlanId + - log.channel + - log.rssi + - log.fcType + - log.fcSubType + - log.vap + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", 
"bssid") + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + # ........................................ + # Event: security_event ids_alerted, ids signature matched in Meraki MX Security Appliance + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'signature(\s)?=' + - fieldName: log.signature + pattern: '{{.data}}priority' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.priority + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'timestamp(\s)?=' + - fieldName: log.msgEventTime + pattern: '{{.data}}dhost' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.mac + pattern: '{{.data}}direction' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.direction + pattern: '{{.data}}protocol' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: protocol + pattern: '{{.data}}src' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}\:' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'dst(\s)?=' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}\:' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'priority' + fields: + - log.signature + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && 
contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'dhost' + fields: + - log.msgEventTime + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'direction' + fields: + - origin.mac + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'protocol' + fields: + - log.direction + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'src' + fields: + - protocol + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + # ............................................................................ 
+ # Cleaning common fields + - trim: + function: suffix + substring: ':' + fields: + - log.localIp + - origin.ip + - target.ip + - log.serverIp + - trim: + function: prefix + substring: '''' + fields: + - origin.ip + - log.peerIdent + - log.connectivity + - log.vpnType + - trim: + function: suffix + substring: '''' + fields: + - origin.port + - log.peerIdent + - log.connectivity + - log.vpnType + #......................................................................# + # Adding geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.serverIp + destination: log.serverIp.geolocation + where: exists("log.serverIp") + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.localIp + destination: log.localIp.geolocation + where: exists("log.localIp") + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.ipResp + destination: log.ipResp.geolocation + where: exists("log.ipResp") + #......................................................................# + # Common field conversions + - cast: + fields: + - origin.port + - target.port + to: int + #......................................................................# + # Removing unused fields + - delete: + fields: + - log.controlFlag + - log.irrelevant + - log.genericEvent$$ + WHERE id=302; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209015_update_filter_mysql.xml b/backend/src/main/resources/config/liquibase/changelog/20260209015_update_filter_mysql.xml new file mode 100644 index 000000000..5b17c62b7 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209015_update_filter_mysql.xml 
@@ -0,0 +1,150 @@ + + + + + + + fileset: datatype +# error: plain text +# 1. Parsing the json from beats +# 2. Parsing the message field containing the mysql log +pipeline: + - dataTypes: + - mysql + steps: + - json: + source: raw + - rename: + from: + - log.url + to: origin.url + - rename: + from: + - log.log.file.path + to: origin.file + - rename: + from: + - log.host.ip + to: log.local.ips + - rename: + from: + - log.host.mac + to: log.local.macs + - rename: + from: + - log.host.hostname + to: origin.host + - rename: + from: + - log.event.dataset + to: action + - rename: + from: + - log.agent.version + to: log.agentVersion + - rename: + from: + - log.host.os.kernel + to: log.osVersion + - rename: + from: + - log.host.os.type + to: log.osType + - rename: + from: + - log.host.architecture + to: log.cpuArchitecture + - cast: + to: '[]string' + fields: + - log.local.ips + - cast: + to: '[]string' + fields: + - log.local.macs + # Parsing common log parts + - grok: + patterns: + - fieldName: deviceTime + pattern: '{{.data}}\s' + - fieldName: log.thread + pattern: '{{.integer}}' + - fieldName: log.level + pattern: '\[{{.data}}\]' + - fieldName: log.errorCode + pattern: '\[{{.data}}\]' + - fieldName: log.subsystem + pattern: '\[{{.data}}\]' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.message + - trim: + function: prefix + substring: '[' + fields: + - log.level + - log.errorCode + - log.subsystem + - trim: + function: suffix + substring: ']' + fields: + - log.level + - log.errorCode + - log.subsystem + - reformat: + fields: + - deviceTime + function: time + fromFormat: '2020-08-06T14:25:03.109022Z' + toFormat: '2024-09-23T15:57:40.338364445Z' + # Adding severity based on log.level + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.level", ["Internal", "internal", "INTERNAL", "Error", "error", "ERROR"]) + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: exists("log.level") && 
oneOf("log.level", ["Warning", "warning", "WARNING"]) + - add: + function: 'string' + params: + key: severity + value: 'low' + where: exists("log.level") && !oneOf("log.level", ["Internal", "internal", "INTERNAL", "Error", "error", "ERROR", "Warning", "warning", "WARNING"]) + # Removing unused fields + - delete: + fields: + - log.service + - log.metadata + - log.agent + - log.host + - log.event + - log.ecs + - log.log + - log.fileset$$ + WHERE id=1405; + ]]> + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209016_update_filter_nginx.xml b/backend/src/main/resources/config/liquibase/changelog/20260209016_update_filter_nginx.xml new file mode 100644 index 000000000..924d50d0a --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209016_update_filter_nginx.xml @@ -0,0 +1,417 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209017_update_filter_redis.xml b/backend/src/main/resources/config/liquibase/changelog/20260209017_update_filter_redis.xml new file mode 100644 index 000000000..978a31903 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209017_update_filter_redis.xml 
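Review bot: The three severity `add` steps near the end of the hunk are guarded inconsistently — the `high` step's `where` is `oneOf("log.level", [...])` alone, while the `medium` and `low` steps prefix it with `exists("log.level") &&`; either drop the redundant `exists` on the latter two or add it to the first so the three read the same way. A line whose `log.message` does not match the `[level] [code] [subsystem]` layout the grok assumes never gets `log.level`, so it leaves the filter with no `severity` at all, which is exactly the case a detection rule keyed on severity would silently miss; if every mysql event is expected to carry one, a fallback `add` guarded by `where: '!exists("log.level")'` would close that gap. The header comment names the fileset but not the line layout the grok depends on, so a comment above the grok such as `# Expects MySQL 8 error-log lines: <timestamp> <thread> [<level>] [<error code>] [<subsystem>] <message>` would help the next maintainer (the `fromFormat` literal in the `reformat` step already fixes the timestamp form). Note too that the `delete` step drops `log.host`, `log.event` and `log.log` after the renames pull `host.ip`, `host.mac`, `event.dataset` and `log.file.path` out of them, so any other sub-field of those objects is discarded without being mentioned in the "Removing unused fields" comment.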
@@ -0,0 +1,260 @@ + + + + + + + fileset: datatype +# log: plain text +# +# Documentations +# 1- https://www.elastic.co/guide/en/beats/filebeat/7.13/filebeat-module-redis.html +# 2- https://www.elastic.co/guide/en/beats/filebeat/7.13/exported-fields-redis.html +# 3- https://redis.io/docs/latest/operate/rs/clusters/logging/redis-slow-log/ +# 4- https://build47.com/redis-log-format-levels/ +# +# Implementation +# 1. Parsing the json from beats +# 2. Parsing the message field containing the redis log +pipeline: + - dataTypes: + - redis + steps: + - json: + source: raw + + # Parse message field in plain text format + - grok: + patterns: + - fieldName: log.pid + pattern: '{{.data}}\:' + - fieldName: log.roleEnc + pattern: '{{.word}}' + - fieldName: log.deviceTime + pattern: '{{.monthDay}}{{.space}}{{.monthName}}{{.space}}{{.year}}{{.space}}{{.time}}' + - fieldName: log.levelEnc + pattern: '(\.)|(-)|(\*)|(#)' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.message + + # Removing unwanted prefixes + - trim: + function: suffix + substring: ':' + fields: + - log.pid + + # Fields variants from module + # Example: [4018] 14 Nov 07:01:22.119 + - grok: + patterns: + - fieldName: log.pid + pattern: '\[{{.data}}\]' + - fieldName: log.deviceTime + pattern: '{{.monthDay}}{{.space}}{{.monthName}}{{.space}}{{.time}}' + - fieldName: log.levelEnc + pattern: '(\.)|(-)|(\*)|(#)' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.message + + # Removing unwanted prefixes + - trim: + function: prefix + substring: '[' + fields: + - log.pid + - trim: + function: suffix + substring: ']' + fields: + - log.pid + + # ................................................................................# + # Implementing the Record-RoleEnc Field Based on Redis Documentation + # https://build47.com/redis-log-format-levels/ + # + # The possible values for roleEnc are as follows: + # (X) sentinel + # (M) master + # (S) slave + # (C) RDB/AOF writing child + # 
................................................................................# + - add: + function: 'string' + params: + key: log.role + value: 'sentinel' + where: log.roleEnc=="X" || log.roleEnc=="x" + + - add: + function: 'string' + params: + key: log.role + value: 'master' + where: log.roleEnc=="M" || log.roleEnc=="m" + + - add: + function: 'string' + params: + key: log.role + value: 'slave' + where: log.roleEnc=="S" || log.roleEnc=="s" + + - add: + function: 'string' + params: + key: log.role + value: 'rdb/aof' + where: log.roleEnc=="C" || log.roleEnc=="c" + + # ................................................................................# + # Implementing the Record-severity Field Based on Redis Documentation + # https://build47.com/redis-log-format-levels/ + # + # The log severity is a single character, which is one of the following: + # debug (.) + # verbose (-) + # notice (*) + # warning (#) + # ................................................................................# + - add: + function: 'string' + params: + key: log.severity + value: 'debug' + where: log.levelEnc=="." 
+ + - add: + function: 'string' + params: + key: log.severity + value: 'verbose' + where: log.levelEnc=="-" + + - add: + function: 'string' + params: + key: log.severity + value: 'notice' + where: log.levelEnc=="*" + + - add: + function: 'string' + params: + key: log.severity + value: 'warning' + where: log.levelEnc=="#" + + # Adding severity field based on log.severity + - add: + function: 'string' + params: + key: severity + value: 'low' + where: oneOf("log.severity", ["debug", "verbose"]) + + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: oneOf("log.severity", ["notice", "warning"]) + + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.severity", ["error"]) + + # Parse beats field + - rename: + from: + - log.url + to: origin.url + + - rename: + from: + - log.log.file.path + to: origin.file + + - rename: + from: + - log.host.ip + to: log.origin.ips + + - rename: + from: + - log.host.mac + to: log.origin.macs + + - rename: + from: + - log.host.hostname + to: origin.host + + - rename: + from: + - log.event.dataset + to: action + + - rename: + from: + - log.agent.version + to: log.agentVersion + + - rename: + from: + - log.host.os.kernel + to: log.osVersion + + - rename: + from: + - log.host.os.type + to: log.osType + + - rename: + from: + - log.host.architecture + to: log.cpuArchitecture + + # Fields conversions + - cast: + to: '[]string' + fields: + - log.origin.ips + - cast: + to: '[]string' + fields: + - log.origin.macs + + # Removing unused fields + - delete: + fields: + - log.service + - log.metadata + - log.log.offset + - log.agent + - log.host + - log.event + - log.ecs + - log.log.file + - log.roleEnc + - log.levelEnc + - log.log$$ + WHERE id=1401; + ]]> + + + \ No newline at end of file 
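Review bot: The rule that sets `severity: 'high'` with `where: oneOf("log.severity", ["error"])` can never fire, because the only values this pipeline writes to `log.severity` are `debug`, `verbose`, `notice` and `warning` (derived from `.`, `-`, `*`, `#`). As written, no redis event will ever be rated high; either drop the rule or, if the team's triage policy wants redis warnings surfaced, map `warning` to `high` and `notice` to `medium`, e.g. `where: oneOf("log.severity", ["warning"])` on the high rule. The choice depends on how downstream correlation rules weight `severity`, which is not visible here.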
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209018_update_filter_sophos_xg.xml b/backend/src/main/resources/config/liquibase/changelog/20260209018_update_filter_sophos_xg.xml new file mode 100644 index 000000000..c92284590 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209018_update_filter_sophos_xg.xml 
@@ -0,0 +1,760 @@ + + + + + + + ' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}' + - fieldName: log.0trash + pattern: '{{.data}}\=' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}' + - fieldName: log.notDefined + pattern: '{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.integer}}\>' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - kv: + fieldSplit: " " + valueSplit: "=" + source: log.restData + + # Extracting common fields for all logs + - grok: + patterns: + - fieldName: log.1trash + pattern: '{{.data}}log_type=' + - fieldName: log.type + pattern: '\"{{.data}}\"' + - fieldName: log.2trash + pattern: '{{.data}}log_component=' + - fieldName: log.component + pattern: '\"{{.data}}\"' + - fieldName: log.3trash + pattern: '{{.data}}log_subtype=' + - fieldName: log.subType + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + # Parsing the raw field for log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" + - grok: + patterns: + - fieldName: log.4trash + pattern: '{{.data}}user_agent=' + - fieldName: log.userAgent + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.5trash + pattern: '{{.data}}download_file_name=' + - fieldName: log.downloadfilename + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.6trash + pattern: '{{.data}}upload_file_name=' + - fieldName: log.uploadfilename + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + # Parsing the raw field for log_type="Content Filtering" 
log_component="Application" log_subtype="Denied" + - grok: + patterns: + - fieldName: log.4trash + pattern: '{{.data}}category=' + - fieldName: log.category + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.5trash + pattern: '{{.data}}application_name=' + - fieldName: log.applicationName + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.6trash + pattern: '{{.data}}application_technology=' + - fieldName: log.applicationTech + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.7trash + pattern: '{{.data}}application_category=' + - fieldName: log.applicationCategory + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.8trash + pattern: '{{.data}}message=' + - fieldName: log.logMessage + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + # Parsing the raw field for log_type="Firewall" log_component="Firewall Rule|Invalid Traffic" log_subtype="Allowed|Denied" + - grok: + patterns: + - fieldName: log.4trash + pattern: '{{.data}}ether_type=' + - fieldName: log.etherType + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + # Parsing the raw field for log_type="Event" log_component="DDNS|DHCP Server|Firewall Authentication" log_subtype="System|Authentication" + - grok: + patterns: + - fieldName: log.4trash + pattern: '{{.data}}raw_data=' + - fieldName: log.rawData + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.5trash + pattern: '{{.data}}raw_data=' + - fieldName: log.rawData + pattern: 
'\"{{.data}}\"' + source: log.restData + + - grok: + patterns: + - fieldName: log.6trash + pattern: '{{.data}}usergroupname=' + - fieldName: log.userGroupName + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.7trash + pattern: '{{.data}}auth_client=' + - fieldName: log.authClient + pattern: '\"{{.data}}\"' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.8trash + pattern: '{{.data}}message=' + - fieldName: log.logMessage + pattern: '\"{{.data}}\"' + source: log.restData + + # Renaming useful fields + - rename: + from: + - log.appiscloud + to: log.appIsCloud + + - rename: + from: + - log.category + to: log.categoryApp + + - rename: + from: + - log.categorytype + to: log.categoryType + + - rename: + from: + - log.uploadfilename + to: log.uploadFileName + + - rename: + from: + - log.downloadfiletype + to: log.downloadFileType + + - rename: + from: + - log.downloadfilename + to: log.downloadFileName + + - rename: + from: + - log.uploadfiletype + to: log.uploadFileType + + - rename: + from: + - log.contenttype + to: log.contentType + + - rename: + from: + - log.conid + to: log.connectionId + + - rename: + from: + - log.deviceid + to: log.deviceId + + - rename: + from: + - log.domain + to: target.domain + + - rename: + from: + - log.dstip + to: target.ip + + - rename: + from: + - log.dstport + to: target.port + + - rename: + from: + - log.exceptions + to: log.webExceptions + + - rename: + from: + - log.fwruleid + to: log.firewallRuleId + + - rename: + from: + - log.iap + to: log.webPolicy + + - rename: + from: + - log.logid + to: log.Id + + - rename: + from: + - log.bridgedisplayname + to: log.bridgeDisplayName + + - rename: + from: + - log.bridgename + to: log.bridgeName + + - rename: + from: + - log.recvbytes + to: origin.bytesReceived + + - rename: + from: + - log.sentbytes + to: origin.bytesSent + + 
- rename: + from: + - log.srcip + to: origin.ip + + - rename: + from: + - log.srcport + to: origin.port + + - rename: + from: + - log.statuscode + to: log.statusCode + + - rename: + from: + - log.protocol + to: protocol + + - rename: + from: + - log.usedquota + to: log.responseTime + + - rename: + from: + - log.usergp + to: log.userGroup + + - rename: + from: + - log.username + to: origin.user + + - rename: + from: + - log.srccountrycode + to: log.srcCountryCode + + - rename: + from: + - log.dstcountrycode + to: log.dstCountryCode + + - rename: + from: + - log.appresolvedby + to: log.appResolvedBy + + - rename: + from: + - log.applicationrisk + to: log.applicationRisk + + - rename: + from: + - log.applicationfilterpolicy + to: log.applicationFilterPolicy + + - rename: + from: + - log.device + to: log.deviceType + + - rename: + from: + - log.devicename + to: log.deviceName + + - rename: + from: + - log.domainname + to: log.domainName + + - rename: + from: + - log.timezone + to: log.timeZone + + - rename: + from: + - log.filename + to: target.file + + - rename: + from: + - log.filepath + to: target.path + + - rename: + from: + - log.indisplayinterface + to: log.inDisplayInterface + + - rename: + from: + - log.ininterface + to: log.inInterface + + - rename: + from: + - log.outdisplayinterface + to: log.outDisplayInterface + + - rename: + from: + - log.outinterface + to: log.outInterface + + - rename: + from: + - log.vlanid + to: log.vLanId + + - rename: + from: + - log.ftpcommand + to: command + + - rename: + from: + - log.FTPurl + to: target.url + + - rename: + from: + - log.FTPdirection + to: log.ftpDirection + + - rename: + from: + - log.ipspolicyid + to: log.ipsPolicyId + + - rename: + from: + - log.appfilterpolicyid + to: log.appFilterPolicyId + + - rename: + from: + - log.natruleid + to: log.natRuleId + + - rename: + from: + - log.srcmac + to: origin.mac + + - rename: + from: + - log.policytype + to: log.policyType + + - rename: + from: + - log.updatedip + to: 
log.updatedIp + + - rename: + from: + - log.clienthostname + to: log.clientHostName + + - rename: + from: + - log.ipaddress + to: origin.ip + + - rename: + from: + - log.clientphysicaladdress + to: log.clientPhysicalAddress + + - rename: + from: + - log.timestamp + to: log.timesTamp + + - rename: + from: + - log.starttime + to: log.startTime + + - rename: + from: + - log.authmechanism + to: log.authMechanism + + - rename: + from: + - log.eventtype + to: log.eventType + + - rename: + from: + - log.executionpath + to: log.executionPath + + - rename: + from: + - log.loginuser + to: log.loginUser + + - rename: + from: + - log.processuser + to: log.processUser + + - rename: + from: + - log.dstmac + to: target.mac + + - rename: + from: + - log.dstdomain + to: target.domain + + # Removing unnecessary characters + - trim: + function: prefix + substring: '"' + fields: + - log.categoryApp + - log.categoryType + - log.component + - log.subType + - log.type + - log.logMessage + - log.contentType + - log.deviceName + - log.domainName + - target.domain + - log.inDisplayInterface + - log.inInterface + - log.outDisplayInterface + - log.outInterface + - log.vLanId + - log.deviceType + - command + - log.clientHostName + - log.ipAddress + - log.clientPhysicalAddress + - log.authMechanism + - log.eventType + - log.executionPath + - log.loginUser + - log.processUser + - log.rawData + - log.userGroupName + - log.authClient + - target.file + - target.path + - log.ftpDirection + - target.url + - log.downloadFileName + - log.downloadFileType + - log.uploadFileName + - log.uploadFileType + - protocol + - log.reason + - log.referer + - log.status + - log.statusCode + - log.url + - log.virus + - log.userAgent + - log.userGroup + - origin.user + - log.bridgeName + - log.bridgeDisplayName + - log.timeZone + - log.applicationCategory + - log.applicationName + - log.applicationTech + - log.appResolvedBy + + - trim: + function: suffix + substring: '"' + fields: + - log.categoryApp + - 
log.categoryType + - log.component + - log.subType + - log.type + - log.logMessage + - log.contentType + - log.deviceName + - log.domainName + - target.domain + - log.inDisplayInterface + - log.inInterface + - log.outDisplayInterface + - log.outInterface + - log.vLanId + - log.deviceType + - command + - log.clientHostName + - log.ipAddress + - log.clientPhysicalAddress + - log.authMechanism + - log.eventType + - log.executionPath + - log.loginUser + - log.processUser + - log.rawData + - log.userGroupName + - log.authClient + - target.file + - target.path + - log.ftpDirection + - target.url + - log.downloadFileName + - log.downloadFileType + - log.uploadFileName + - log.uploadFileType + - protocol + - log.reason + - log.referer + - log.status + - log.statusCode + - log.url + - log.virus + - log.userAgent + - log.userGroup + - origin.user + - log.bridgeName + - log.bridgeDisplayName + - log.timeZone + - log.applicationCategory + - log.applicationName + - log.applicationTech + - log.appResolvedBy + + - trim: + function: prefix + substring: '<' + fields: + - log.syslogPriority + + - trim: + function: suffix + substring: '>' + fields: + - log.syslogPriority + + # Adding geolocation to target ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + + # Adding geolocation to origin ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + + # Field conversions + - cast: + fields: + - target.port + to: int + + - cast: + fields: + - log.statusCode + - origin.bytesReceived + - origin.bytesSent + to: float + + # Renaming "log.statusCode" to "statusCode" to add it to the event structure + - rename: + from: + - log.statusCode + to: statusCode + + # Adding actionResult + # denied by default + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + + - add: + function: 'string' + 
params: + key: actionResult + value: 'accepted' + where: (greaterOrEqual("statusCode", 200) && lessOrEqual("statusCode", 299)) || (greaterOrEqual("statusCode", 300) && lessOrEqual("statusCode", 399) && greaterThan("origin.bytesReceived", 0)) + + # Removing unused fields + - delete: + fields: + - log.0trash + - log.1trash + - log.2trash + - log.3trash + - log.4trash + - log.5trash + - log.6trash + - log.7trash + - log.8trash + - log.irrelevant + - log.rawdata + - log.message + - log.restData + - log.useragent + - log.activityname + - log.httpresponsecode + - log.overrideauthorizer + - log.overridename + - log.overridetoken + - log.transactionid + - log.applicationcategory + - log.applicationname + - log.applicationtechnology + - log.avpolicyname + - log.ethertype + - log.bridgedisplayname + - log.bridgename + - log.usergroupname + - log.authclient + - log.logcomponent + - log.logsubtype + - log.name + - log.logtype$$ + WHERE id=801; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209019_update_filter_suricata.xml b/backend/src/main/resources/config/liquibase/changelog/20260209019_update_filter_suricata.xml new file mode 100644 index 000000000..06344fd41 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209019_update_filter_suricata.xml 
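Review bot: `actionResult` is set to `denied` by default and only flipped to `accepted` on an HTTP `statusCode`, so firewall events with `log_subtype="Allowed"` (the very case the comment in this hunk describes) and every other non-HTTP allowed event are labelled `denied`, which would skew any rule or dashboard keyed on accepted vs. denied traffic. The parsed `log.subType` field is available at that point but never consulted; adding an `accepted` rule keyed on it (below) covers the non-HTTP types, assuming the engine lets a later `add` overwrite the default as the existing statusCode rule already relies on. Two smaller points in the rename list: `log.usedquota` is renamed to `log.responseTime`, which looks like a mislabel unless those fields are known to coincide, and both `log.srcip` and `log.ipaddress` are renamed to `origin.ip`, so whichever rename runs last wins when both keys are present. The UPDATE statement's SET clause begins outside this hunk.
```yaml
  # Adding actionResult
  # denied by default
  # … unchanged: default 'denied' add and the statusCode-based 'accepted' add …
  - add:
      function: 'string'
      params:
        key: actionResult
        value: 'accepted'
      where: equals("log.subType", "Allowed")
```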
@@ -0,0 +1,196 @@ + + + + + + + ' + - fieldName: log.syslogTimestamp + pattern: '{{.monthName}}(\s+){{.monthDay}}(\s+){{.time}}' + - fieldName: log.syslogHost + pattern: '{{.hostname}}' + - fieldName: log.syslogProgram + pattern: '{{.word}}' + - fieldName: log.syslogPid + pattern: '\[{{.integer}}\]: ' + - fieldName: log.suricataJson + pattern: '{{.greedy}}' + + # Parse Suricata JSON logs + - json: + source: log.suricataJson + where: regexMatch("log.suricataJson", "^\\{.*\\}$") + + # Rename fields to conversion v11 schema + - rename: + from: + - log.destip + to: target.ip + + - rename: + from: + - log.destport + to: target.port + + - rename: + from: + - log.flowid + to: log.flowId + + - rename: + from: + - log.host + to: target.host + + - rename: + from: + - log.iniface + to: log.inFace + + - rename: + from: + - log.srcip + to: origin.ip + + - rename: + from: + - log.srcport + to: origin.port + + - rename: + from: + - log.txid + to: log.txId + + - rename: + from: + - log.eventtype + to: log.eventType + + - rename: + from: + - log.appproto + to: log.appProto + + - rename: + from: + - log.proto + to: protocol + + + # Adding severity field based on log.alert.severity + - add: + function: "string" + params: + key: severity + value: "low" + where: equals("log.alert.severity", 1) + + - add: + function: "string" + params: + key: severity + value: "medium" + where: equals("log.alert.severity", 2) + + - add: + function: "string" + params: + key: severity + value: "high" + where: equals("log.alert.severity", 3) + + #....................................................................... 
+ # Add new eventtypes to logx structure, detected in real logs, present in suricata 7.0.0 + - rename: + from: + - log.ftpdata + to: log.ftpData + + - rename: + from: + - log.fileinfo + to: log.fileInfo + + # Implementing action field used for established connections + - add: + function: "string" + params: + key: action + value: "success" + where: (equals("log.eventType", "tls") && exists("log.tls.sessionresumed")) || + (equals("log.eventType", "dns") && equals("log.dns.type", "answer")) || + (equals("log.eventType", "flow") && exists("origin.ip") && exists("target.ip") && greaterThan("log.flow.bytestoserver", 0) && greaterThan("log.flow.bytestoclient", 0)) || + (equals("log.eventType", "ssh") && exists("log.ssh.server") && exists("log.ssh.client")) || + (equals("log.eventType", "alert") && exists("origin.ip") && exists("target.ip") && equals("log.alert.action", "allowed") && greaterThan("log.flow.bytestoserver", 0) && greaterThan("log.flow.bytestoclient", 0)) || + (equals("log.eventType", "http") && exists("origin.ip") && exists("target.ip") && exists("log.http.status")) || + (equals("log.eventType", "ftp") && exists("origin.ip") && exists("target.ip") && exists("log.ftp.completioncode")) || + (equals("log.eventType", "tftp") && exists("origin.ip") && exists("target.ip") && !equals("log.tftp.packet", "error")) || + (equals("log.eventType", "smb") && exists("origin.ip") && exists("target.ip") && oneOf("log.smb.command", ["NEGOTIATE"]) && oneOf("log.smb.status", ["SUCCESS", "GRANTED", "CONNECTED"])) || + (equals("log.eventType", "rdp") && exists("origin.ip") && exists("target.ip") && (equals("log.rdp.eventType", "connectresponse") || equals("log.rdp.eventType", "tlshandshake"))) || + (equals("log.eventType", "rfb") && exists("origin.ip") && exists("target.ip") && equals("log.rfb.authentication.security-result", "OK")) || + (equals("log.eventType", "mqtt") && exists("origin.ip") && exists("target.ip") && (equals("log.mqtt.connack.returncode", "0") || 
equals("log.mqtt.connack.returncode", "0x00"))) || + (equals("log.eventType", "pgsql") && exists("origin.ip") && exists("target.ip") && (exists("log.pgsql.request.simplequery") || exists("log.pgsql.response.commandcompleted") || equals("log.pgsql.response.sslaccepted", "true") || equals("log.pgsql.response.accepted", "true") || exists("log.pgsql.response.authenticationmd5password"))) || + ((equals("log.eventType", "ike") || equals("log.eventType", "ikev1") || equals("log.eventType", "ikev2")) && exists("origin.ip") && exists("target.ip")) || + (equals("log.eventType", "modbus") && exists("origin.ip") && exists("target.ip")) || + (equals("log.eventType", "sip") && exists("origin.ip") && exists("target.ip")) || + (equals("log.eventType", "quic") && exists("origin.ip") && exists("target.ip")) || + (equals("log.eventType", "fileinfo") && exists("origin.ip") && exists("target.ip")) || + (equals("log.eventType", "snmp") && exists("origin.ip") && exists("target.ip")) || + (equals("log.eventType", "dhcp") && exists("origin.ip") && exists("target.ip") && !equals("log.dhcp.assignedip", "0")) + + + # Adding geolocation to origin.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + + # Adding geolocation to target.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + + # Removing unused fields + - delete: + fields: + - log.suricataJson + - log.syslogPri + - log.syslogTimestamp + - log.syslogProgram + - log.syslogPid$$ + WHERE id=1530; + ]]> + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209020_update_filter_wineventlog.xml b/backend/src/main/resources/config/liquibase/changelog/20260209020_update_filter_wineventlog.xml new file mode 100644 index 000000000..6d66f8724 --- /dev/null 
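Review bot: The `severity` mapping looks inverted: in Suricata's EVE output `alert.severity` mirrors the rule classification priority, where 1 is the most severe and 3 the least, so the current rules (`equals("log.alert.severity", 1)` → `low`, `3` → `high`) would tag the highest-priority alerts as low. Unless the deployment's classification.config deliberately reverses the convention, the `where` clauses on the `low` and `high` rules should be swapped: `where: equals("log.alert.severity", 3)` for `low` and `where: equals("log.alert.severity", 1)` for `high`. A one-line comment above the block stating the direction of the scale (`# Suricata priority: 1 = most severe`) would keep the next edit from reintroducing this.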
+++ b/backend/src/main/resources/config/liquibase/changelog/20260209020_update_filter_wineventlog.xml @@ -0,0 +1,2995 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209021_update_filter_crowdstrike.xml b/backend/src/main/resources/config/liquibase/changelog/20260209021_update_filter_crowdstrike.xml new file mode 100644 index 000000000..edccb87b8 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209021_update_filter_crowdstrike.xml @@ -0,0 +1,330 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209022_update_correlation_rules.xml b/backend/src/main/resources/config/liquibase/changelog/20260209022_update_correlation_rules.xml new file mode 100644 index 000000000..fa53ecbf1 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209022_update_correlation_rules.xml @@ -0,0 +1,22 @@ + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209023_update_system_owner_correlation_rules.xml b/backend/src/main/resources/config/liquibase/changelog/20260209023_update_system_owner_correlation_rules.xml new file mode 100644 index 000000000..40503050a --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209023_update_system_owner_correlation_rules.xml @@ -0,0 +1,13 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209024_update_filter_utmstack.xml b/backend/src/main/resources/config/liquibase/changelog/20260209024_update_filter_utmstack.xml new file mode 100644 index 000000000..3d8751840 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260209024_update_filter_utmstack.xml @@ -0,0 +1,39 @@ + + + + + + + + + + \ No newline at end of file 
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210001_update_filter_cisco_asa.xml b/backend/src/main/resources/config/liquibase/changelog/20260210001_update_filter_cisco_asa.xml new file mode 100644 index 000000000..809279343 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260210001_update_filter_cisco_asa.xml 
@@ -0,0 +1,5939 @@ + + + + + + + Syslog +# +# 1. Parsing the message field containing the Cisco ASA log +pipeline: + - dataTypes: + - firewall-cisco-asa + steps: + # Common ASA fields + - grok: + patterns: + - fieldName: log.syslogPri + pattern: '(\<{{.integer}}\>)' + - fieldName: log.ciscoTime + pattern: '({{.day}}\s)?{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.localIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.asaHeader + pattern: '{{.data}}ASA-' + - fieldName: log.severity + pattern: '{{.integer}}' + - fieldName: log.messageId + pattern: '-{{.integer}}' + - fieldName: log.ciscoSeparator + pattern: '\:{{.space}}' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + - grok: + patterns: + - fieldName: log.ciscoTime + pattern: '({{.day}}\s)?{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.localIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.asaHeader + pattern: '{{.data}}ASA-' + - fieldName: log.severity + pattern: '{{.integer}}' + - fieldName: log.messageId + pattern: '-{{.integer}}' + - fieldName: log.ciscoSeparator + pattern: '\:{{.space}}' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + #......................................................................# + # Adding log.localIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.localIp + destination: log.localIp.geolocation + where: exists("log.localIp") + # Removing unwanted prefixes + - trim: + function: prefix + substring: '-' + fields: + - log.messageId + # Field conversions + - cast: + fields: + - log.messageId + to: int + # Begining specific message parsing + #......................................................................# + # ASA-2-106001 + - grok: + patterns: + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.ciscoResult + 
pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '/{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '/{{.integer}}' + - fieldName: log.irrelevant + pattern: 'flags' + - fieldName: log.flags + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106001 + + - trim: + function: prefix + substring: '/' + fields: + - origin.port + - target.port + where: log.messageId==106001 + + #......................................................................# + #ASA-2-106017 + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'IP\sdue\sto' + - fieldName: action + pattern: '{{.greedy}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + source: log.msg + where: log.messageId==106017 + - trim: + function: suffix + substring: 'from' + fields: + - action + where: log.messageId==106017 + #......................................................................# + # ASA-1-106021 + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: action + pattern: '{{.greedy}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106021 + - trim: + function: suffix + substring: 'from' + fields: + - action + where: log.messageId==106021 + - add: + function: 'string' + 
params: + key: actionResult + value: 'denied' + where: log.messageId==106021 + #......................................................................# + # ASA-2-106101 + - grok: + patterns: + - fieldName: action + pattern: 'Number of cached deny-flows for ACL log has reached limit' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106101 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Number of cached' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==106101 + # Parsing the limit number + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.numFlows + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==106101 + # Field conversions + - cast: + fields: + - log.numFlows + to: int + where: log.messageId==106101 + + #......................................................................# + # ASA-6-106102,106103 + # First variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'access-list' + - fieldName: log.accessList + pattern: '{{.data}}\s' + - fieldName: actionResult + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})\s' + - fieldName: log.srcInterface + pattern: '{{.data}}/' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.dstInterface + pattern: '{{.data}}/' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'hit-cnt' + - fieldName: log.hitCount + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106102 || 
log.messageId==106103 + # Second variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'access-list' + - fieldName: log.accessList + pattern: '{{.data}}\s' + - fieldName: actionResult + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})\s' + - fieldName: log.srcInterface + pattern: '{{.data}}/' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: '-\>' + - fieldName: log.dstInterface + pattern: '{{.data}}/' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'hit-cnt' + - fieldName: log.hitCount + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: suffix + substring: '/' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: prefix + substring: '(' + fields: + - origin.port + - target.port + where: log.messageId==106102 || log.messageId==106103 + - trim: + function: suffix + substring: ')' + fields: + - origin.port + - target.port + where: log.messageId==106102 || log.messageId==106103 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && equalsIgnoreCase("actionResult", "Permitted") + # Adding action result + - add: + 
function: 'string' + params: + key: actionResult + value: 'denied' + where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && !equalsIgnoreCase("actionResult", "Permitted") + #......................................................................# + # ASA-4-109017 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'User at' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'exceeded auth proxy connection limit' + - fieldName: log.limit + pattern: '\({{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==109017 + + - trim: + function: prefix + substring: '(' + fields: + - log.limit + where: log.messageId==109017 + - cast: + fields: + - log.limit + to: int + where: log.messageId==109017 + #......................................................................# + # ASA-6-109101 + - grok: + patterns: + - fieldName: action + pattern: 'Received CoA disconnect request' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}}),' + - fieldName: log.irrelevant + pattern: 'with\saudit-session-id:' + - fieldName: log.auditSessionId + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==109101 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received CoA' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==109101 + - trim: + function: suffix + substring: ',' + fields: + - origin.user + where: log.messageId==109101 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==109101 + #......................................................................# + # 
ASA-4-109102 + - grok: + patterns: + - fieldName: action + pattern: 'Received CoA {{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: ', but cannot find named session' + - fieldName: log.auditSessionId + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==109102 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received CoA' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==109102 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==109102 + #......................................................................# + # ASA-3-109103 + - grok: + patterns: + - fieldName: action + pattern: 'CoA {{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'failed for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}}),' + - fieldName: log.irrelevant + pattern: 'with session ID:' + - fieldName: log.auditSessionId + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==109103 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'CoA' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==109103 + - trim: + function: suffix + substring: ',' + fields: + - origin.user + where: log.messageId==109103 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==109103 + #......................................................................# + # ASA-109201 to 109213 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'UAUTH(:)? 
Session(\s|=)' + - fieldName: log.session + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'User(\s|=)' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'Assigned IP(\s|=)' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: ',' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId>=109201 && log.messageId<=109213 + - trim: + function: suffix + substring: ',' + fields: + - log.session + - origin.user + where: log.messageId>=109201 && log.messageId<=109213 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId>=109201 && log.messageId<=109213 + #......................................................................# + # ASA-6-113004 + - grok: + patterns: + - fieldName: action + pattern: 'AAA user {{.word}} Successful' + - fieldName: log.irrelevant + pattern: '\:' + - fieldName: log.irrelevant + pattern: 'server(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.data}}(\:|,)' + - fieldName: log.irrelevant + pattern: '(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113004 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'AAA user {{.word}}' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113004 + - trim: + function: suffix + substring: ':' + fields: + - target.ip + where: log.messageId==113004 + - trim: + function: suffix + substring: ',' + fields: + - target.ip + where: log.messageId==113004 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113004 + #......................................................................# + # ASA-6-113005 + - grok: + patterns: + - fieldName: action + pattern: 'AAA user authentication Rejected(\s)?' 
+ - fieldName: log.irrelevant + pattern: '\:(\s)?reason(\s)?=(\s)' + - fieldName: log.reason + pattern: '{{.data}}(\:|,)' + - fieldName: log.irrelevant + pattern: '(server|Server)(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.data}}(\:|,)' + - fieldName: log.irrelevant + pattern: '(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.data}}(\:|,)' + - fieldName: log.irrelevant + pattern: '(U|u)ser IP(\s)?=(\s)?' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113005 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'AAA user authentication' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113005 + - trim: + function: suffix + substring: ':' + fields: + - log.reason + - target.ip + - origin.user + where: log.messageId==113005 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113005 + #......................................................................# + # ASA-6-113008 + - grok: + patterns: + - fieldName: action + pattern: 'AAA transaction status ACCEPT(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?(u|U)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113008 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113008 + #......................................................................# + # ASA-6-113009 + # First variant + - grok: + patterns: + - fieldName: action + pattern: 'AAA retrieved default group policy' + - fieldName: log.policy + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'for (u|U)ser(\s)?=(\s)?' 
+ - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113009 + - trim: + function: prefix + substring: '(' + fields: + - log.policy + where: log.messageId==113009 + - trim: + function: suffix + substring: ')' + fields: + - log.policy + where: log.messageId==113009 + # Second variant + - grok: + patterns: + - fieldName: action + pattern: 'AAA retrieved default group policy' + - fieldName: log.policy + pattern: '{{.data}}\sfor' + - fieldName: log.irrelevant + pattern: '(u|U)ser(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113009 + - trim: + function: suffix + substring: 'for' + fields: + - log.policy + where: log.messageId==113009 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113009 + #......................................................................# + # ASA-6-113010 + - grok: + patterns: + - fieldName: action + pattern: 'AAA challenge received for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}}) from server' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113010 + - trim: + function: suffix + substring: 'from server' + fields: + - origin.user + where: log.messageId==113010 + #......................................................................# + # ASA-6-113011 + # First variant + - grok: + patterns: + - fieldName: action + pattern: 'AAA retrieved user specific group policy' + - fieldName: log.policy + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'for (u|U)ser(\s)?=(\s)?' 
+ - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113011 + - trim: + function: prefix + substring: '(' + fields: + - log.policy + where: log.messageId==113011 + - trim: + function: suffix + substring: ')' + fields: + - log.policy + where: log.messageId==113011 + # Second variant + - grok: + patterns: + - fieldName: action + pattern: 'AAA retrieved user specific group policy' + - fieldName: log.policy + pattern: '{{.data}}\sfor' + - fieldName: log.irrelevant + pattern: '(u|U)ser(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113011 + - trim: + function: suffix + substring: 'for' + fields: + - log.policy + where: log.messageId==113011 + #......................................................................# + # ASA-6-113012 + - grok: + patterns: + - fieldName: action + pattern: 'AAA user authentication Successful(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?local database(\s)?:(\s)?user(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113012 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'AAA user authentication' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113012 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113012 + #......................................................................# + # ASA-6-113013 + - grok: + patterns: + - fieldName: action + pattern: 'AAA unable to complete the request' + - fieldName: log.irrelevant + pattern: 'Error(\s)?:(\s)?reason(\s)?=(\s)?' + - fieldName: log.reason + pattern: '{{.data}}\:' + - fieldName: log.irrelevant + pattern: 'user(\s)?=(\s)?' 
+ - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113013 + - trim: + function: suffix + substring: ':' + fields: + - log.reason + where: log.messageId==113013 + #......................................................................# + # ASA-6-113014 + - grok: + patterns: + - fieldName: action + pattern: 'AAA authentication server not accessible(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?server(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: '\:(\s)?(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113014 + #......................................................................# + # ASA-6-113015, 113017 + - grok: + patterns: + - fieldName: action + pattern: '(AAA user authentication|AAA credentials)\s(R|r)ejected(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?reason(\s)?=(\s)?' + - fieldName: log.reason + pattern: '{{.data}}(\s)?\:' + - fieldName: log.irrelevant + pattern: 'local database(\s)?:(\s)?(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})(\s)?:' + - fieldName: log.irrelevant + pattern: 'user IP(\s)?=(\s)?' 
+ - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113015 || log.messageId==113017 + - trim: + function: suffix + substring: ':' + fields: + - log.reason + - origin.user + where: log.messageId==113015 || log.messageId==113017 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(AAA user authentication|AAA credentials)\s' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113015 || log.messageId==113017 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113015 || log.messageId==113017 + #......................................................................# + # ASA-6-113016 + - grok: + patterns: + - fieldName: action + pattern: 'AAA credentials rejected(\s)?' + - fieldName: log.irrelevant + pattern: '\:(\s)?reason(\s)?=(\s)?' + - fieldName: log.reason + pattern: '{{.data}}(\s)?\:' + - fieldName: log.irrelevant + pattern: 'server(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.data}}(\s)?\:' + - fieldName: log.irrelevant + pattern: '(U|u)ser(\s)?=(\s)?' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})(\s)?:' + - fieldName: log.irrelevant + pattern: 'user IP(\s)?=(\s)?' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113016 + - trim: + function: suffix + substring: ':' + fields: + - log.reason + - target.ip + - origin.user + where: log.messageId==113016 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'AAA credentials' + - fieldName: log.ciscoResult + pattern: '{{.greedy}}' + source: action + where: log.messageId==113016 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113016 + #......................................................................# + # ASA-4-113019 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?=(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}(\s)?,' + - fieldName: log.irrelevant + pattern: '(U|u)sername(\s)?=(\s)?' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})(\s)?,' + - fieldName: log.irrelevant + pattern: 'IP(\s)?=(\s)?' + - fieldName: origin.ip + pattern: '{{.data}},' + - fieldName: action + pattern: '(\s)?Session disconnected\.' + - fieldName: log.irrelevant + pattern: '(\s)?Session Type:(\s)?' + - fieldName: log.sessionType + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '(\s)?Duration:(\s)?' + - fieldName: log.duration + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '(\s)?Bytes xmt:(\s)?' + - fieldName: origin.bytesSent + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '(\s)?Bytes rcv:(\s)?' + - fieldName: origin.bytesReceived + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '(\s)?Reason:(\s)?' + - fieldName: log.reason + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113019 + - trim: + function: suffix + substring: ',' + fields: + - origin.group + - origin.user + - origin.ip + - log.sessionType + - log.duration + - origin.bytesSent + - origin.bytesReceived + where: log.messageId==113019 + - cast: + fields: + - origin.bytesSent + - origin.bytesReceived + to: int + where: log.messageId==113019 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113019 + #......................................................................# + # ASA-113031,113032,113033 + # Common fields + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}\sUser' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})(\s)?IP' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + # Specific fields + - grok: + patterns: + - fieldName: action + pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)' + - fieldName: log.filter + pattern: '{{.data}}\sis' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + - grok: + patterns: + - fieldName: action + pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + - trim: + function: suffix + substring: 'is' + fields: + - log.filter + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113031 || log.messageId==113032 || log.messageId==113033 + #......................................................................# + # ASA-113034,113035,113036,113038,113039 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '(\<)?{{.data}}(\>)?\sUser' + - fieldName: origin.user + pattern: '(''{{.data}}''|(\<)?{{.data}}(\>)?)(\s)?IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==113034 || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==113039 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==113035 || log.messageId==113038 + #......................................................................# + # ASA-4-113042 + - grok: + patterns: + - fieldName: action + pattern: 'CoA: Non-HTTP connection from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' 
+ - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: log.remoteUser + pattern: '(''{{.data}}''|{{.data}})(\s)?at' + - fieldName: log.remoteIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==113042 + - trim: + function: suffix + substring: 'from' + fields: + - action + where: log.messageId==113042 + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==113042 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==113042 + - trim: + function: suffix + substring: 'at' + fields: + - log.remoteUser + where: log.messageId==113042 + #......................................................................# + # ASA-2-201003 + - grok: + patterns: + - fieldName: action + pattern: 'Embryonic limit exceeded' + - fieldName: log.numCons + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '/(\s)?' + - fieldName: log.limit + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'for' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '/(\s)?' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.globalIp + pattern: '\({{.data}}\)' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '/(\s)?' 
+ - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.dstInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==201003 + - trim: + function: prefix + substring: '(' + fields: + - log.globalIp + where: log.messageId==201003 + - trim: + function: suffix + substring: ')' + fields: + - log.globalIp + where: log.messageId==201003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==201003 + #......................................................................# + # ASA-4-209003 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Fragment database limit of' + - fieldName: log.limit + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'exceeded:(\s)?src(\s)?=(\s)?' + - fieldName: origin.ip + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'dest(\s)?=(\s)?' + - fieldName: target.ip + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'proto(\s)?=(\s)?' + - fieldName: protocol + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'id(\s)?=(\s)?' 
+ - fieldName: log.id + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==209003 + - trim: + function: suffix + substring: ',' + fields: + - origin.ip + - target.ip + - protocol + where: log.messageId==209003 + - cast: + fields: + - log.limit + to: int + where: log.messageId==209003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==209003 + #......................................................................# + # ASA-3-316001 + - grok: + patterns: + - fieldName: action + pattern: 'Denied new tunnel' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==316001 + # Action result + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==316001 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==316001 + #......................................................................# + # ASA-3-316002 + - grok: + patterns: + - fieldName: action + pattern: 'VPN Handle error' + - fieldName: log.irrelevant + pattern: '\:(\s)?protocol=' + - fieldName: protocol + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'src\s' + - fieldName: log.inIfNum + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\:(\s)?' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: ',(\s)?dst' + - fieldName: log.outIfNum + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\:(\s)?' 
+ - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==316002 + - trim: + function: suffix + substring: ',' + fields: + - protocol + where: log.messageId==316002 + - cast: + fields: + - log.inIfNum + - log.outIfNum + to: int + where: log.messageId==316002 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==316002 + #......................................................................# + # ASA-302003,302004 + # First variant + - grok: + patterns: + - fieldName: action + pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)' + - fieldName: log.irrelevant + pattern: 'for' + - fieldName: log.foreignAddress + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpToip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?' + - fieldName: log.irrelevant + pattern: '(to\s)?' + - fieldName: log.localAddress + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFromip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?' + source: log.msg + where: log.messageId==302003 || log.messageId==302004 + # Second variant + - grok: + patterns: + - fieldName: action + pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)' + - fieldName: log.irrelevant + pattern: 'for' + - fieldName: log.foreignAddress + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpToip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?' + - fieldName: log.localAddress + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.tmpFromip + pattern: '({{.ipv4}}|{{.ipv6}})((\s)?/(\s)?{{.integer}}|(\s)?/)?' 
+ source: log.msg + where: log.messageId==302003 || log.messageId==302004 + # Parsing from/to ip and port + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: target.port + pattern: '{{.greedy}}' + source: log.tmpToip + where: log.messageId==302003 || log.messageId==302004 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.tmpToip + where: log.messageId==302003 || log.messageId==302004 + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: origin.port + pattern: '{{.greedy}}' + source: log.tmpFromip + where: log.messageId==302003 || log.messageId==302004 + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.tmpFromip + where: log.messageId==302003 || log.messageId==302004 + - trim: + function: prefix + substring: '/' + fields: + - origin.port + - target.port + where: log.messageId==302003 || log.messageId==302004 + # Removing temp fields + - delete: + fields: + - log.tmpFromip + - log.tmpToip + where: log.messageId==302003 || log.messageId==302004 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302003 || log.messageId==302004 + #......................................................................# + # ASA-6-302012 + - grok: + patterns: + - fieldName: action + pattern: 'Pre-allocate H225 Call Signalling Connection' + - fieldName: log.irrelevant + pattern: 'for faddr' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: origin.port + pattern: '/(\s)?{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to laddr' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302012 + - trim: + function: prefix + substring: '/' + fields: + - origin.port + where: log.messageId==302012 + # Adding 
action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302012 + #......................................................................# + # ASA-6-302013 + - grok: + patterns: + - fieldName: log.tmpDirection + pattern: 'Built\s{{.word}}\s(Probe)?' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302013 + # Parsing direction field + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpDirection + where: log.messageId==302013 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302013 + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 
'\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302013 + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302013 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: log.messageId==302013 + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + where: log.messageId==302013 + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302013 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: log.messageId==302013 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302013 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302013 + #......................................................................# + # ASA-6-302014 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown\s(Probe)?' 
+ - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302014 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302014 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302014 + # Parsing AAA user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.data}}\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302014 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: log.messageId==302014 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302014 + + # Cleaning fields + - trim: + function: 
suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302014 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==302014 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302014 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302014 + #......................................................................# + # ASA-6-302015 + - grok: + patterns: + - fieldName: log.tmpDirection + pattern: 'Built\s{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302015 + # Parsing direction field + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.greedy}}' + source: log.tmpDirection + where: log.messageId==302015 + # Parsing firewall user from + - grok: + patterns: + - fieldName: 
log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302015 + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302015 + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302015 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: log.messageId==302015 + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + where: log.messageId==302015 + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302015 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: log.messageId==302015 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302015 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302015 + #......................................................................# + # ASA-6-302016 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: 
log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302016 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302016 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302016 + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + source: log.rest + where: log.messageId==302016 + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302016 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: log.messageId==302016 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302016 + + # Cleaning 
fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302016 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==302016 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302016 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302016 + #......................................................................# + # ASA-6-302017 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'GRE connection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.translatedIpFrom + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.realCid + pattern: '{{.data}}\(' + - fieldName: log.translatedIpTo + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302017 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302017 + # Parsing translatedCid and, firewall user to and AAA user if present + - grok: + patterns: + - fieldName: log.translatedCid + pattern: 
'{{.data}}\)' + - fieldName: log.tmpUserInfo + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==302017 + - grok: + patterns: + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302017 + # FW user and AAA user + - grok: + patterns: + - fieldName: log.tmpFwUserTo + pattern: '\({{.data}}\)' + - fieldName: target.user + pattern: '\({{.data}}\)' + source: log.tmpUserInfo + where: log.messageId==302017 + - grok: + patterns: + - fieldName: log.tmpFwUserTo + pattern: '\({{.data}}\)' + source: log.tmpUserInfo + where: log.messageId==302017 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302017 + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - target.user + - log.translatedCid + where: log.messageId==302017 + - trim: + function: suffix + substring: '(' + fields: + - log.realCid + - target.user + where: log.messageId==302017 + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + - log.tmpFwUserTo + - log.tmpUserInfo + where: log.messageId==302017 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302017 + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - log.translatedIpTo + where: log.messageId==302017 + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: log.messageId==302017 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302017 + #......................................................................# + # ASA-6-302018 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown 
GRE connection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.translatedIpFrom + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.realCid + pattern: '{{.data}}\(' + - fieldName: log.translatedIpTo + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302018 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302018 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302018 + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + source: log.rest + where: log.messageId==302018 + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + 
pattern: '{{.data}}\)' + source: log.rest + where: log.messageId==302018 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + - log.translatedCid + where: log.messageId==302018 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302018 + # Cleaning fields + - trim: + function: suffix + substring: '(' + fields: + - log.realCid + where: log.messageId==302018 + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302018 + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - log.translatedIpTo + where: log.messageId==302018 + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: log.messageId==302018 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302018 + #......................................................................# + # ASA-6-302020, 302021 + # 302020 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for faddr' + - fieldName: log.tmpFaddrAndFwUser + pattern: '({{.data}})gaddr' + - fieldName: log.tmpGaddrAndFwUser + pattern: '({{.data}})laddr' + - fieldName: log.tmpLaddrAndFwUser + pattern: '({{.data}})type' + - fieldName: log.icmpType + pattern: '({{.data}})code' + - fieldName: log.icmpCode + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302020 + # 302021 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for faddr' + - fieldName: log.tmpFaddrAndFwUser + pattern: '({{.data}})gaddr' + - fieldName: log.tmpGaddrAndFwUser + 
pattern: '({{.data}})laddr' + - fieldName: log.tmpLaddrAndFwUser + pattern: '({{.data}})type' + - fieldName: log.icmpType + pattern: '({{.data}})code' + - fieldName: log.icmpCode + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302021 + # Common parsing for 302020 and 302021 + # For parsing faddr and fwuser from (Begin with ip/port), or icmpSeqNum + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '{{.greedy}}' + source: log.tmpFaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserFrom + pattern: '{{.greedy}}' + source: log.tmpFaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # icmpSeqNum variants + - grok: + patterns: + - fieldName: log.icmpSeqNum + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'gaddr' + source: log.tmpFaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - grok: + patterns: + - fieldName: log.icmpSeqNum + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: 'gaddr' + source: log.tmpFaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # Cleaning icmpSeqNum + - trim: + function: suffix + substring: 'gaddr' + fields: + - log.icmpSeqNum + where: log.messageId==302020 || log.messageId==302021 + # Continue with firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302020 || log.messageId==302021 + # For parsing gaddr and global fwuser (Begin with ip/port), or icmpType + - grok: + patterns: + - 
fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.globalPort + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: '{{.greedy}}' + source: log.tmpGaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - grok: + patterns: + - fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserGlobal + pattern: '{{.greedy}}' + source: log.tmpGaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # icmpType variants + - grok: + patterns: + - fieldName: log.icmpType + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'laddr' + source: log.tmpGaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - grok: + patterns: + - fieldName: log.icmpType + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: 'laddr' + source: log.tmpGaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # Cleaning icmpType + - trim: + function: suffix + substring: 'laddr' + fields: + - log.icmpType + where: log.messageId==302020 || log.messageId==302021 + - trim: + function: suffix + substring: 'code' + fields: + - log.icmpType + where: log.messageId==302020 || log.messageId==302021 + # Continue with global firewall + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.globalFirewallUser + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserGlobal + where: log.messageId==302020 || log.messageId==302021 + # For parsing laddr and fwuser to (Begin with ip/port) + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.tmpLaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + - 
grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.tmpLaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # Continue with firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302020 || log.messageId==302021 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - origin.ip + where: log.messageId==302020 || log.messageId==302021 + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - log.globalFirewallUser + where: log.messageId==302020 || log.messageId==302021 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + - log.tmpFwUserGlobal + - log.tmpFaddrAndFwUser + - log.tmpGaddrAndFwUser + - log.tmpLaddrAndFwUser + where: log.messageId==302020 || log.messageId==302021 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302020 || log.messageId==302021 + #......................................................................# + # ASA-6-302022, 302024, 302026 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.role + pattern: '({{.data}})stub' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpMappedIpPortFrom + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - 
fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpMappedIpPortTo + pattern: '\({{.data}}\)' + source: log.msg + where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026 + # Parsing mapped ip,port from tmp fields + # With port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortFrom + where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026 + # Without port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortFrom + where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026 + # Parsing mapped ip,port to, from tmp fields + # With port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortTo + where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026 + # Without port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortTo + where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026 + # Cleaning fields + - trim: + function: suffix + substring: 'stub' + fields: + - log.role + where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026 + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302022 || 
log.messageId==302024 || log.messageId==302026 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026 + # Removing tmp fields + - delete: + fields: + - log.tmpMappedIpPortFrom + - log.tmpMappedIpPortTo + where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302022 || log.messageId==302024 || log.messageId==302026 + #......................................................................# + # ASA-6-302023, 302025, 302027 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown stub' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.reason + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: 
log.messageId==302023 || log.messageId==302025 || log.messageId==302027 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302023 || log.messageId==302025 || log.messageId==302027 + #......................................................................# + # ASA-302033,302034 + - grok: + patterns: + - fieldName: action + pattern: '(Pre-allocated|Unable to pre-allocate) H323 GUP Connection' + - fieldName: log.irrelevant + pattern: 'for faddr' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.tmpPortFrom + pattern: '{{.data}}to laddr' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: log.tmpIpPortTo + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302033 || log.messageId==302034 + # Parsing optional ports from y to + - grok: + patterns: + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpPortFrom + where: log.messageId==302033 || log.messageId==302034 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.greedy}}' + source: log.tmpIpPortTo + where: log.messageId==302033 || log.messageId==302034 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ source: log.tmpIpPortTo + where: log.messageId==302033 || log.messageId==302034 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302033 || log.messageId==302034 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==302033 || log.messageId==302034 + # Remove tmp fields + - delete: + fields: + - log.tmpPortFrom + - log.tmpIpPortTo + where: log.messageId==302033 || log.messageId==302034 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302033 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==302034 + #......................................................................# + #ASA-6-302035 + - grok: + patterns: + - fieldName: log.tmpDirection + pattern: 'Built\s{{.word}}\s{{.word}}\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302035 + # Parsing direction field + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - 
fieldName: log.direction + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpDirection + where: log.messageId==302035 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302035 + # Parsing port to, firewall user to, and, from user + - grok: + patterns: + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==302035 + # Without user info + - grok: + patterns: + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.rest + where: log.messageId==302035 + # Parsing firewall user to + # With origin.user + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.tmpFwUserTo + where: log.messageId==302035 + # Without origin.user + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + source: log.tmpFwUserTo + where: log.messageId==302035 + + # Decoding outside and inside sg_info + - grok: + patterns: + - fieldName: log.firewallUserFrom + pattern: '{{.data}}(\s)?,' + - fieldName: log.outsideSgInfo + pattern: '{{.data}}\)' + source: log.firewallUserFrom + where: log.messageId==302035 + - grok: + patterns: + - fieldName: log.firewallUserTo + pattern: '{{.data}}(\s)?,' + - fieldName: log.insideSgInfo + pattern: '{{.data}}\)' + source: log.firewallUserTo + where: log.messageId==302035 + - trim: + function: suffix + substring: 
')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + - log.insideSgInfo + - log.outsideSgInfo + where: log.messageId==302035 + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302035 + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302035 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: log.messageId==302035 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302035 + - trim: + function: suffix + substring: ',' + fields: + - log.firewallUserFrom + - log.firewallUserTo + where: log.messageId==302035 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302035 + #......................................................................# + # ASA-6-302036 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown\s{{.word}}\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.reason + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302036 + # 
Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==302036 + # Decoding outside and inside firewall user, and sg_info + # Side from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}(\s)?,' + - fieldName: log.outsideSgInfo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302036 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302036 + # Side to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}(\s)?,' + - fieldName: log.insideSgInfo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302036 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: log.messageId==302036 + # Parsing origin.user from log.reason field + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.data}}\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.reason + where: log.messageId==302036 + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: log.messageId==302036 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302036 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface 
+ - log.dstInterface + where: log.messageId==302036 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==302036 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302036 + - trim: + function: suffix + substring: ',' + fields: + - log.firewallUserFrom + - log.firewallUserTo + where: log.messageId==302036 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302036 + #......................................................................# + # ASA-6-302303 + - grok: + patterns: + - fieldName: action + pattern: 'Built\s{{.word}}\sstate-bypass\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302303 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==302303 + # Cleaning fields + - trim: + function: suffix + substring: ':' 
+ fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302303 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: log.messageId==302303 + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: log.messageId==302303 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302303 + #......................................................................# + # ASA-6-302304 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown\s{{.word}}\sstate-bypass\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.irrelevant + pattern: ',' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: ',' + - fieldName: log.reason + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302304 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==302304 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302304 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==302304 + - trim: + function: 
suffix + substring: 'from' + fields: + - log.connectionId + where: log.messageId==302304 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302304 + #......................................................................# + # ASA-6-302305 + - grok: + patterns: + - fieldName: action + pattern: 'Built\s{{.word}}\sstate-bypass\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302305 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==302305 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302305 + # Parsing port to, firewall user to, and, from user + - grok: + patterns: + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: 
log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.rest + where: log.messageId==302305 + # Without user info + - grok: + patterns: + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.rest + where: log.messageId==302305 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + source: log.tmpFwUserTo + where: log.messageId==302305 + + # Decoding outside and inside sg_info + - grok: + patterns: + - fieldName: log.firewallUserFrom + pattern: '{{.data}}(\s)?,' + - fieldName: log.outsideSgInfo + pattern: '{{.data}}\)' + source: log.firewallUserFrom + where: log.messageId==302305 + - grok: + patterns: + - fieldName: log.firewallUserTo + pattern: '{{.data}}(\s)?,' + - fieldName: log.insideSgInfo + pattern: '{{.data}}\)' + source: log.firewallUserTo + where: log.messageId==302305 + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + - log.insideSgInfo + - log.outsideSgInfo + where: log.messageId==302305 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302305 + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302305 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: log.messageId==302305 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302305 + - trim: + function: suffix + substring: ',' + fields: + - log.firewallUserFrom + - log.firewallUserTo + where: log.messageId==302305 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302305 
+ #......................................................................# + # ASA-6-302306 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown\s{{.word}}\sstate-bypass\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.reason + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==302306 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==302306 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==302306 + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + source: log.tmpFwUserTo + where: log.messageId==302306 + + # Decoding outside and inside sg_info + - grok: + patterns: + - fieldName: log.firewallUserFrom + pattern: '{{.data}}(\s)?,' + - fieldName: log.outsideSgInfo + pattern: '{{.data}}\)' + source: log.firewallUserFrom + where: log.messageId==302306 
+ - grok: + patterns: + - fieldName: log.firewallUserTo + pattern: '{{.data}}(\s)?,' + - fieldName: log.insideSgInfo + pattern: '{{.data}}\)' + source: log.firewallUserTo + where: log.messageId==302306 + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - log.insideSgInfo + - log.outsideSgInfo + where: log.messageId==302306 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: log.messageId==302306 + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==302306 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==302306 + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: log.messageId==302306 + - trim: + function: suffix + substring: ',' + fields: + - log.firewallUserFrom + - log.firewallUserTo + where: log.messageId==302306 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==302306 + #......................................................................# + # ASA-6-305009 + - grok: + patterns: + - fieldName: action + pattern: 'Built (dynamic|static) translation' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: log.tmpAclSrcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: log.mappedIpTo + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==305009 + # Parsing srcInterface + # With ACL + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}\(' + - fieldName: log.accessList + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpAclSrcInterface + where: log.messageId==305009 + # Without ACL + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}:' + source: log.tmpAclSrcInterface + where: log.messageId==305009 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==305009 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpAclSrcInterface + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.accessList + where: log.messageId==305009 + - trim: + function: suffix + substring: '(' + fields: + - log.srcInterface + where: log.messageId==305009 + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==305009 + #......................................................................# + # ASA-6-305010 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown (dynamic|static) translation' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.time}}' + source: log.msg + where: log.messageId==305010 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==305010 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + where: log.messageId==305010 + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==305010 + #......................................................................# + # ASA-6-305011 + - grok: + patterns: + - fieldName: action + pattern: 'Built\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + source: log.msg + where: log.messageId==305011 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==305011 + # Parsing protocol + - 
grok: + patterns: + - fieldName: action + pattern: 'Built\s(dynamic|static)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==305011 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + where: log.messageId==305011 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + where: log.messageId==305011 + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==305011 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==305011 + #......................................................................# + # ASA-6-305012 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: log.tmpAclSrcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.time}}' + source: log.msg + where: log.messageId==305012 + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: log.messageId==305012 + # Parsing protocol + - grok: + patterns: + - fieldName: action + pattern: 'Teardown\s(dynamic|static)' + - fieldName: protocol + pattern: '{{.word}}' + - 
fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==305012 + # Parsing srcInterface + # With ACL + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}\(' + - fieldName: log.accessList + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpAclSrcInterface + where: log.messageId==305012 + # Without ACL + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}:' + source: log.tmpAclSrcInterface + where: log.messageId==305012 + # Parsing srcInterface from himself to avoid parsing issues + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}\(' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.srcInterface + where: log.messageId==305012 + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.accessList + where: log.messageId==305012 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpAclSrcInterface + where: log.messageId==305012 + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: log.messageId==305012 + - trim: + function: suffix + substring: '(' + fields: + - log.srcInterface + where: log.messageId==305012 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==305012 + #......................................................................# + # ASA-3-322001 + - grok: + patterns: + - fieldName: action + pattern: '{{.word}}\sMAC\saddress' + - fieldName: log.localMac + pattern: '{{.data}}(\s)?,' + - fieldName: log.reason + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==322001 + # Action result + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant 
+ pattern: '{{.greedy}}' + source: action + where: log.messageId==322001 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.localMac + where: log.messageId==322001 + - trim: + function: suffix + substring: 'on' + fields: + - log.reason + where: log.messageId==322001 + #......................................................................# + # ASA-3-322002 + - grok: + patterns: + - fieldName: action + pattern: '{{.word}}\sinspection\scheck' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for\sarp' + - fieldName: log.httpMessageType + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'received\sfrom\shost' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.data}}\.' + - fieldName: log.irrelevant + pattern: '{{.data}}Address' + - fieldName: log.fakeSrcMac + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: 'IP\sAddress' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}Address' + - fieldName: log.boudSrcMac + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==322002 + # Protocol + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'inspection check' + source: action + where: log.messageId==322002 + # Cleaning fields + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: log.messageId==322002 + - trim: + function: suffix + substring: 'for' + fields: + - log.fakeSrcMac + where: log.messageId==322002 + - trim: + function: suffix + substring: '.' 
+ fields: + - log.srcInterface + where: log.messageId==322002 + #......................................................................# + # ASA-3-322003 + - grok: + patterns: + - fieldName: action + pattern: '{{.word}}\sinspection\scheck' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for\sarp' + - fieldName: log.httpMessageType + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'received\sfrom\shost' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.data}}\.' + - fieldName: log.irrelevant + pattern: '{{.data}}Address' + - fieldName: log.fakeSrcMac + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: 'IP\sAddress' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==322003 + # Protocol + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'inspection check' + source: action + where: log.messageId==322003 + # Cleaning fields + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: log.messageId==322003 + - trim: + function: suffix + substring: 'for' + fields: + - log.fakeSrcMac + where: log.messageId==322003 + - trim: + function: suffix + substring: '.' + fields: + - log.srcInterface + where: log.messageId==322003 + #......................................................................# + # ASA-4-400000 to 400050 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPS\:(\s)?' 
+ - fieldName: log.signatureId + pattern: '{{.integer}}' + - fieldName: action + pattern: '{{.data}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId>=400000 && log.messageId<=400050 + # Cleaning action before extract protocol + - trim: + function: suffix + substring: 'from' + fields: + - action + where: log.messageId>=400000 && log.messageId<=400050 + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: (log.messageId>=400000 && log.messageId<=400022) || (log.messageId>=400026 && log.messageId<=400040) + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==400023 || log.messageId==400024 || log.messageId==400041 + #......................................................................# + # ASA-4-402114 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' 
+ - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402114 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==402114 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: log.messageId==402114 + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + where: log.messageId==402114 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402114 + #......................................................................# + # ASA-4-402115 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' 
+ - fieldName: action + pattern: 'Received\sa\spacket' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'containing' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'data instead of' + - fieldName: log.expectedProtocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402115 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402115 + #......................................................................# + # ASA-4-402116 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' + - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.decapsulatedPktDestAddr + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.decapsulatedPktSrcAddr + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.decapsulatedPktProto + pattern: '{{.word}}' + - fieldName: log.irrelevant + 
pattern: '{{.data}}as' + - fieldName: log.localProxyIpAddr + pattern: '{{.data}}/' + - fieldName: log.localProxyIpMask + pattern: '{{.data}}/' + - fieldName: log.localProxyProto + pattern: '{{.data}}/' + - fieldName: log.localProxyPort + pattern: '{{.data}}and' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.remoteProxyIpAddr + pattern: '{{.data}}/' + - fieldName: log.remoteProxyIpMask + pattern: '{{.data}}/' + - fieldName: log.remoteProxyProto + pattern: '{{.data}}/' + - fieldName: log.remoteProxyPort + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402116 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==402116 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: log.messageId==402116 + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: log.messageId==402116 + - trim: + function: suffix + substring: '/' + fields: + - log.localProxyIpAddr + - log.localProxyIpMask + - log.localProxyProto + - log.remoteProxyIpAddr + - log.remoteProxyIpMask + - log.remoteProxyPort + - log.remoteProxyProto + where: log.messageId==402116 + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: log.messageId==402116 + - trim: + function: suffix + substring: 'and' + fields: + - log.localProxyPort + where: log.messageId==402116 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402116 + #......................................................................# + # ASA-4-402117 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' 
+ - fieldName: action + pattern: 'Received a non-IPsec \((\s)?{{.word}}(\s)?\) packet' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402117 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received a non-IPsec \(' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==402117 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402117 + #......................................................................# + # ASA-4-402118 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' + - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}length' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'with offset' + - fieldName: log.fragmentOffset + pattern: '{{.integer}}' + source: log.msg + where: log.messageId==402118 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + 
pattern: '{{.greedy}}' + source: action + where: log.messageId==402118 + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: log.messageId==402118 + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: log.messageId==402118 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==402118 + #......................................................................# + # ASA-4-402119, 402120 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' + - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==402119 || log.messageId==402120 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==402119 || log.messageId==402120 + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: log.messageId==402119 || log.messageId==402120 + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: log.messageId==402119 || log.messageId==402120 + # Adding action result + - add: + function: 'string' + params: 
+ key: actionResult + value: 'accepted' + where: log.messageId==402119 || log.messageId==402120 + #......................................................................# + # ASA-5-402128 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'CRYPTO\:(\s)?' + - fieldName: action + pattern: 'An attempt to allocate a large memory block' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: log.memorySize + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: log.memoryLimit + pattern: '{{.integer}}' + source: log.msg + where: log.messageId==402128 + #......................................................................# + # ASA-4-405001 + - grok: + patterns: + - fieldName: action + pattern: 'Received ARP (request|response) collision' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.data}}with' + - fieldName: log.irrelevant + pattern: 'existing ARP entry' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.mac + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==405001 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'ARP' + where: log.messageId==405001 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==405001 + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: log.messageId==405001 + - trim: + function: suffix + substring: 'with' + fields: + - log.srcInterface + where: log.messageId==405001 + #......................................................................# + # ASA-4-405002 + - grok: + patterns: + - fieldName: 
action + pattern: 'Received mac mismatch collision' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.mac + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==405002 + # Cleaning fields + - trim: + function: suffix + substring: 'for' + fields: + - origin.mac + where: log.messageId==405002 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + where: log.messageId==405002 + #......................................................................# + # ASA-4-406001 + - grok: + patterns: + - fieldName: action + pattern: 'FTP port command low port(\s)?\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==406001 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'FTP' + where: log.messageId==406001 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - action + where: log.messageId==406001 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + where: log.messageId==406001 + #......................................................................# + # ASA-4-406002 + - grok: + patterns: + - fieldName: action + pattern: 'FTP port command different address(\s)?\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.connectionIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.irrelevant + pattern: '(\s)?\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==406002 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'FTP' + where: log.messageId==406002 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - action + where: log.messageId==406002 + #......................................................................# + # ASA-4-407002 + - grok: + patterns: + - fieldName: action + pattern: 'Embryonic limit {{.data}} for through connections exceeded' + - fieldName: log.irrelevant + pattern: '{{.data}}\.' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.irrelevant + pattern: '\(' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '(\s)?\)(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==407002 + # Connection number and connection limit + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Embryonic limit' + - fieldName: log.numCons + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '/' + - fieldName: log.limit + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==407002 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==407002 + #......................................................................# + # ASA-6-603109 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown PPPOE Tunnel' + - fieldName: log.irrelevant + pattern: 'at' + - fieldName: log.srcInterface + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'tunnel-id(\s)?=(\s)?' + - fieldName: log.tunnelId + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'remote-peer(\s)?=(\s)?' 
+ - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==603109 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==603109 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.srcInterface + - log.tunnelId + where: log.messageId==603109 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==603109 + #......................................................................# + # ASA-6-605004 + - grok: + patterns: + - fieldName: action + pattern: 'Login\s{{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}\:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.service + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: 'user' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==605004 + # Action result + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Login' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + source: action + where: log.messageId==605004 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==605004 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==605004 + - trim: + function: suffix + substring: 'for' + fields: + - log.service + where: log.messageId==605004 + - trim: + function: suffix + substring: ':' + fields: + - log.dstInterface + where: log.messageId==605004 + 
- trim: + function: prefix + substring: '"' + fields: + - origin.user + where: log.messageId==605004 + - trim: + function: suffix + substring: '"' + fields: + - origin.user + where: log.messageId==605004 + #......................................................................# + # ASA-6-617100 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown {{.integer}} connection(\s)?(\(s\))?' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==617100 + # Connection number + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: log.numCons + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==617100 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==617100 + #......................................................................# + # ASA-2-106018 + - grok: + patterns: + - fieldName: action + pattern: 'ICMP packet' + - fieldName: log.irrelevant + pattern: 'type' + - fieldName: log.icmpType + pattern: '{{.data}}\s' + - fieldName: log.ciscoResult + pattern: 'denied' + - fieldName: log.irrelevant + pattern: 'by' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'list' + - fieldName: log.accessList + pattern: '{{.data}}src' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'dest' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106018 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'ICMP' + where: log.messageId==106018 + # Cleaning fields + - trim: + function: suffix + substring: 'src' + fields: + - log.accessList + where: log.messageId==106018 + # Adding action result + - add: + function: 'string' + params: + key: 
actionResult + value: 'denied' + where: log.messageId==106018 + #......................................................................# + # ASA-2-106020 + - grok: + patterns: + - fieldName: action + pattern: 'Deny IP teardrop fragment' + - fieldName: log.irrelevant + pattern: '\((\s)?size(\s)?=' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: ',(\s)?offset(\s)?=' + - fieldName: log.fragmentOffset + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)(\s)?from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==106020 + # Adding log.ciscoResult + - add: + function: 'string' + params: + key: log.ciscoResult + value: 'Denied' + where: log.messageId==106020 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==106020 + #......................................................................# + # ASA-6-611301 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'NAT configured for Client Mode with no split tunneling' + - fieldName: log.irrelevant + pattern: '{{.data}}ress\:' + - fieldName: log.mappedIp + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==611301 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'NAT' + where: log.messageId==611301 + #......................................................................# + # ASA-6-611303 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'NAT configured for Client Mode with split tunneling' + - fieldName: log.irrelevant + pattern: '{{.data}}ress\:' + - fieldName: log.mappedIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 
'{{.data}}works\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskFrom + pattern: '{{.data}}\s' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskTo + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==611303 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'NAT' + where: log.messageId==611303 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==611303 + #......................................................................# + # ASA-6-611304 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'NAT exemption configured for Network Extension Mode with split tunneling' + - fieldName: log.irrelevant + pattern: '{{.data}}works\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskFrom + pattern: '{{.data}}\s' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskTo + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==611304 + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'NAT' + where: log.messageId==611304 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==611304 + #......................................................................# + # ASA-6-611307 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:(\s)?Head end\:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611307 + # Adding action and log.ciscoResult + - add: + function: 'string' + params: + key: action + value: 'The VPN client is connected to the specified headend' + where: 
log.messageId==611307 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611307 + #......................................................................# + # ASA-6-611309 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'Disconnecting from head end and uninstalling previously downloaded policy' + - fieldName: log.irrelevant + pattern: '{{.data}}End\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611309 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611309 + #......................................................................# + # ASA-6-611310,611311 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'XAUTH' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '\:(\s)?Peer(\s)?\:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611310 || log.messageId==611311 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611310 + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==611311 + #......................................................................# + # ASA-6-611314 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:(\s)?Load Balancing Cluster with Virtual IP\:(\s)?' 
+ - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}server' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611314 + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Load Balancing Cluster redirected the Secure Firewall' + where: log.messageId==611314 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611314 + #......................................................................# + # ASA-6-611315 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:(\s)?Disconnecting from Load Balancing Cluster member(\:)?(\s)?' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611315 + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Disconnecting from Load Balancing Cluster' + where: log.messageId==611315 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==611315 + #......................................................................# + # ASA-6-611318 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'User Authentication Enabled' + - fieldName: log.irrelevant + pattern: '{{.data}}IP(\s)?\:' + - fieldName: log.authServerIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}Port(\s)?\:' + - fieldName: log.authServerPort + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}out(\s)?\:' + - fieldName: log.timeOut + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==611318 + #......................................................................# + # ASA-3-710003 + - grok: + patterns: + - fieldName: 
action + pattern: '(TCP|UDP) access denied by ACL' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==710003 + # Protocol and log.ciscoResult + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.word}}' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==710003 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: log.messageId==710003 + - trim: + function: suffix + substring: ':' + fields: + - log.dstInterface + where: log.messageId==710003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==710003 + #......................................................................# + # ASA-5-713252,713253 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?=' + - fieldName: origin.group + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'Username(\s)?=' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'IP(\s)?=' + - fieldName: origin.ip + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}available(\.)?' 
+ - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==713252 || log.messageId==713253 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==713252 || log.messageId==713253 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==713252 || log.messageId==713253 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==713252 || log.messageId==713253 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==713252 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==713253 + #......................................................................# + # ASA-6-716001,716002,716003 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' + - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' 
+ - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==716001 || log.messageId==716002 || log.messageId==716003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==716001 || log.messageId==716002 + #......................................................................# + # ASA-6-716004,716005,716006,716007,716009 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==716004 || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==716004 || log.messageId==716007 || log.messageId==716009 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==716006 + #......................................................................# + # ASA-6-716038 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' + - fieldName: action + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==716038 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==716038 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: log.messageId==716038 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: log.messageId==716038 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==716038 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: log.messageId==716038 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==716038 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==716038 + - trim: + function: suffix + substring: ',' + fields: + - action + where: log.messageId==716038 + #......................................................................# + # ASA-6-716039 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'group(\s)?=' + - fieldName: origin.group + pattern: '{{.data}}user' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==716039 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==716039 + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - action + - origin.user + where: 
log.messageId==716039 + - trim: + function: suffix + substring: 'user' + fields: + - origin.group + where: log.messageId==716039 + #......................................................................# + # ASA-6-719017,719019,719020,719021,719022,719023 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'WebVPN user(\:)?' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==719017 || (log.messageId>=719019 && log.messageId<=719023) + # Adding log.ciscoResult and modifying some actions + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==719019 || log.messageId==719023 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==719020 || log.messageId==719022 + - add: + function: 'string' + params: + key: action + value: 'WebVPN user is not checked against ACL' + where: log.messageId==719021 + - add: + function: 'string' + params: + key: action + value: 'WebVPN user has been authenticated' + where: log.messageId==719022 + - add: + function: 'string' + params: + key: action + value: 'WebVPN user has not been authenticated' + where: log.messageId==719023 + # Cleaning fields + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: log.messageId==719017 || (log.messageId>=719019 && log.messageId<=719023) + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==719017 || (log.messageId>=719019 && log.messageId<=719023) + #......................................................................# + # ASA-6-719018 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'WebVPN user(\:)?' 
+ - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'ACL ID' + - fieldName: log.accessList + pattern: '{{.data}}not' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==719018 + # Cleaning fields + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: log.messageId==719018 + - trim: + function: suffix + substring: 'not' + fields: + - log.accessList + where: log.messageId==719018 + #......................................................................# + # ASA-6-719024 + - grok: + patterns: + - fieldName: action + pattern: 'Email Proxy piggyback auth fail' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.sessionPointer + pattern: '{{.data}}user' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.user + pattern: '{{.data}}addr' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==719024 + # Cleaning fields + - trim: + function: suffix + substring: 'user' + fields: + - log.sessionPointer + where: log.messageId==719024 + - trim: + function: suffix + substring: 'addr' + fields: + - origin.user + where: log.messageId==719024 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: log.messageId==719024 + #......................................................................# + # ASA-7-609002 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown local-host' + - fieldName: log.zoneName + pattern: '{{.data}}/' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==609002 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - 
log.zoneName + where: log.messageId==609002 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==609002 + #......................................................................# + # ASA-6-611305 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient(\s)?\:' + - fieldName: action + pattern: 'DHCP Policy installed' + - fieldName: log.irrelevant + pattern: '{{.data}}DNS(\s)?\:' + - fieldName: log.primaryDns + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}DNS(\s)?\:' + - fieldName: log.secondaryDns + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}WINS(\s)?\:' + - fieldName: log.primaryWins + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}WINS(\s)?\:' + - fieldName: log.secondaryWins + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: log.messageId==611305 + #......................................................................# + # ASA-4-733100 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}exceeded' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.burstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxBurstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.avgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxAvgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.cumulativeTotalCount + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==733100 + # Cleaning cumulative total count + - grok: + patterns: + - fieldName: log.cumulativeTotalCount + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 
'{{.greedy}}' + source: log.cumulativeTotalCount + where: log.messageId==733100 + # Parsing drop source object + - grok: + patterns: + - fieldName: log.dropSourceObject + pattern: '{{.data}}drop' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: log.messageId==733100 + # Cleaning fields + - trim: + function: suffix + substring: 'drop' + fields: + - log.dropSourceObject + where: log.messageId==733100 + - trim: + function: suffix + substring: ']' + fields: + - log.dropSourceObject + where: log.messageId==733100 + - trim: + function: prefix + substring: '[' + fields: + - log.dropSourceObject + where: log.messageId==733100 + #......................................................................# + # ASA-4-733101 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}(targeted|attacking)' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.burstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxBurstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.avgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxAvgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.cumulativeTotalCount + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==733101 + # Cleaning cumulative total count + - grok: + patterns: + - fieldName: log.cumulativeTotalCount + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.cumulativeTotalCount + where: log.messageId==733101 + # Parsing drop source object + - grok: + patterns: + - fieldName: log.dropSourceObject + pattern: '{{.word}}' + - fieldName: log.tmpIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: 
log.messageId==733101 + # Renaming from or to ip, according to -> if (targeted|attacking) + - rename: + from: + - log.tmpIp + to: origin.ip + where: log.messageId==733101 && contains("action", "attacking") + - rename: + from: + - log.tmpIp + to: target.ip + where: log.messageId==733101 && contains("action", "targeted") + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: log.messageId==733101 + #......................................................................# + # ASA-4-733102, 733103 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.data}}host' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: log.messageId==733102 || log.messageId==733103 + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Threat-detection add host to shun list' + where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "add") + - add: + function: 'string' + params: + key: action + value: 'Threat-detection removes host to shun list' + where: (equals("log.messageId", 733102) || equals("log.messageId", 733103)) && contains("log.msg", "removes") + #......................................................................# + # Decoding severity + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.severity", ["1", "2", "3"]) + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: log.severity=="4" + - add: + function: 'string' + params: + key: severity + value: 'low' + where: oneOf("log.severity", ["5", "6", "7"]) + #......................................................................# + # Adding common geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + - dynamic: + plugin: 
com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + # Adding log.mappedIpFrom geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIpFrom + destination: log.mappedIpFrom.geolocation + where: exists("log.mappedIpFrom") + # Adding log.mappedIpTo geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIpTo + destination: log.mappedIpTo.geolocation + where: exists("log.mappedIpTo") + # Adding log.translatedIpFrom geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.translatedIpFrom + destination: log.translatedIpFrom.geolocation + where: exists("log.translatedIpFrom") + # Adding log.translatedIpTo geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.translatedIpTo + destination: log.translatedIpTo.geolocation + where: exists("log.translatedIpTo") + # Adding log.globalIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.globalIp + destination: log.globalIp.geolocation + where: exists("log.globalIp") + # Adding log.remoteIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.remoteIp + destination: log.remoteIp.geolocation + where: exists("log.remoteIp") + # Adding log.mappedIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIp + destination: log.mappedIp.geolocation + where: exists("log.mappedIp") + # Adding log.decapsulatedPktDestAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.decapsulatedPktDestAddr + destination: log.decapsulatedPktDestAddr.geolocation + where: exists("log.decapsulatedPktDestAddr") + # Adding log.decapsulatedPktSrcAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.decapsulatedPktSrcAddr + destination: log.decapsulatedPktSrcAddr.geolocation + where: 
exists("log.decapsulatedPktSrcAddr") + # Adding log.localProxyIpAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.localProxyIpAddr + destination: log.localProxyIpAddr.geolocation + where: exists("log.localProxyIpAddr") + # Adding log.remoteProxyIpAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.remoteProxyIpAddr + destination: log.remoteProxyIpAddr.geolocation + where: exists("log.remoteProxyIpAddr") + # Adding log.primaryDns geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.primaryDns + destination: log.primaryDns.geolocation + where: exists("log.primaryDns") + # Adding log.secondaryDns geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.secondaryDns + destination: log.secondaryDns.geolocation + where: exists("log.secondaryDns") + # Adding log.primaryWins geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.primaryWins + destination: log.primaryWins.geolocation + where: exists("log.primaryWins") + # Adding log.secondaryWins geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.secondaryWins + destination: log.secondaryWins.geolocation + where: exists("log.secondaryWins") + #......................................................................# + # Common field conversions + - cast: + fields: + - origin.port + - target.port + to: int + # Removing unused fields + - delete: + fields: + - log.asaHeader + - log.ciscoSeparator + - log.irrelevant + - log.syslogPri + - log.rest + + + $$ + WHERE id = 301 ; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210002_update_filter_cisco_switch.xml b/backend/src/main/resources/config/liquibase/changelog/20260210002_update_filter_cisco_switch.xml new file mode 100644 index 000000000..207beaa8e --- /dev/null 
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210002_update_filter_cisco_switch.xml 
@@ -0,0 +1,181 @@ + + + + + + + Syslog +# +# 1. Parsing the message field +pipeline: + - dataTypes: + - cisco-switch + steps: + # Header fields + - grok: + patterns: + - fieldName: log.switchHeader + pattern: '{{.data}}%' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(\<{{.integer}}\>)' + - fieldName: log.irrelevant + pattern: '{{.integer}}(\s)?\:' + - fieldName: log.ciscoTime + pattern: '{{.greedy}}' + source: log.switchHeader + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(\<{{.integer}}\>)' + - fieldName: log.ciscoTime + pattern: '{{.monthName}}{{.greedy}}' + source: log.switchHeader + - grok: + patterns: + - fieldName: log.ciscoTime + pattern: '{{.monthName}}{{.greedy}}' + source: log.switchHeader + #......................................................................# + # Beginning message parsing + # Variant -> %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message-text + - grok: + patterns: + - fieldName: log.facility + pattern: '{{.data}}-' + - fieldName: log.severity + pattern: '{{.data}}{{.integer}}' + - fieldName: log.facilityMnemonic + pattern: '{{.data}}\:' + - fieldName: log.ciscoMsg + pattern: '{{.greedy}}' + source: log.msg + where: '(!contains("log.msg", "-MSG:SLOT")) && (!contains("log.msg", "-MSG: SLOT"))' + # Extracting subfacility if present + - grok: + patterns: + - fieldName: log.subFacility + pattern: '{{.greedy}}-' + - fieldName: log.severity + pattern: '{{.integer}}' + source: log.severity + where: '(!contains("log.msg", "-MSG:SLOT")) && (!contains("log.msg", "-MSG: SLOT"))' + # -------------------------- + # Variant -> %CARD-SEVERITY-MSG:SLOT %FACILITY-SEVERITY-MNEMONIC: Message-text + - grok: + patterns: + - fieldName: log.card + pattern: '{{.data}}-' + - fieldName: log.irrelevant + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: log.slot + pattern: 'SLOT{{.integer}}' + - fieldName: 
log.tmpFacilityMnemonic + pattern: '{{.data}}\:' + - fieldName: log.ciscoMsg + pattern: '{{.greedy}}' + source: log.msg + where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")' + + - trim: + function: prefix + substring: '%' + fields: + - log.tmpFacilityMnemonic + where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")' + # %FACILITY-SEVERITY-MNEMONIC + - grok: + patterns: + - fieldName: log.facility + pattern: '{{.data}}-' + - fieldName: log.severity + pattern: '{{.data}}{{.integer}}' + - fieldName: log.facilityMnemonic + pattern: '{{.data}}\:' + source: log.tmpFacilityMnemonic + where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")' + # Extracting subfacility if present + - grok: + patterns: + - fieldName: log.subFacility + pattern: '{{.greedy}}-' + - fieldName: log.severity + pattern: '{{.integer}}' + source: log.severity + where: 'contains("log.msg", "-MSG:SLOT") || contains("log.msg", "-MSG: SLOT")' + + # Cleaning common fields + - trim: + function: suffix + substring: '-' + fields: + - log.facility + - log.subFacility + - log.card + - trim: + function: suffix + substring: '%' + fields: + - log.ciscoTime + - trim: + function: suffix + substring: ':' + fields: + - log.facilityMnemonic + - log.ciscoTime + - trim: + function: prefix + substring: '-' + fields: + - log.facilityMnemonic + #......................................................................# + # Decoding severity + - add: + function: 'string' + params: + key: severity + value: 'high' + where: oneOf("log.severity", ["0", "1", "2", "3"]) + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: log.severity=="4" + - add: + function: 'string' + params: + key: severity + value: 'low' + where: oneOf("log.severity", ["5", "6", "7"]) + #......................................................................# + # Removing unused fields + - delete: + fields: + - log.switchHeader + - log.irrelevant + - 
log.tmpFacilityMnemonic + $$ + WHERE id = 1510 ; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210003_update_filter_cisco_firepower.xml b/backend/src/main/resources/config/liquibase/changelog/20260210003_update_filter_cisco_firepower.xml new file mode 100644 index 000000000..2e35a2350 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260210003_update_filter_cisco_firepower.xml 
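Review bot: The changeset pins the filter row with `WHERE id = 1510` and nothing verifies that a row with that id exists or that it is actually the cisco-switch filter, so on an instance where ids were assigned differently the UPDATE silently matches zero rows (or a different filter) while Liquibase still records the changeset as applied; the preceding ASA changeset has the same shape with `WHERE id = 301`. Selecting the row by a stable key (the filter's data-type or name column, if the table has one) or adding a Liquibase precondition that asserts the expected row is present would make the migration fail loudly instead of drifting. Separately, the severity decode at the end of the pipeline only sets `severity` when `log.severity` is one of "0"–"7", so an event whose header matched neither grok variant (or where the subfacility split left a non-numeric value) carries no `severity` at all; a trailing `add` with a default value under a condition like `!exists("severity")` would keep such events from being silently un-triaged, assuming downstream rules key on that field. The ASA filter earlier in this diff maps only "1"–"3" to high, so the two new filters disagree on whether severity 0 is mapped; the switch filter's "0"–"3" range looks like the intended one.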
@@ -0,0 +1,5161 @@ + + + + + + + Syslog +# +# 1. Parsing the message field containing the Cisco Firepower log +pipeline: + - dataTypes: + - firewall-cisco-firepower + steps: + # Common Firepower fields + - grok: + patterns: + - fieldName: log.syslogPri + pattern: '(\<{{.integer}}\>)' + - fieldName: log.ciscoTime + pattern: '{{.day}}\s{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.localIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.firePowerHeader + pattern: '{{.data}}FTD-' + - fieldName: log.severity + pattern: '{{.integer}}' + - fieldName: log.messageId + pattern: '-{{.integer}}' + - fieldName: log.ciscoSeparator + pattern: '\:{{.space}}' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + - grok: + patterns: + - fieldName: log.ciscoTime + pattern: '{{.day}}\s{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.localIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.firePowerHeader + pattern: '{{.data}}FTD-' + - fieldName: log.severity + pattern: '{{.integer}}' + - fieldName: log.messageId + pattern: '-{{.integer}}' + - fieldName: log.ciscoSeparator + pattern: '\:{{.space}}' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + #......................................................................# + # Adding log.localIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.localIp + destination: log.localIp.geolocation + where: exists("log.localIp") + # Removing unwanted prefixes + - trim: + function: prefix + substring: '-' + fields: + - log.messageId + # Field conversions + - cast: + fields: + - log.messageId + to: int + # Begining specific message parsing + #......................................................................# + # FTD-2-106001 + - grok: + patterns: + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - 
fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '/{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '/{{.integer}}' + - fieldName: log.irrelevant + pattern: 'flags' + - fieldName: log.flags + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 106001) + + - trim: + function: prefix + substring: '/' + fields: + - origin.port + - target.port + where: equals("log.messageId", 106001) + #......................................................................# + # FTD-2-106017 + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'IP\sdue\sto' + - fieldName: action + pattern: '{{.greedy}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + source: log.msg + where: equals("log.messageId", 106017) + - trim: + function: suffix + substring: 'from' + fields: + - action + where: equals("log.messageId", 106017) + #......................................................................# + # FTD-1-106021 + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: action + pattern: '{{.greedy}}from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: log.irrelevant + pattern: 'on\sinterface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 106021) + - trim: + function: suffix + substring: 'from' + 
fields: + - action + where: equals("log.messageId", 106021) + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 106021) + #......................................................................# + # FTD-2-106101 + - grok: + patterns: + - fieldName: action + pattern: 'Number of cached deny-flows for ACL log has reached limit' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 106101) + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Number of cached' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 106101) + # Parsing the limit number + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.numFlows + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.rest + where: equals("log.messageId", 106101) + # Field conversions + - cast: + fields: + - log.numFlows + to: int + where: equals("log.messageId", 106101) + #......................................................................# + # FTD-6-106102,FTD-4-106103 + # First variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'access-list' + - fieldName: log.accessList + pattern: '{{.data}}\s' + - fieldName: actionResult + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for user' + - fieldName: origin.user + pattern: '(''{{.data}}''|{{.data}})\s' + - fieldName: log.srcInterface + pattern: '{{.data}}/' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.dstInterface + pattern: '{{.data}}/' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}})' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'hit-cnt' + - fieldName: 
log.hitCount
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'access-list'
+ - fieldName: log.accessList
+ pattern: '{{.data}}\s'
+ - fieldName: actionResult
+ pattern: '{{.word}}'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'for user'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})\s'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}/'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}})'
+ - fieldName: origin.port
+ pattern: '\({{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '-\>'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}/'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}})'
+ - fieldName: target.port
+ pattern: '\({{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: 'hit-cnt'
+ - fieldName: log.hitCount
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: prefix
+ substring: ''''
+ fields:
+ - origin.user
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: suffix
+ substring: ''''
+ fields:
+ - origin.user
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: prefix
+ substring: '('
+ fields:
+ - origin.port
+ - target.port
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - origin.port
+ - target.port
+ where: equals("log.messageId", 106102) || equals("log.messageId", 106103)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && equalsIgnoreCase("actionResult", "Permitted")
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: exists("actionResult") && (equals("log.messageId", 106102) || equals("log.messageId", 106103)) && !equalsIgnoreCase("actionResult", "Permitted")
+ #......................................................................#
+ # FTD-6-109101
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Received CoA disconnect request'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: 'for user'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}}),'
+ - fieldName: log.irrelevant
+ pattern: 'with\saudit-session-id:'
+ - fieldName: log.auditSessionId
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 109101)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Received CoA'
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 109101)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - origin.user
+ where: equals("log.messageId", 109101)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 109101)
+ #......................................................................#
+ # FTD-4-109102
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Received CoA {{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: ', but cannot find named session'
+ - fieldName: log.auditSessionId
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 109102)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Received CoA'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 109102)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 109102)
+ #......................................................................#
+ # FTD-3-109103
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'CoA {{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: 'failed for user'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}}),'
+ - fieldName: log.irrelevant
+ pattern: 'with session ID:'
+ - fieldName: log.auditSessionId
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 109103)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'CoA'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 109103)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - origin.user
+ where: equals("log.messageId", 109103)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 109103)
+ #......................................................................#
+ # FTD-109201 to 109213
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'UAUTH(:)? Session(\s|=)'
+ - fieldName: log.session
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'User(\s|=)'
+ - fieldName: origin.user
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'Assigned IP(\s|=)'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: ','
+ - fieldName: action
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: greaterOrEqual("log.messageId", 109201) && log.messageId<=109213
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - log.session
+ - origin.user
+ where: lgreaterOrEqual("log.messageId", 109201) && log.messageId<=109213
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: greaterOrEqual("log.messageId", 109201) && log.messageId<=109213
+ #......................................................................#
+ # FTD-6-113004
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA user {{.word}} Successful'
+ - fieldName: log.irrelevant
+ pattern: '\:'
+ - fieldName: log.irrelevant
+ pattern: 'server(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.data}}(\:|,)'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113004)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'AAA user {{.word}}'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113004)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - target.ip
+ where: equals("log.messageId", 113004)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - target.ip
+ where: equals("log.messageId", 113004)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113004)
+ #......................................................................#
+ # FTD-6-113005
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA user authentication Rejected(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?reason(\s)?=(\s)'
+ - fieldName: log.reason
+ pattern: '{{.data}}(\:|,)'
+ - fieldName: log.irrelevant
+ pattern: '(server|Server)(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.data}}(\:|,)'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.data}}(\:|,)'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)ser IP(\s)?=(\s)?'
+ - fieldName: origin.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113005)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'AAA user authentication'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113005)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.reason
+ - target.ip
+ - origin.user
+ where: equals("log.messageId", 113005)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113005)
+ #......................................................................#
+ # FTD-6-113008
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA transaction status ACCEPT(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?(u|U)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113008)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113008)
+ #......................................................................#
+ # FTD-6-113009
+ # First variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA retrieved default group policy'
+ - fieldName: log.policy
+ pattern: '\({{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: 'for (u|U)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113009)
+ - trim:
+ function: prefix
+ substring: '('
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113009)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113009)
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA retrieved default group policy'
+ - fieldName: log.policy
+ pattern: '{{.data}}\sfor'
+ - fieldName: log.irrelevant
+ pattern: '(u|U)ser(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113009)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113009)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113009)
+ #......................................................................#
+ # FTD-6-113010
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA challenge received for user'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}}) from server'
+ - fieldName: origin.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113010)
+ - trim:
+ function: suffix
+ substring: 'from server'
+ fields:
+ - origin.user
+ where: equals("log.messageId", 113010)
+ #......................................................................#
+ # FTD-6-113011
+ # First variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA retrieved user specific group policy'
+ - fieldName: log.policy
+ pattern: '\({{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: 'for (u|U)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113011)
+ - trim:
+ function: prefix
+ substring: '('
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113011)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113011)
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA retrieved user specific group policy'
+ - fieldName: log.policy
+ pattern: '{{.data}}\sfor'
+ - fieldName: log.irrelevant
+ pattern: '(u|U)ser(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113011)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.policy
+ where: equals("log.messageId", 113011)
+ #......................................................................#
+ # FTD-6-113012
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA user authentication Successful(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?local database(\s)?:(\s)?user(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113012)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'AAA user authentication'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113012)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113012)
+ #......................................................................#
+ # FTD-6-113013
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA unable to complete the request'
+ - fieldName: log.irrelevant
+ pattern: 'Error(\s)?:(\s)?reason(\s)?=(\s)?'
+ - fieldName: log.reason
+ pattern: '{{.data}}\:'
+ - fieldName: log.irrelevant
+ pattern: 'user(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113013)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.reason
+ where: equals("log.messageId", 113013)
+ #......................................................................#
+ # FTD-6-113014
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA authentication server not accessible(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?server(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113014)
+ #......................................................................#
+ # FTD-6-113015, 113017
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '(AAA user authentication|AAA credentials)\s(R|r)ejected(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?reason(\s)?=(\s)?'
+ - fieldName: log.reason
+ pattern: '{{.data}}(\s)?\:'
+ - fieldName: log.irrelevant
+ pattern: 'local database(\s)?:(\s)?(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})(\s)?:'
+ - fieldName: log.irrelevant
+ pattern: 'user IP(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.reason
+ - origin.user
+ where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '(AAA user authentication|AAA credentials)\s'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113015) || equals("log.messageId", 113017)
+ #......................................................................#
+ # FTD-6-113016
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AAA credentials rejected(\s)?'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?reason(\s)?=(\s)?'
+ - fieldName: log.reason
+ pattern: '{{.data}}(\s)?\:'
+ - fieldName: log.irrelevant
+ pattern: 'server(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.data}}(\s)?\:'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)ser(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})(\s)?:'
+ - fieldName: log.irrelevant
+ pattern: 'user IP(\s)?=(\s)?'
+ - fieldName: origin.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113016)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.reason
+ - target.ip
+ - origin.user
+ where: equals("log.messageId", 113016)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'AAA credentials'
+ - fieldName: log.ciscoResult
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 113016)
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113016)
+ #......................................................................#
+ # FTD-4-113019
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Group(\s)?=(\s)?'
+ - fieldName: origin.group
+ pattern: '{{.data}}(\s)?,'
+ - fieldName: log.irrelevant
+ pattern: '(U|u)sername(\s)?=(\s)?'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})(\s)?,'
+ - fieldName: log.irrelevant
+ pattern: 'IP(\s)?=(\s)?'
+ - fieldName: origin.ip
+ pattern: '{{.data}},'
+ - fieldName: action
+ pattern: '(\s)?Session disconnected\.'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Session Type:(\s)?'
+ - fieldName: log.sessionType
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Duration:(\s)?'
+ - fieldName: log.duration
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Bytes xmt:(\s)?'
+ - fieldName: origin.bytesSent
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Bytes rcv:(\s)?'
+ - fieldName: origin.bytesReceived
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: '(\s)?Reason:(\s)?'
+ - fieldName: log.reason
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113019)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - origin.group
+ - origin.user
+ - origin.ip
+ - log.sessionType
+ - log.duration
+ - origin.bytesSent
+ - origin.bytesReceived
+ where: equals("log.messageId", 113019)
+ - cast:
+ fields:
+ - origin.bytesSent
+ - origin.bytesReceived
+ to: int
+ where: equals("log.messageId", 113019)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113019)
+ #......................................................................#
+ # FTD-113031,113032,113033
+ # Common fields
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Group(\s)?'
+ - fieldName: origin.group
+ pattern: '{{.data}}\sUser'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|{{.data}})(\s)?IP'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ - trim:
+ function: suffix
+ substring: 'User'
+ fields:
+ - origin.group
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ - trim:
+ function: suffix
+ substring: 'IP'
+ fields:
+ - origin.user
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ # Specific fields
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)'
+ - fieldName: log.filter
+ pattern: '{{.data}}\sis'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.rest
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'AnyConnect (vpn-filter|ipv6-vpn-filter|session not allowed)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.rest
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ - trim:
+ function: suffix
+ substring: 'is'
+ fields:
+ - log.filter
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113031) || log.messageId==113032 || log.messageId==113033
+ #......................................................................#
+ # FTD-113034,113035,113036,113038,113039
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Group(\s)?'
+ - fieldName: origin.group
+ pattern: '(\<)?{{.data}}(\>)?\sUser'
+ - fieldName: origin.user
+ pattern: '(''{{.data}}''|(\<)?{{.data}}(\>)?)(\s)?IP'
+ - fieldName: origin.ip
+ pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: 'User'
+ fields:
+ - origin.group
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ - trim:
+ function: suffix
+ substring: 'IP'
+ fields:
+ - origin.user
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ - trim:
+ function: prefix
+ substring: '<'
+ fields:
+ - origin.group
+ - origin.user
+ - origin.ip
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ - trim:
+ function: suffix
+ substring: '>'
+ fields:
+ - origin.group
+ - origin.user
+ - origin.ip
+ where: equals("log.messageId", 113034) || log.messageId==113035 || log.messageId==113036 || log.messageId==113038 || log.messageId==113039
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 113039)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 113035) || log.messageId==113038
+ #......................................................................#
+ # FTD-4-113042
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'CoA: Non-HTTP connection from'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'for user'
+ - fieldName: log.remoteUser
+ pattern: '(''{{.data}}''|{{.data}})(\s)?at'
+ - fieldName: log.remoteIp
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 113042)
+ - trim:
+ function: suffix
+ substring: 'from'
+ fields:
+ - action
+ where: equals("log.messageId", 113042)
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 113042)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 113042)
+ - trim:
+ function: suffix
+ substring: 'at'
+ fields:
+ - log.remoteUser
+ where: equals("log.messageId", 113042)
+ #......................................................................#
+ # FTD-2-201003
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Embryonic limit exceeded'
+ - fieldName: log.numCons
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '/(\s)?'
+ - fieldName: log.limit
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'for'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '/(\s)?'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.globalIp
+ pattern: '\({{.data}}\)'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: '/(\s)?'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'on interface'
+ - fieldName: log.dstInterface
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 201003)
+ - trim:
+ function: prefix
+ substring: '('
+ fields:
+ - log.globalIp
+ where: equals("log.messageId", 201003)
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.globalIp
+ where: equals("log.messageId", 201003)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 201003)
+ #......................................................................#
+ # FTD-4-209003
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Fragment database limit of'
+ - fieldName: log.limit
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'exceeded:(\s)?src(\s)?=(\s)?'
+ - fieldName: origin.ip
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'dest(\s)?=(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'proto(\s)?=(\s)?'
+ - fieldName: protocol
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'id(\s)?=(\s)?'
+ - fieldName: log.id
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 209003)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - origin.ip
+ - target.ip
+ - protocol
+ where: equals("log.messageId", 209003)
+ - cast:
+ fields:
+ - log.limit
+ to: int
+ where: equals("log.messageId", 209003)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 209003)
+ #......................................................................#
+ # FTD-3-316001
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Denied new tunnel'
+ - fieldName: log.irrelevant
+ pattern: 'to'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 316001)
+ # Action result
+ - grok:
+ patterns:
+ - fieldName: log.ciscoResult
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: action
+ where: equals("log.messageId", 316001)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 316001)
+ #......................................................................#
+ # FTD-3-316002
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'VPN Handle error'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?protocol='
+ - fieldName: protocol
+ pattern: '{{.data}},'
+ - fieldName: log.irrelevant
+ pattern: 'src\s'
+ - fieldName: log.inIfNum
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.irrelevant
+ pattern: ',(\s)?dst'
+ - fieldName: log.outIfNum
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\:(\s)?'
+ - fieldName: target.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 316002)
+ - trim:
+ function: suffix
+ substring: ','
+ fields:
+ - protocol
+ where: equals("log.messageId", 316002)
+ - cast:
+ fields:
+ - log.inIfNum
+ - log.outIfNum
+ to: int
+ where: equals("log.messageId", 316002)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: equals("log.messageId", 316002)
+ #......................................................................#
+ # FTD-6-302003,302004
+ # First variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)'
+ - fieldName: log.irrelevant
+ pattern: 'for'
+ - fieldName: log.foreignAddress
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.tmpToip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+ - fieldName: log.irrelevant
+ pattern: '(to\s)?'
+ - fieldName: log.localAddress
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.tmpFromip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+ source: log.msg
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: '(Built H245 connection|Pre-allocate H323 UDP backconnection)'
+ - fieldName: log.irrelevant
+ pattern: 'for'
+ - fieldName: log.foreignAddress
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: log.tmpToip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+ - fieldName: log.localAddress
+ pattern: '({{.ipv4}}|{{.ipv6}})'
+ - fieldName: log.tmpFromip
+ pattern: '({{.ipv4}}|{{.ipv6}})((\s)?/(\s)?{{.integer}}|(\s)?/)?'
+ source: log.msg
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ # Parsing from/to ip and port
+ - grok:
+ patterns:
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: target.port
+ pattern: '{{.greedy}}'
+ source: log.tmpToip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ - grok:
+ patterns:
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ source: log.tmpToip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ - grok:
+ patterns:
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: origin.port
+ pattern: '{{.greedy}}'
+ source: log.tmpFromip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ - grok:
+ patterns:
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ source: log.tmpFromip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ - trim:
+ function: prefix
+ substring: '/'
+ fields:
+ - origin.port
+ - target.port
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ # Removing temp fields
+ - delete:
+ fields:
+ - log.tmpFromip
+ - log.tmpToip
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 302003) || log.messageId==302004
+ #......................................................................#
+ # FTD-6-302012
+ - grok:
+ patterns:
+ - fieldName: action
+ pattern: 'Pre-allocate H225 Call Signalling Connection'
+ - fieldName: log.irrelevant
+ pattern: 'for faddr'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})'
+ - fieldName: origin.port
+ pattern: '/(\s)?{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'to laddr'
+ - fieldName: target.ip
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 302012)
+ - trim:
+ function: prefix
+ substring: '/'
+ fields:
+ - origin.port
+ where: equals("log.messageId", 302012)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 302012)
+ #......................................................................#
+ # FTD-6-302013
+ - grok:
+ patterns:
+ - fieldName: log.tmpDirection
+ pattern: 'Built\s{{.word}}\s(Probe)?'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpFrom
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortFrom
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpTo
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 302013)
+ # Parsing direction field
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Built'
+ - fieldName: log.direction
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpDirection
+ where: equals("log.messageId", 302013)
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: equals("log.messageId", 302013)
+ # Parsing firewall user to, and AAA name of the user if exists
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: origin.user
+ pattern: '{{.data}}\)'
+ source: log.rest
+ where: equals("log.messageId", 302013)
+
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ source: log.rest
+ where: equals("log.messageId", 302013)
+
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ - origin.user
+ where: equals("log.messageId", 302013)
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpDirection
+ - log.tmpFwUserFrom
+ where: equals("log.messageId", 302013)
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 302013)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ - log.mappedIpFrom
+ - log.mappedIpTo
+ where: equals("log.messageId", 302013)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.connectionId
+ where: equals("log.messageId", 302013)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 302013)
+ #......................................................................#
+ # FTD-6-302014
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Teardown\s(Probe)?'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'connection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.tmpFwUserTo
+ pattern: '({{.data}})?duration'
+ - fieldName: log.duration
+ pattern: '{{.time}}'
+ - fieldName: log.irrelevant
+ pattern: 'bytes'
+ - fieldName: origin.bytesSent
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 302014)
+ # Parsing firewall user from
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserFrom
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserFrom
+ where: equals("log.messageId", 302014)
+ # Parsing firewall user to
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.firewallUserTo
+ pattern: '{{.data}}\)'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.tmpFwUserTo
+ where: equals("log.messageId", 302014)
+ # Parsing AAA user if exists
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}\('
+ - fieldName: origin.user
+ pattern: '{{.data}}\)'
+ source: log.rest
+ where: equals("log.messageId", 302014)
+
+ - trim:
+ function: suffix
+ substring: ')'
+ fields:
+ - log.firewallUserFrom
+ - log.firewallUserTo
+ - origin.user
+ where: equals("log.messageId", 302014)
+ # Removing tmp fields
+ - delete:
+ fields:
+ - log.tmpFwUserFrom
+ - log.tmpFwUserTo
+ where: equals("log.messageId", 302014)
+
+ # Cleaning fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.srcInterface
+ - log.dstInterface
+ where: equals("log.messageId", 302014)
+ - trim:
+ function: suffix
+ substring: '/'
+ fields:
+ - origin.ip
+ - target.ip
+ where: equals("log.messageId", 302014)
+ - trim:
+ function: suffix
+ substring: 'for'
+ fields:
+ - log.connectionId
+ where: equals("log.messageId", 302014)
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: equals("log.messageId", 302014)
+ #......................................................................#
+ # FTD-6-302015
+ - grok:
+ patterns:
+ - fieldName: log.tmpDirection
+ pattern: 'Built\s{{.word}}'
+ - fieldName: protocol
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'connection'
+ - fieldName: log.connectionId
+ pattern: '({{.data}})for'
+ - fieldName: log.srcInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: origin.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpFrom
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortFrom
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\)'
+ - fieldName: log.tmpFwUserFrom
+ pattern: '({{.data}})?to'
+ - fieldName: log.dstInterface
+ pattern: '{{.data}}(\s)?:'
+ - fieldName: target.ip
+ pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: '\('
+ - fieldName: log.mappedIpTo
+ pattern: '{{.data}}/'
+ - fieldName: log.mappedPortTo
+ pattern: '{{.integer}}'
+ - fieldName: log.rest
+ pattern: '{{.greedy}}'
+ source: log.msg
+ where: equals("log.messageId", 302015)
+ # Parsing direction field
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Built'
+ - fieldName: log.direction
+ pattern: '{{.greedy}}'
+
source: log.tmpDirection + where: equals("log.messageId", 302015) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302015) + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302015) + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302015) + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: equals("log.messageId", 302015) + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + where: equals("log.messageId", 302015) + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302015) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: equals("log.messageId", 302015) + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: equals("log.messageId", 302015) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302015) + #......................................................................# + # FTD-6-302016 + - grok: + patterns: + - fieldName: 
log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection' + - fieldName: log.connectionId + pattern: '({{.data}})for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302016) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302016) + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: equals("log.messageId", 302016) + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + source: log.rest + where: equals("log.messageId", 302016) + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302016) + + - trim: + function: 
suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + where: equals("log.messageId", 302016) + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: equals("log.messageId", 302016) + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302016) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 302016) + - trim: + function: suffix + substring: 'for' + fields: + - log.connectionId + where: equals("log.messageId", 302016) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302016) + #......................................................................# + # FTD-6-302017 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'GRE connection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.translatedIpFrom + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.realCid + pattern: '{{.data}}\(' + - fieldName: log.translatedIpTo + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302017) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant 
+ pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302017) + # Parsing translatedCid and, firewall user to and AAA user if present + - grok: + patterns: + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + - fieldName: log.tmpUserInfo + pattern: '{{.greedy}}' + source: log.rest + where: equals("log.messageId", 302017) + - grok: + patterns: + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302017) + # FW user and AAA user + - grok: + patterns: + - fieldName: log.tmpFwUserTo + pattern: '\({{.data}}\)' + - fieldName: target.user + pattern: '\({{.data}}\)' + source: log.tmpUserInfo + where: equals("log.messageId", 302017) + - grok: + patterns: + - fieldName: log.tmpFwUserTo + pattern: '\({{.data}}\)' + source: log.tmpUserInfo + where: equals("log.messageId", 302017) + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: equals("log.messageId", 302017) + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - target.user + - log.translatedCid + where: equals("log.messageId", 302017) + - trim: + function: suffix + substring: '(' + fields: + - log.realCid + - target.user + where: equals("log.messageId", 302017) + # Removing tmp fields + - delete: + fields: + - log.tmpDirection + - log.tmpFwUserFrom + - log.tmpFwUserTo + - log.tmpUserInfo + where: equals("log.messageId", 302017) + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302017) + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - log.translatedIpTo + 
where: equals("log.messageId", 302017) + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: equals("log.messageId", 302017) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302017) + #......................................................................# + # FTD-6-302018 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown GRE connection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.translatedIpFrom + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\)' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.realCid + pattern: '{{.data}}\(' + - fieldName: log.translatedIpTo + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.translatedCid + pattern: '{{.data}}\)' + - fieldName: log.tmpFwUserTo + pattern: '({{.data}})?duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302018) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302018) + # Parsing firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + 
where: equals("log.messageId", 302018) + # Parsing firewall user to, and AAA name of the user if exists + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + source: log.rest + where: equals("log.messageId", 302018) + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + source: log.rest + where: equals("log.messageId", 302018) + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - origin.user + - log.translatedCid + where: equals("log.messageId", 302018) + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + where: equals("log.messageId", 302018) + # Cleaning fields + - trim: + function: suffix + substring: '(' + fields: + - log.realCid + where: equals("log.messageId", 302018) + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302018) + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - log.translatedIpTo + where: equals("log.messageId", 302018) + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: equals("log.messageId", 302018) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302018) + #......................................................................# + # FTD-6-302020, 302021 + # 302020 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for faddr' + - fieldName: log.tmpFaddrAndFwUser + pattern: '({{.data}})gaddr' + - fieldName: 
log.tmpGaddrAndFwUser + pattern: '({{.data}})laddr' + - fieldName: log.tmpLaddrAndFwUser + pattern: '({{.data}})type' + - fieldName: log.icmpType + pattern: '({{.data}})code' + - fieldName: log.icmpCode + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302020) + # 302021 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for faddr' + - fieldName: log.tmpFaddrAndFwUser + pattern: '({{.data}})gaddr' + - fieldName: log.tmpGaddrAndFwUser + pattern: '({{.data}})laddr' + - fieldName: log.tmpLaddrAndFwUser + pattern: '({{.data}})type' + - fieldName: log.icmpType + pattern: '({{.data}})code' + - fieldName: log.icmpCode + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302021) + # Common parsing for 302020 and 302021 + # For parsing faddr and fwuser from (Begin with ip/port), or icmpSeqNum + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '{{.greedy}}' + source: log.tmpFaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserFrom + pattern: '{{.greedy}}' + source: log.tmpFaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # icmpSeqNum variants + - grok: + patterns: + - fieldName: log.icmpSeqNum + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'gaddr' + source: log.tmpFaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: log.icmpSeqNum + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: 'gaddr' + source: 
log.tmpFaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Cleaning icmpSeqNum + - trim: + function: suffix + substring: 'gaddr' + fields: + - log.icmpSeqNum + where: equals("log.messageId", 302020) || log.messageId==302021 + # Continue with firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 302020) || log.messageId==302021 + # For parsing gaddr and global fwuser (Begin with ip/port), or icmpType + - grok: + patterns: + - fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.globalPort + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: '{{.greedy}}' + source: log.tmpGaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserGlobal + pattern: '{{.greedy}}' + source: log.tmpGaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # icmpType variants + - grok: + patterns: + - fieldName: log.icmpType + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'laddr' + source: log.tmpGaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: log.icmpType + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserGlobal + pattern: 'laddr' + source: log.tmpGaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Cleaning icmpType + - trim: + function: suffix + substring: 'laddr' + fields: + - log.icmpType + where: equals("log.messageId", 302020) || log.messageId==302021 + - trim: + function: suffix + substring: 'code' + fields: + - log.icmpType + 
where: equals("log.messageId", 302020) || log.messageId==302021 + # Continue with global firewall + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.globalFirewallUser + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserGlobal + where: equals("log.messageId", 302020) || log.messageId==302021 + # For parsing laddr and fwuser to (Begin with ip/port) + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.tmpLaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.tmpFwUserTo + pattern: '{{.greedy}}' + source: log.tmpLaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Continue with firewall user to + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserTo + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserTo + where: equals("log.messageId", 302020) || log.messageId==302021 + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - target.ip + - origin.ip + where: equals("log.messageId", 302020) || log.messageId==302021 + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.firewallUserTo + - log.globalFirewallUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpFwUserTo + - log.tmpFwUserGlobal + - log.tmpFaddrAndFwUser + - log.tmpGaddrAndFwUser + - log.tmpLaddrAndFwUser + where: equals("log.messageId", 302020) || log.messageId==302021 + # Adding action result + - add: + function: 'string' + params: + key: 
actionResult + value: 'accepted' + where: equals("log.messageId", 302020) || log.messageId==302021 + #......................................................................# + # FTD-6-302022, 302024, 302026 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: log.role + pattern: '({{.data}})stub' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpMappedIpPortFrom + pattern: '\({{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.tmpMappedIpPortTo + pattern: '\({{.data}}\)' + source: log.msg + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Parsing mapped ip,port from tmp fields + # With port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortFrom + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Without port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortFrom + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Parsing mapped ip,port to, from tmp fields + # With port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + 
pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortTo + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Without port + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}' + - fieldName: log.irrelevant + pattern: '\)' + source: log.tmpMappedIpPortTo + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Cleaning fields + - trim: + function: suffix + substring: 'stub' + fields: + - log.role + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Removing tmp fields + - delete: + fields: + - log.tmpMappedIpPortFrom + - log.tmpMappedIpPortTo + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302022) || log.messageId==302024 || log.messageId==302026 + #......................................................................# + # FTD-6-302023, 302025, 302027 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown stub' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'connection for' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + 
pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.irrelevant + pattern: 'bytes' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.reason + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302023) || log.messageId==302025 || log.messageId==302027 + #......................................................................# + # FTD-302033,302034 + - grok: + patterns: + - fieldName: action + pattern: '(Pre-allocated|Unable to pre-allocate) H323 GUP Connection' + - fieldName: log.irrelevant + pattern: 'for faddr' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.tmpPortFrom + pattern: '{{.data}}to laddr' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: log.tmpIpPortTo + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302033) || log.messageId==302034 + # Parsing optional ports from y to + - grok: + patterns: + - fieldName: origin.port + pattern: '{{.integer}}' + - 
fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpPortFrom + where: equals("log.messageId", 302033) || log.messageId==302034 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.greedy}}' + source: log.tmpIpPortTo + where: equals("log.messageId", 302033) || log.messageId==302034 + - grok: + patterns: + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' + source: log.tmpIpPortTo + where: equals("log.messageId", 302033) || log.messageId==302034 + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302033) || log.messageId==302034 + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 302033) || log.messageId==302034 + # Remove tmp fields + - delete: + fields: + - log.tmpPortFrom + - log.tmpIpPortTo + where: equals("log.messageId", 302033) || log.messageId==302034 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302033) + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 302034) + #......................................................................# + # FTD-6-302303 + - grok: + patterns: + - fieldName: action + pattern: 'Built\s{{.word}}\sstate-bypass\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpFrom + pattern: '{{.data}}/' + - fieldName: log.mappedPortFrom + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)' + - 
fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.mappedIpTo + pattern: '{{.data}}/' + - fieldName: log.mappedPortTo + pattern: '{{.integer}}' + - fieldName: log.rest + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302303) + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 302303) + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302303) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + - log.mappedIpFrom + - log.mappedIpTo + where: equals("log.messageId", 302303) + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: equals("log.messageId", 302303) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302303) + #......................................................................# + # FTD-6-302304 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown\s{{.word}}\sstate-bypass\sconnection' + - fieldName: log.connectionId + pattern: '({{.data}})from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: 
target.port + pattern: '{{.integer}}' + - fieldName: log.duration + pattern: '{{.time}}' + - fieldName: log.irrelevant + pattern: ',' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: ',' + - fieldName: log.reason + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 302304) + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Built' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 302304) + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 302304) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 302304) + - trim: + function: suffix + substring: 'from' + fields: + - log.connectionId + where: equals("log.messageId", 302304) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 302304) + #......................................................................# + # FTD-6-305009 + - grok: + patterns: + - fieldName: action + pattern: 'Built (dynamic|static) translation' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: log.tmpAclSrcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: log.mappedIpTo + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 305009) + # Parsing srcInterface + # With ACL + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}\(' + - fieldName: log.accessList + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpAclSrcInterface + where: equals("log.messageId", 305009) + # Without ACL + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}:' + source: log.tmpAclSrcInterface + where: equals("log.messageId", 305009) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 305009) + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpAclSrcInterface + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.accessList + where: equals("log.messageId", 305009) + - trim: + function: suffix + substring: '(' + fields: + - log.srcInterface + where: equals("log.messageId", 305009) + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 305009) + #......................................................................# + # FTD-6-305010 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown (dynamic|static) translation' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.time}}' + source: log.msg + where: equals("log.messageId", 305010) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 305010) + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + where: equals("log.messageId", 305010) + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 305010) + #......................................................................# + # FTD-6-305011 + - grok: + patterns: + - fieldName: action + pattern: 'Built\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: log.srcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + source: log.msg + where: equals("log.messageId", 305011) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + 
where: equals("log.messageId", 305011) + # Parsing protocol + - grok: + patterns: + - fieldName: action + pattern: 'Built\s(dynamic|static)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 305011) + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + where: equals("log.messageId", 305011) + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + where: equals("log.messageId", 305011) + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 305011) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 305011) + #......................................................................# + # FTD-6-305012 + - grok: + patterns: + - fieldName: action + pattern: 'Teardown\s(dynamic|static)\s(TCP|UDP|ICMP)\stranslation' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: log.tmpAclSrcInterface + pattern: '{{.data}}(\s)?:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.tmpFwUserFrom + pattern: '({{.data}})?to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.time}}' + source: log.msg + where: equals("log.messageId", 305012) + # Parsing firewall user from + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.firewallUserFrom + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpFwUserFrom + where: equals("log.messageId", 305012) + # Parsing protocol + - 
grok: + patterns: + - fieldName: action + pattern: 'Teardown\s(dynamic|static)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 305012) + # Parsing srcInterface + # With ACL + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}\(' + - fieldName: log.accessList + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.tmpAclSrcInterface + where: equals("log.messageId", 305012) + # Without ACL + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}:' + source: log.tmpAclSrcInterface + where: equals("log.messageId", 305012) + # Parsing srcInterface from himself to avoid parsing issues + - grok: + patterns: + - fieldName: log.srcInterface + pattern: '{{.data}}\(' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.srcInterface + where: equals("log.messageId", 305012) + + - trim: + function: suffix + substring: ')' + fields: + - log.firewallUserFrom + - log.accessList + where: equals("log.messageId", 305012) + # Removing tmp fields + - delete: + fields: + - log.tmpFwUserFrom + - log.tmpAclSrcInterface + where: equals("log.messageId", 305012) + + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - log.srcInterface + - log.dstInterface + where: equals("log.messageId", 305012) + - trim: + function: suffix + substring: '(' + fields: + - log.srcInterface + where: equals("log.messageId", 305012) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 305012) + #......................................................................# + # FTD-3-322001 + - grok: + patterns: + - fieldName: action + pattern: '{{.word}}\sMAC\saddress' + - fieldName: log.localMac + pattern: '{{.data}}(\s)?,' + - fieldName: log.reason + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - 
fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 322001) + # Action result + - grok: + patterns: + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 322001) + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.localMac + where: equals("log.messageId", 322001) + - trim: + function: suffix + substring: 'on' + fields: + - log.reason + where: equals("log.messageId", 322001) + #......................................................................# + # FTD-3-322002 + - grok: + patterns: + - fieldName: action + pattern: '{{.word}}\sinspection\scheck' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for\sarp' + - fieldName: log.httpMessageType + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'received\sfrom\shost' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.data}}\.' 
+ - fieldName: log.irrelevant + pattern: '{{.data}}Address' + - fieldName: log.fakeSrcMac + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: 'IP\sAddress' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}Address' + - fieldName: log.boudSrcMac + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 322002) + # Protocol + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'inspection check' + source: action + where: equals("log.messageId", 322002) + # Cleaning fields + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: equals("log.messageId", 322002) + - trim: + function: suffix + substring: 'for' + fields: + - log.fakeSrcMac + where: equals("log.messageId", 322002) + - trim: + function: suffix + substring: '.' + fields: + - log.srcInterface + where: equals("log.messageId", 322002) + #......................................................................# + # FTD-3-322003 + - grok: + patterns: + - fieldName: action + pattern: '{{.word}}\sinspection\scheck' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'for\sarp' + - fieldName: log.httpMessageType + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'received\sfrom\shost' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.data}}\.' 
+ - fieldName: log.irrelevant + pattern: '{{.data}}Address' + - fieldName: log.fakeSrcMac + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: 'IP\sAddress' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 322003) + # Protocol + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'inspection check' + source: action + where: equals("log.messageId", 322003) + # Cleaning fields + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: equals("log.messageId", 322003) + - trim: + function: suffix + substring: 'for' + fields: + - log.fakeSrcMac + where: equals("log.messageId", 322003) + - trim: + function: suffix + substring: '.' + fields: + - log.srcInterface + where: equals("log.messageId", 322003) + #......................................................................# + # FTD-4-402114 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' 
+ - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 402114) + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 402114) + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: equals("log.messageId", 402114) + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + where: equals("log.messageId", 402114) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 402114) + #......................................................................# + # FTD-4-402115 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' 
+ - fieldName: action + pattern: 'Received\sa\spacket' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'containing' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'data instead of' + - fieldName: log.expectedProtocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 402115) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 402115) + #......................................................................# + # FTD-4-402116 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' + - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.decapsulatedPktDestAddr + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.decapsulatedPktSrcAddr + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.decapsulatedPktProto + pattern: '{{.word}}' + - fieldName: 
log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.localProxyIpAddr + pattern: '{{.data}}/' + - fieldName: log.localProxyIpMask + pattern: '{{.data}}/' + - fieldName: log.localProxyProto + pattern: '{{.data}}/' + - fieldName: log.localProxyPort + pattern: '{{.data}}and' + - fieldName: log.irrelevant + pattern: '{{.data}}as' + - fieldName: log.remoteProxyIpAddr + pattern: '{{.data}}/' + - fieldName: log.remoteProxyIpMask + pattern: '{{.data}}/' + - fieldName: log.remoteProxyProto + pattern: '{{.data}}/' + - fieldName: log.remoteProxyPort + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 402116) + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 402116) + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: equals("log.messageId", 402116) + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: equals("log.messageId", 402116) + - trim: + function: suffix + substring: '/' + fields: + - log.localProxyIpAddr + - log.localProxyIpMask + - log.localProxyProto + - log.remoteProxyIpAddr + - log.remoteProxyIpMask + - log.remoteProxyPort + - log.remoteProxyProto + where: equals("log.messageId", 402116) + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: equals("log.messageId", 402116) + - trim: + function: suffix + substring: 'and' + fields: + - log.localProxyPort + where: equals("log.messageId", 402116) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 402116) + #......................................................................# + # FTD-4-402117 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' 
+ - fieldName: action + pattern: 'Received a non-IPsec \((\s)?{{.word}}(\s)?\) packet' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 402117) + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received a non-IPsec \(' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 402117) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 402117) + #......................................................................# + # FTD-4-402118 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' + - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}length' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'with offset' + - fieldName: log.fragmentOffset + pattern: '{{.integer}}' + source: log.msg + where: equals("log.messageId", 402118) + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: 
'{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 402118) + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: equals("log.messageId", 402118) + - trim: + function: suffix + substring: ',' + fields: + - log.spi + where: equals("log.messageId", 402118) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 402118) + #......................................................................# + # FTD-4-402119, 402120 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'IPSEC\:(\s)?' + - fieldName: action + pattern: 'Received\s(an|a)\s{{.word}}\spacket' + - fieldName: log.irrelevant + pattern: '\({{.data}}=' + - fieldName: log.spi + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.seqNum + pattern: '{{.integer}}(\s)?\)' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: origin.user + pattern: '{{.data}}\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 402119) || log.messageId==402120 + # Protocol + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Received\s(an|a)' + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 402119) || log.messageId==402120 + # Cleaning fields + - trim: + function: suffix + substring: ')' + fields: + - log.seqNum + - origin.user + where: equals("log.messageId", 402119) || log.messageId==402120 + - trim: + function: suffix + substring: ',' + fields: + - log.spi + 
where: equals("log.messageId", 402119) || log.messageId==402120 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 402119) || log.messageId==402120 + #......................................................................# + # FTD-5-402128 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'CRYPTO\:(\s)?' + - fieldName: action + pattern: 'An attempt to allocate a large memory block' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: log.memorySize + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: log.memoryLimit + pattern: '{{.integer}}' + source: log.msg + where: equals("log.messageId", 402128) + #......................................................................# + # FTD-4-405001 + - grok: + patterns: + - fieldName: action + pattern: 'Received ARP (request|response) collision' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.mac + pattern: '{{.data}}on' + - fieldName: log.irrelevant + pattern: 'interface' + - fieldName: log.srcInterface + pattern: '{{.data}}with' + - fieldName: log.irrelevant + pattern: 'existing ARP entry' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.mac + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 405001) + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'ARP' + where: equals("log.messageId", 405001) + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 405001) + - trim: + function: suffix + substring: 'on' + fields: + - origin.mac + where: equals("log.messageId", 405001) + - trim: + function: suffix + substring: 'with' + 
fields: + - log.srcInterface + where: equals("log.messageId", 405001) + #......................................................................# + # FTD-4-405002 + - grok: + patterns: + - fieldName: action + pattern: 'Received mac mismatch collision' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.mac + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 405002) + # Cleaning fields + - trim: + function: suffix + substring: 'for' + fields: + - origin.mac + where: equals("log.messageId", 405002) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + where: equals("log.messageId", 405002) + #......................................................................# + # FTD-4-406001 + - grok: + patterns: + - fieldName: action + pattern: 'FTP port command low port(\s)?\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' 
+ - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 406001) + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'FTP' + where: equals("log.messageId", 406001) + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - action + where: equals("log.messageId", 406001) + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + where: equals("log.messageId", 406001) + #......................................................................# + # FTD-4-406002 + - grok: + patterns: + - fieldName: action + pattern: 'FTP port command different address(\s)?\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: log.connectionIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' + - fieldName: log.irrelevant + pattern: '(\s)?\)' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 406002) + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'FTP' + where: equals("log.messageId", 406002) + # Cleaning fields + - trim: + function: suffix + substring: ':' + fields: + - action + where: equals("log.messageId", 406002) + #......................................................................# + # FTD-4-407002 + - grok: + patterns: + - fieldName: action + pattern: 'Embryonic limit {{.data}} for through connections exceeded' + - fieldName: log.irrelevant + pattern: '{{.data}}\.' 
+ - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.globalIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?' + - fieldName: log.irrelevant + pattern: '\(' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '(\s)?\)(\s)?/' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'on interface' + - fieldName: log.srcInterface + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 407002) + # Connection number and connection limit + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Embryonic limit' + - fieldName: log.numCons + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '/' + - fieldName: log.limit + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 407002) + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 407002) + #......................................................................# + # FTD-6-605004 + - grok: + patterns: + - fieldName: action + pattern: 'Login\s{{.word}}' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}\:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.service + pattern: '{{.data}}for' + - fieldName: log.irrelevant + pattern: 'user' + - fieldName: origin.user + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 605004) + # Action result + - grok: + patterns: + - fieldName: 
log.irrelevant + pattern: 'Login' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + source: action + where: equals("log.messageId", 605004) + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 605004) + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 605004) + - trim: + function: suffix + substring: 'for' + fields: + - log.service + where: equals("log.messageId", 605004) + - trim: + function: suffix + substring: ':' + fields: + - log.dstInterface + where: equals("log.messageId", 605004) + - trim: + function: prefix + substring: '"' + fields: + - origin.user + where: equals("log.messageId", 605004) + - trim: + function: suffix + substring: '"' + fields: + - origin.user + where: equals("log.messageId", 605004) + #......................................................................# + # FTD-2-106018 + - grok: + patterns: + - fieldName: action + pattern: 'ICMP packet' + - fieldName: log.irrelevant + pattern: 'type' + - fieldName: log.icmpType + pattern: '{{.data}}\s' + - fieldName: log.ciscoResult + pattern: 'denied' + - fieldName: log.irrelevant + pattern: 'by' + - fieldName: log.direction + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'list' + - fieldName: log.accessList + pattern: '{{.data}}src' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'dest' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 106018) + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'ICMP' + where: equals("log.messageId", 106018) + # Cleaning fields + - trim: + function: suffix + substring: 'src' + fields: + - log.accessList + where: equals("log.messageId", 106018) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: 
equals("log.messageId", 106018) + #......................................................................# + # FTD-2-106020 + - grok: + patterns: + - fieldName: action + pattern: 'Deny IP teardrop fragment' + - fieldName: log.irrelevant + pattern: '\((\s)?size(\s)?=' + - fieldName: origin.bytesSent + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: ',(\s)?offset(\s)?=' + - fieldName: log.fragmentOffset + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '\)(\s)?from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: target.ip + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 106020) + # Adding log.ciscoResult + - add: + function: 'string' + params: + key: log.ciscoResult + value: 'Denied' + where: equals("log.messageId", 106020) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 106020) + #......................................................................# + # FTD-6-611301 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'NAT configured for Client Mode with no split tunneling' + - fieldName: log.irrelevant + pattern: '{{.data}}ress\:' + - fieldName: log.mappedIp + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 611301) + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'NAT' + where: equals("log.messageId", 611301) + #......................................................................# + # FTD-6-611303 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'NAT configured for Client Mode with split tunneling' + - fieldName: log.irrelevant + pattern: '{{.data}}ress\:' + - fieldName: log.mappedIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: 
log.irrelevant + pattern: '{{.data}}works\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskFrom + pattern: '{{.data}}\s' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskTo + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 611303) + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'NAT' + where: equals("log.messageId", 611303) + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 611303) + #......................................................................# + # FTD-6-611304 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'NAT exemption configured for Network Extension Mode with split tunneling' + - fieldName: log.irrelevant + pattern: '{{.data}}works\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskFrom + pattern: '{{.data}}\s' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: log.netmaskTo + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 611304) + # Adding protocol + - add: + function: 'string' + params: + key: protocol + value: 'NAT' + where: equals("log.messageId", 611304) + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 611304) + #......................................................................# + # FTD-6-611307 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:(\s)?Head end\:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: equals("log.messageId", 611307) + # Adding action and log.ciscoResult + - add: + function: 'string' + params: + key: 
action + value: 'The VPN client is connected to the specified headend' + where: equals("log.messageId", 611307) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 611307) + #......................................................................# + # FTD-6-611309 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'Disconnecting from head end and uninstalling previously downloaded policy' + - fieldName: log.irrelevant + pattern: '{{.data}}End\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: equals("log.messageId", 611309) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 611309) + #......................................................................# + # FTD-6-611310,611311 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'XAUTH' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '\:(\s)?Peer(\s)?\:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: equals("log.messageId", 611310) || log.messageId==611311 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 611310) + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 611311) + #......................................................................# + # FTD-6-611314 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:(\s)?Load Balancing Cluster with Virtual IP\:(\s)?' 
+ - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}server' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: equals("log.messageId", 611314) + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Load Balancing Cluster redirected the Secure Firewall' + where: equals("log.messageId", 611314) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 611314) + #......................................................................# + # FTD-6-611315 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:(\s)?Disconnecting from Load Balancing Cluster member(\:)?(\s)?' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: equals("log.messageId", 611315) + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Disconnecting from Load Balancing Cluster' + where: equals("log.messageId", 611315) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 611315) + #......................................................................# + # FTD-6-611318 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient\:' + - fieldName: action + pattern: 'User Authentication Enabled' + - fieldName: log.irrelevant + pattern: '{{.data}}IP(\s)?\:' + - fieldName: log.authServerIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}Port(\s)?\:' + - fieldName: log.authServerPort + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}out(\s)?\:' + - fieldName: log.timeOut + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 611318) + 
#......................................................................# + # FTD-3-710003 + - grok: + patterns: + - fieldName: action + pattern: '(TCP|UDP) access denied by ACL' + - fieldName: log.irrelevant + pattern: 'from' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'to' + - fieldName: log.dstInterface + pattern: '{{.data}}(\s)?:' + - fieldName: target.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\s)?/' + - fieldName: target.port + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 710003) + # Protocol and log.ciscoResult + - grok: + patterns: + - fieldName: protocol + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.word}}' + - fieldName: log.ciscoResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 710003) + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - origin.ip + - target.ip + where: equals("log.messageId", 710003) + - trim: + function: suffix + substring: ':' + fields: + - log.dstInterface + where: equals("log.messageId", 710003) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 710003) + #......................................................................# + # FTD-5-713252,713253 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?=' + - fieldName: origin.group + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'Username(\s)?=' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'IP(\s)?=' + - fieldName: origin.ip + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.data}}available(\.)?' 
+ - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 713252) || equals("log.messageId", 713253) + # Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 713252) || equals("log.messageId", 713253) + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 713252) || equals("log.messageId", 713253) + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 713252) || equals("log.messageId", 713253) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 713252) + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 713253) + #......................................................................# + # FTD-6-716001,716002,716003 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' + - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' 
+ - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716001) || log.messageId==716002 || log.messageId==716003 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 716001) || log.messageId==716002 + #......................................................................# + # FTD-6-716004,716005,716006,716007,716009 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716004) || log.messageId==716005 || log.messageId==716006 || log.messageId==716007 || log.messageId==716009 + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 716004) || log.messageId==716007 || log.messageId==716009 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 716006) + #......................................................................# + # FTD-6-716038 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Group(\s)?' 
+ - fieldName: origin.group + pattern: '{{.data}}User' + - fieldName: origin.user + pattern: '{{.data}}IP' + - fieldName: origin.ip + pattern: '(\<)?({{.ipv4}}|{{.ipv6}}|{{.hostname}})(\>)?' + - fieldName: action + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 716038) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 716038) + # Cleaning fields + - trim: + function: suffix + substring: 'User' + fields: + - origin.group + where: equals("log.messageId", 716038) + - trim: + function: suffix + substring: 'IP' + fields: + - origin.user + where: equals("log.messageId", 716038) + - trim: + function: prefix + substring: '<' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 716038) + - trim: + function: suffix + substring: '>' + fields: + - origin.group + - origin.user + - origin.ip + where: equals("log.messageId", 716038) + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716038) + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 716038) + - trim: + function: suffix + substring: ',' + fields: + - action + where: equals("log.messageId", 716038) + #......................................................................# + # FTD-6-716039 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: 'group(\s)?=' + - fieldName: origin.group + pattern: '{{.data}}user' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.user + pattern: '{{.data}},' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 716039) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 716039) + # 
Cleaning fields + - trim: + function: suffix + substring: ',' + fields: + - action + - origin.user + where: equals("log.messageId", 716039) + - trim: + function: suffix + substring: 'user' + fields: + - origin.group + where: equals("log.messageId", 716039) + #......................................................................# + # FTD-6-719017,719019,719020,719021,719022,719023 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'WebVPN user(\:)?' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: action + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023) + # Adding log.ciscoResult and modifying some actions + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 719019) || log.messageId==719023 + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 719020) || log.messageId==719022 + - add: + function: 'string' + params: + key: action + value: 'WebVPN user is not checked against ACL' + where: equals("log.messageId", 719021) + - add: + function: 'string' + params: + key: action + value: 'WebVPN user has been authenticated' + where: equals("log.messageId", 719022) + - add: + function: 'string' + params: + key: action + value: 'WebVPN user has not been authenticated' + where: equals("log.messageId", 719023) + # Cleaning fields + - trim: + function: prefix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023) + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 719017) || (log.messageId>=719019 && log.messageId<=719023) + #......................................................................# + # FTD-6-719018 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'WebVPN 
user(\:)?' + - fieldName: origin.user + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'ACL ID' + - fieldName: log.accessList + pattern: '{{.data}}not' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 719018) + # Cleaning fields + - trim: + function: suffix + substring: '''' + fields: + - origin.user + where: equals("log.messageId", 719018) + - trim: + function: suffix + substring: 'not' + fields: + - log.accessList + where: equals("log.messageId", 719018) + #......................................................................# + # FTD-6-719024 + - grok: + patterns: + - fieldName: action + pattern: 'Email Proxy piggyback auth fail' + - fieldName: log.irrelevant + pattern: '{{.data}}=' + - fieldName: log.sessionPointer + pattern: '{{.data}}user' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.user + pattern: '{{.data}}addr' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 719024) + # Cleaning fields + - trim: + function: suffix + substring: 'user' + fields: + - log.sessionPointer + where: equals("log.messageId", 719024) + - trim: + function: suffix + substring: 'addr' + fields: + - origin.user + where: equals("log.messageId", 719024) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: equals("log.messageId", 719024) + #......................................................................# + # FTD-7-609002 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'Teardown local-host' + - fieldName: log.zoneName + pattern: '{{.data}}/' + - fieldName: log.irrelevant + pattern: '{{.data}}\:' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: 'duration' + - fieldName: log.duration + pattern: '{{.greedy}}' + source: log.msg + where: 
equals("log.messageId", 609002) + # Cleaning fields + - trim: + function: suffix + substring: '/' + fields: + - log.zoneName + where: equals("log.messageId", 609002) + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 609002) + #......................................................................# + # FTD-6-611305 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'VPNClient(\s)?\:' + - fieldName: action + pattern: 'DHCP Policy installed' + - fieldName: log.irrelevant + pattern: '{{.data}}DNS(\s)?\:' + - fieldName: log.primaryDns + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}DNS(\s)?\:' + - fieldName: log.secondaryDns + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}WINS(\s)?\:' + - fieldName: log.primaryWins + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.data}}WINS(\s)?\:' + - fieldName: log.secondaryWins + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + source: log.msg + where: equals("log.messageId", 611305) + #......................................................................# + # FTD-4-733100 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}exceeded' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.burstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxBurstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.avgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxAvgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.cumulativeTotalCount + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 733100) + # Cleaning 
cumulative total count + - grok: + patterns: + - fieldName: log.cumulativeTotalCount + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.cumulativeTotalCount + where: equals("log.messageId", 733100) + # Parsing drop source object + - grok: + patterns: + - fieldName: log.dropSourceObject + pattern: '{{.data}}drop' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 733100) + # Cleaning fields + - trim: + function: suffix + substring: 'drop' + fields: + - log.dropSourceObject + where: equals("log.messageId", 733100) + - trim: + function: suffix + substring: ']' + fields: + - log.dropSourceObject + where: equals("log.messageId", 733100) + - trim: + function: prefix + substring: '[' + fields: + - log.dropSourceObject + where: equals("log.messageId", 733100) + #......................................................................# + # FTD-4-733101 + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}(targeted|attacking)' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.burstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxBurstRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.avgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.maxAvgRateValue + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.data}}is' + - fieldName: log.cumulativeTotalCount + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 733101) + # Cleaning cumulative total count + - grok: + patterns: + - fieldName: log.cumulativeTotalCount + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.cumulativeTotalCount + where: equals("log.messageId", 733101) + # Parsing drop source object + - grok: + patterns: + - 
fieldName: log.dropSourceObject + pattern: '{{.word}}' + - fieldName: log.tmpIp + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: action + where: equals("log.messageId", 733101) + # Renaming from or to ip, according to -> if (targeted|attacking) + - rename: + from: + - log.tmpIp + to: origin.ip + where: equals("log.messageId", 733101) && contains("action", "attacking") + - rename: + from: + - log.tmpIp + to: target.ip + where: equals("log.messageId", 733101) && contains("action", "targeted") + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.messageId", 733101) + #......................................................................# + # FTD-4-733102, 733103 + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.data}}host' + - fieldName: origin.ip + pattern: '({{.ipv4}}|{{.ipv6}}|{{.hostname}})' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: equals("log.messageId", 733102) || log.messageId==733103 + # Adding action + - add: + function: 'string' + params: + key: action + value: 'Threat-detection add host to shun list' + where: (equals("log.messageId", 733102) || log.messageId==733103) && contains("log.msg", "add") + - add: + function: 'string' + params: + key: action + value: 'Threat-detection removes host to shun list' + where: (equals("log.messageId", 733102) || log.messageId==733103) && contains("log.msg", "removes") + #......................................................................# + # Decoding severity + - add: + function: 'string' + params: + key: severity + value: 'high' + where: log.severity=="1" || log.severity=="2" || log.severity=="3" + - add: + function: 'string' + params: + key: severity + value: 'medium' + where: log.severity=="4" + - add: + function: 'string' + params: + key: severity + value: 'low' + where: log.severity=="5" || log.severity=="6" || 
log.severity=="7" + #......................................................................# + # Adding common geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + # Adding log.mappedIpFrom geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIpFrom + destination: log.mappedIpFrom.geolocation + where: exists("log.mappedIpFrom") + # Adding log.mappedIpTo geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIpTo + destination: log.mappedIpTo.geolocation + where: exists("log.mappedIpTo") + # Adding log.translatedIpFrom geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.translatedIpFrom + destination: log.translatedIpFrom.geolocation + where: exists("log.translatedIpFrom") + # Adding log.translatedIpTo geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.translatedIpTo + destination: log.translatedIpTo.geolocation + where: exists("log.translatedIpTo") + # Adding log.globalIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.globalIp + destination: log.globalIp.geolocation + where: exists("log.globalIp") + # Adding log.remoteIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.remoteIp + destination: log.remoteIp.geolocation + where: exists("log.remoteIp") + # Adding log.mappedIp geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.mappedIp + destination: log.mappedIp.geolocation + where: exists("log.mappedIp") + # Adding log.decapsulatedPktDestAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.decapsulatedPktDestAddr + destination: 
log.decapsulatedPktDestAddr.geolocation + where: exists("log.decapsulatedPktDestAddr") + # Adding log.decapsulatedPktSrcAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.decapsulatedPktSrcAddr + destination: log.decapsulatedPktSrcAddr.geolocation + where: exists("log.decapsulatedPktSrcAddr") + # Adding log.localProxyIpAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.localProxyIpAddr + destination: log.localProxyIpAddr.geolocation + where: exists("log.localProxyIpAddr") + # Adding log.remoteProxyIpAddr geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.remoteProxyIpAddr + destination: log.remoteProxyIpAddr.geolocation + where: exists("log.remoteProxyIpAddr") + # Adding log.primaryDns geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.primaryDns + destination: log.primaryDns.geolocation + where: exists("log.primaryDns") + # Adding log.secondaryDns geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.secondaryDns + destination: log.secondaryDns.geolocation + where: exists("log.secondaryDns") + # Adding log.primaryWins geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.primaryWins + destination: log.primaryWins.geolocation + where: exists("log.primaryWins") + # Adding log.secondaryWins geolocation + - dynamic: + plugin: com.utmstack.geolocation + params: + source: log.secondaryWins + destination: log.secondaryWins.geolocation + where: exists("log.secondaryWins") + #......................................................................# + # Common field conversions + - cast: + fields: + - origin.port + - target.port + to: int + # Removing unused fields + - delete: + fields: + - log.firePowerHeader + - log.ciscoSeparator + - log.irrelevant + - log.syslogPri + - log.rest + $$ + WHERE id = 303 ; + ]]> + + + \ No newline at end of file 
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210004_update_filter_cisco_meraki.xml b/backend/src/main/resources/config/liquibase/changelog/20260210004_update_filter_cisco_meraki.xml
new file mode 100644
index 000000000..6f00ab3bd
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210004_update_filter_cisco_meraki.xml
@@ -0,0 +1,1569 @@ + + + + + + + Syslog +# +# 1. Parsing the message field +pipeline: + - dataTypes: + - firewall-meraki + steps: + # Header fields + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(\<{{.integer}}\>)' + - fieldName: log.ciscoTime + pattern: '{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.serverIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}(\s)?\:' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + - grok: + patterns: + - fieldName: log.ciscoTime + pattern: '{{.monthName}}\s{{.monthDay}}\s{{.year}}\s{{.time}}' + - fieldName: log.serverIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}(\s)?\:' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: raw + # Adding control log.controlFlag field (Used to know if the message don't contains the header INT.INT mx_type mx_group) + - add: + function: 'string' + params: + key: log.controlFlag + value: 'Init' + # Begin message parsing + # First extract the generic message, then parse it + - grok: + patterns: + - fieldName: log.controlFlag + pattern: '{{.data}}(\s)(events|flows|urls|ids-alerts|security_event)' + - fieldName: log.genericEvent + pattern: '{{.greedy}}' + source: log.msg + # Parsing variant INT.INT mx_type mx_group + # Parsing from controlFlag (Format: Date? 
IP PORT INT.INT mx_type mx_group) + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.data}}{{.time}}' + - fieldName: log.localIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.local.port + pattern: '{{.integer}}' + - fieldName: log.msgEventTime + pattern: '{{.integer}}\.{{.integer}}' + - fieldName: log.merakiType + pattern: '{{.data}}\s' + - fieldName: log.merakiGroup + pattern: '{{.greedy}}' + source: log.controlFlag + where: '!equals("log.controlFlag", "Init")' + - grok: + patterns: + - fieldName: log.msgEventTime + pattern: '{{.integer}}\.{{.integer}}' + - fieldName: log.merakiType + pattern: '{{.data}}\s' + - fieldName: log.merakiGroup + pattern: '{{.greedy}}' + source: log.controlFlag + where: '!equals("log.controlFlag", "Init")' + # ........................................ + # event vpn connectivity change + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'type(\s)?=' + - fieldName: action + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'vpn_type(\s)?=' + - fieldName: log.vpnType + pattern: '''{{.data}}''' + - fieldName: log.irrelevant + pattern: 'peer_contact(\s)?=' + - fieldName: origin.ip + pattern: '''{{.data}}\:' + - fieldName: origin.port + pattern: '{{.integer}}''' + - fieldName: log.irrelevant + pattern: 'peer_ident(\s)?=' + - fieldName: log.peerIdent + pattern: '''{{.data}}''' + - fieldName: log.irrelevant + pattern: 'connectivity(\s)?=' + - fieldName: log.connectivity + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equals("log.connectivity", "true") + # ........................................ + # event uplink connectivity change + - rename: + from: + - log.genericEvent + to: action + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "failover to")' + # ........................................ 
+ # event uplink connectivity change + # Event: urls, HTTP GET requests in MR Access Points + - rename: + from: + - log.genericEvent + to: action + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "Cellular connection")' + - grok: + patterns: + - fieldName: action + pattern: 'Cellular connection' + - fieldName: log.connectionState + pattern: '(up|Up|down|Down)' + - fieldName: log.msgEventTime + pattern: '{{.integer}}\.{{.integer}}' + - fieldName: log.merakiTypeIn + pattern: '{{.data}}\s' + - fieldName: log.merakiGroupIn + pattern: '(events|flows|urls|ids-alerts|security_event)' + - fieldName: log.irrelevant + pattern: 'src(\s)?=' + - fieldName: origin.ip + pattern: '{{.data}}\:' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'dst(\s)?=' + - fieldName: target.ip + pattern: '{{.data}}\:' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'mac(\s)?=' + - fieldName: origin.mac + pattern: '{{.data}}(\s)' + - fieldName: log.irrelevant + pattern: 'request(\s)?\:' + - fieldName: log.method + pattern: '{{.word}}' + - fieldName: target.url + pattern: '{{.greedy}}' + source: action + where: '!equals("log.controlFlag", "Init") && contains("action", "Cellular connection")' + - grok: + patterns: + - fieldName: action + pattern: 'Cellular connection' + - fieldName: log.connectionState + pattern: '(up|Up|down|Down)' + source: action + where: '!equals("log.controlFlag", "Init") && contains("action", "Cellular connection")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: equalsIgnoreCase("log.connectionState", "up") + # ........................................ 
+ # Event: event, dhcp no offers + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}for\smac' + - fieldName: origin.mac + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'host(\s)?=' + - fieldName: origin.ip + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp no offers")' + - trim: + function: suffix + substring: 'for mac' + fields: + - action + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp no offers")' + # ........................................ + # Event: event, dhcp lease + - grok: + patterns: + - fieldName: action + pattern: '{{.data}}of\sip' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'from server mac' + - fieldName: log.serverMac + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'for client mac' + - fieldName: origin.mac + pattern: '{{.data}}\s' + - fieldName: log.irrelevant + pattern: 'from router' + - fieldName: log.routerIp + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'on subnet' + - fieldName: log.subnet + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: 'with dns' + - fieldName: log.dns + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}' + - fieldName: log.irrelevant + pattern: ',' + - fieldName: log.dns1 + pattern: '{{.greedy}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp lease")' + - trim: + function: suffix + substring: 'of ip' + fields: + - action + where: '!equals("log.controlFlag", "Init") && contains("log.genericEvent", "dhcp lease")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: contains("log.genericEvent", "dhcp lease") + # ........................................ 
+ # Event: event, HTTP GET requests in Meraki MX Security Appliance
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'src(\s)?='
+ - fieldName: origin.ip
+ pattern: '{{.data}}\:'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'dst(\s)?='
+ - fieldName: target.ip
+ pattern: '{{.data}}\:'
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'mac(\s)?='
+ - fieldName: origin.mac
+ pattern: '{{.data}}(\s)'
+ - fieldName: log.irrelevant
+ pattern: 'request(\s)?\:'
+ - fieldName: log.method
+ pattern: '{{.word}}'
+ - fieldName: target.url
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="urls"'
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="urls"'
+ # ........................................
+ # Event: flows, IP session initiated in Meraki MX Security Appliance
+ # First variant
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'src(\s)?='
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: 'dst(\s)?='
+ - fieldName: target.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: 'mac(\s)?='
+ - fieldName: origin.mac
+ pattern: '{{.data}}(\s)'
+ - fieldName: log.irrelevant
+ pattern: 'protocol(\s)?='
+ - fieldName: protocol
+ pattern: '{{.data}}(\s)'
+ - fieldName: log.irrelevant
+ pattern: 'sport(\s)?='
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'dport(\s)?='
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'pattern(\s)?\:'
+ - fieldName: log.pattern
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows"'
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'src(\s)?='
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: 'dst(\s)?='
+ - fieldName: target.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: 'protocol(\s)?='
+ - fieldName: protocol
+ pattern: '{{.data}}(\s)'
+ - fieldName: log.irrelevant
+ pattern: 'sport(\s)?='
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'dport(\s)?='
+ - fieldName: target.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'pattern(\s)?\:'
+ - fieldName: log.pattern
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows"'
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ 
value: 'accepted'
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (startsWith("log.pattern", "0") || startsWith("log.pattern", "allow") || startsWith("log.pattern", "Allow"))'
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "src") && log.merakiGroup=="flows" && (startsWith("log.pattern", "deny") || startsWith("log.pattern", "Deny"))'
+ # ........................................
+ # Event: ids-alerts, ids signature matched in Meraki MX Security Appliance
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'signature(\s)?='
+ - fieldName: log.signature
+ pattern: '{{.data}}priority'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}='
+ - fieldName: log.priority
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'timestamp(\s)?='
+ - fieldName: log.msgEventTimeIn
+ pattern: '{{.integer}}\.{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'direction(\s)?='
+ - fieldName: log.direction
+ pattern: '{{.word}}'
+ - fieldName: log.irrelevant
+ pattern: 'protocol(\s)?='
+ - fieldName: protocol
+ pattern: '{{.data}}(\s)'
+ - fieldName: log.irrelevant
+ pattern: 'src(\s)?='
+ - fieldName: origin.ip
+ pattern: '{{.data}}\:'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "signature") && log.merakiGroup=="ids-alerts"'
+ - trim:
+ function: suffix
+ substring: 'priority'
+ fields:
+ - log.signature
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "signature") && log.merakiGroup=="ids-alerts"'
+ # ........................................
+ # Event: event IPsec-SA request queued due to no phase 1 found, phase2 negotiation failed, initiate new phase 1 negotiation,
+ # ISAKMP-SA established, initiate new phase 2 negotiation, IPsec-SA established, ISAKMP-SA established, and ISAKMP-SA deleted
+ # in Meraki MX Security Appliance
+ # This type of message mx_type=labs_appliance mx_group=events
+ # First variant
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)(deleted|established)'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: origin.port
+ pattern: '\[(\s)?{{.integer}}(\s)?\]'
+ - fieldName: log.irrelevant
+ pattern: '-'
+ - fieldName: target.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: target.port
+ pattern: '\[(\s)?{{.integer}}(\s)?\]'
+ - fieldName: log.irrelevant
+ pattern: 'spi(\s)?\:'
+ - fieldName: log.spi
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+ # Second variant
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)request(\s)for'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: log.irrelevant
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+ # Third variant
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)negotiation(\s)failed'
+ - fieldName: log.irrelevant
+ pattern: '{{.data}}ESP'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: origin.port
+ pattern: '\[(\s)?{{.integer}}(\s)?\]'
+ - fieldName: log.irrelevant
+ pattern: '-\>'
+ - fieldName: target.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: target.port
+ pattern: 
'\[(\s)?{{.integer}}(\s)?\]'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+ # Fourth variant
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)negotiation(\s)?\:'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: origin.port
+ pattern: '\[(\s)?{{.integer}}(\s)?\]'
+ - fieldName: log.irrelevant
+ pattern: '\<=\>'
+ - fieldName: target.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: target.port
+ pattern: '\[(\s)?{{.integer}}(\s)?\]'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+ # Fifth variant
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Site-to-site VPN(\s)?\:(\s)?{{.greedy}}(\s)established\:(\s)?ESP/Tunnel'
+ - fieldName: origin.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: origin.port
+ pattern: '\[(\s)?{{.integer}}(\s)?\]'
+ - fieldName: log.irrelevant
+ pattern: '-\>'
+ - fieldName: target.ip
+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}'
+ - fieldName: target.port
+ pattern: '\[(\s)?{{.integer}}(\s)?\]'
+ - fieldName: log.irrelevant
+ pattern: 'spi(\s)?='
+ - fieldName: log.spi
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+ - trim:
+ function: prefix
+ substring: '['
+ fields:
+ - origin.port
+ - target.port
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+ - trim:
+ function: suffix
+ substring: ']'
+ fields:
+ - origin.port
+ - target.port
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events"'
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: 
actionResult
+ value: 'accepted'
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Site") && log.merakiGroup=="events" && (contains("log.genericEvent", "queued due to no phase 1") || contains("log.genericEvent", "queued due to no phase1") || || contains("log.genericEvent", "established"))'
+ # ........................................
+ # Event: event spanning-tree guard state change in Meraki MS Switches
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Port'
+ - fieldName: origin.port
+ pattern: '{{.integer}}'
+ - fieldName: log.irrelevant
+ pattern: 'received an'
+ - fieldName: protocol
+ pattern: '{{.data}}BPDU'
+ - fieldName: log.irrelevant
+ pattern: 'from'
+ - fieldName: origin.mac
+ pattern: '{{.data}}so'
+ - fieldName: log.irrelevant
+ pattern: 'the port was'
+ - fieldName: actionResult
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"'
+ - trim:
+ function: suffix
+ substring: 'BPDU'
+ fields:
+ - protocol
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"'
+ - trim:
+ function: suffix
+ substring: 'so'
+ fields:
+ - origin.mac
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events"'
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Port") && log.merakiGroup=="events" && contains("log.genericEvent", "blocked")'
+ # ........................................
+ # Event: event blocked DHCP server response in Meraki MS Switches
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'Blocked'
+ - fieldName: protocol
+ pattern: '{{.data}}server'
+ - fieldName: log.irrelevant
+ pattern: 'response from'
+ - fieldName: origin.mac
+ pattern: '{{.data}}on'
+ - fieldName: log.irrelevant
+ pattern: 'VLAN'
+ - fieldName: log.vlan
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"'
+ - trim:
+ function: suffix
+ substring: 'server'
+ fields:
+ - protocol
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"'
+ - trim:
+ function: suffix
+ substring: 'on'
+ fields:
+ - origin.mac
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "Blocked") && log.merakiGroup=="events"'
+ # ........................................
+ # Event: event 802.1X (all events) in Meraki MS Switches
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'type(\s)?='
+ - fieldName: action
+ pattern: '{{.data}}port'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: origin.port
+ pattern: '{{.data}}identity'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.identity
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
+ - trim:
+ function: suffix
+ substring: 'port'
+ fields:
+ - action
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
+ - trim:
+ function: prefix
+ substring: ''''
+ fields:
+ - origin.port
+ - log.identity
+ where: '!equals("log.controlFlag", "Init") && 
startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
+ - trim:
+ function: suffix
+ substring: ''''
+ fields:
+ - origin.port
+ - log.identity
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "identity") && contains("log.genericEvent", "port")'
+ # ........................................
+ # Event: event 802.11 disassociation in Meraki MR Access Points
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'type(\s)?='
+ - fieldName: action
+ pattern: '{{.data}}radio'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.radio
+ pattern: '{{.data}}vap'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.vap
+ pattern: '{{.data}}channel'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.channel
+ pattern: '{{.data}}reason'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.reason
+ pattern: '{{.data}}instigator'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.instigator
+ pattern: '{{.data}}duration'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.duration
+ pattern: '{{.data}}auth_neg_dur'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.authNegDur
+ pattern: '{{.data}}last_auth_ago'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.lastAuthAgo
+ pattern: '{{.data}}is_wpa'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.isWpa
+ pattern: '{{.data}}full_conn'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.fullConn
+ pattern: '{{.data}}ip_resp'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.ipResp
+ pattern: '{{.data}}ip_src'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: origin.ip
+ pattern: '{{.data}}arp_resp'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.arpResp
+ pattern: 
'{{.data}}arp_src'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.arpSrc
+ pattern: '{{.data}}dns_server'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.dnsServer
+ pattern: '{{.data}}dns_req_rtt'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.dnsReqRtt
+ pattern: '{{.data}}dns_resp'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.dnsResp
+ pattern: '{{.data}}aid'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.aid
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'radio'
+ fields:
+ - action
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'vap'
+ fields:
+ - log.radio
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'channel'
+ fields:
+ - log.vap
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ 
substring: 'reason'
+ fields:
+ - log.channel
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'instigator'
+ fields:
+ - log.reason
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'duration'
+ fields:
+ - log.instigator
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'auth_neg_dur'
+ fields:
+ - log.duration
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'last_auth_ago'
+ fields:
+ - log.authNegDur
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'is_wpa'
+ fields:
+ - log.lastAuthAgo
+ where: '!equals("log.controlFlag", "Init") && 
startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'full_conn'
+ fields:
+ - log.isWpa
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'ip_resp'
+ fields:
+ - log.fullConn
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'ip_src'
+ fields:
+ - log.ipResp
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'arp_resp'
+ fields:
+ - origin.ip
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'arp_src'
+ fields:
+ - log.arpResp
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && 
contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'dns_server'
+ fields:
+ - log.arpSrc
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'dns_req_rtt'
+ fields:
+ - log.dnsServer
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'dns_resp'
+ fields:
+ - log.dnsReqRtt
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: 'aid'
+ fields:
+ - log.dnsResp
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: prefix
+ substring: ''''
+ fields:
+ - log.radio
+ - log.vap
+ - log.channel
+ - log.reason
+ - log.instigator
+ - log.duration
+ - log.authNegDur
+ - log.lastAuthAgo
+ - log.isWpa
+ - log.fullConn
+ - log.ipResp
+ - origin.ip
+ - log.arpResp
+ - log.arpSrc
+ - log.dnsServer
+ - log.dnsReqRtt
+ - log.dnsResp
+ - log.aid
+ 
where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ - trim:
+ function: suffix
+ substring: ''''
+ fields:
+ - log.radio
+ - log.vap
+ - log.channel
+ - log.reason
+ - log.instigator
+ - log.duration
+ - log.authNegDur
+ - log.lastAuthAgo
+ - log.isWpa
+ - log.fullConn
+ - log.ipResp
+ - origin.ip
+ - log.arpResp
+ - log.arpSrc
+ - log.dnsServer
+ - log.dnsReqRtt
+ - log.dnsResp
+ - log.aid
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ # Adding action result
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "channel") && contains("log.genericEvent", "auth_neg_dur") && contains("log.genericEvent", "last_auth_ago")'
+ # ........................................
+ # Event: event 802.1X (all events) in Meraki MR Access Points
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'type(\s)?='
+ - fieldName: action
+ pattern: '{{.data}}radio'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.radio
+ pattern: '{{.data}}vap'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.vap
+ pattern: '{{.data}}identity'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.identity
+ pattern: '{{.data}}aid'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.aid
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+ - trim:
+ function: suffix
+ substring: 'radio'
+ fields:
+ - action
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+ - trim:
+ function: suffix
+ substring: 'vap'
+ fields:
+ - log.radio
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+ - trim:
+ function: suffix
+ substring: 'identity'
+ fields:
+ - log.vap
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+ - trim:
+ function: suffix
+ substring: 'aid'
+ fields: 
+ - log.identity
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+ - trim:
+ function: prefix
+ substring: ''''
+ fields:
+ - log.radio
+ - log.vap
+ - log.identity
+ - log.aid
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+ - trim:
+ function: suffix
+ substring: ''''
+ fields:
+ - log.radio
+ - log.vap
+ - log.identity
+ - log.aid
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "radio") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "identity") && contains("log.genericEvent", "aid")'
+ # ........................................
+ # Event: event splash authentication in Meraki MR Access Points
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'type(\s)?='
+ - fieldName: action
+ pattern: '{{.data}}ip'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: origin.ip
+ pattern: '{{.data}}duration'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.duration
+ pattern: '{{.data}}vap'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.vap
+ pattern: '{{.data}}download'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.download
+ pattern: '{{.data}}upload'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.upload
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+ - trim:
+ function: suffix
+ substring: 'ip'
+ fields:
+ - action
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+ - trim:
+ function: suffix
+ substring: 'duration'
+ fields:
+ - origin.ip
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+ - trim:
+ function: suffix
+ substring: 'vap'
+ fields:
+ - log.duration
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && 
log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+ - trim:
+ function: suffix
+ substring: 'download'
+ fields:
+ - log.vap
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+ - trim:
+ function: suffix
+ substring: 'upload'
+ fields:
+ - log.download
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+ - trim:
+ function: prefix
+ substring: ''''
+ fields:
+ - origin.ip
+ - log.vap
+ - log.duration
+ - log.download
+ - log.upload
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+ - trim:
+ function: suffix
+ substring: ''''
+ fields:
+ - origin.ip
+ - log.vap
+ - log.duration
+ - log.download
+ - log.upload
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+ # Adding action result
+ - add:
+ function: 
'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "ip") && contains("log.genericEvent", "vap") && contains("log.genericEvent", "duration") && contains("log.genericEvent", "download") && contains("log.genericEvent", "upload")'
+ # ........................................
+ # Event: event wireless packet flood detected in Meraki MR Access Points
+ - grok:
+ patterns:
+ - fieldName: log.irrelevant
+ pattern: 'type(\s)?='
+ - fieldName: action
+ pattern: '{{.data}}(\s)packet'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.packet
+ pattern: '{{.data}}device'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: origin.mac
+ pattern: '{{.data}}radio'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.radio
+ pattern: '{{.data}}state'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.state
+ pattern: '{{.data}}alarm_id'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.alarmId
+ pattern: '{{.data}}dos_count'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.dosCount
+ pattern: '{{.data}}inter_arrival'
+ - fieldName: log.irrelevant
+ pattern: '='
+ - fieldName: log.interArrival
+ pattern: '{{.greedy}}'
+ source: log.genericEvent
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")'
+ - trim:
+ function: suffix
+ substring: 'packet'
+ fields:
+ - action
+ where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && 
contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'device' + fields: + - log.packet + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'radio' + fields: + - origin.mac + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'state' + fields: + - log.radio + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'alarm_id' + fields: + - log.state + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'dos_count' + fields: + - log.alarmId + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && 
contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: 'inter_arrival' + fields: + - log.dosCount + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: prefix + substring: '''' + fields: + - origin.ip + - origin.mac + - log.radio + - log.packet + - log.dosCount + - log.alarmId + - log.state + - log.interArrival + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + - trim: + function: suffix + substring: '''' + fields: + - origin.ip + - origin.mac + - log.radio + - log.packet + - log.dosCount + - log.alarmId + - log.state + - log.interArrival + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "type") && log.merakiGroup=="events" && contains("log.genericEvent", "packet") && contains("log.genericEvent", "device") && contains("log.genericEvent", "state") && contains("log.genericEvent", "alarm_id") && contains("log.genericEvent", "dos_count")' + # ........................................ 
+ # Event: flows, flow allowed by Layer 3 firewall in Meraki MR Access Points + - grok: + patterns: + - fieldName: actionResult + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: 'src(\s)?=' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}' + - fieldName: log.irrelevant + pattern: 'dst(\s)?=' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}' + - fieldName: log.irrelevant + pattern: 'mac(\s)?=' + - fieldName: origin.mac + pattern: '{{.data}}protocol' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: protocol + pattern: '{{.data}}sport' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'dport(\s)?=' + - fieldName: target.port + pattern: '{{.integer}}' + source: log.genericEvent + where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")' + - trim: + function: suffix + substring: 'sport' + fields: + - protocol + where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")' + - trim: + function: suffix + substring: 'protocol' + fields: + - origin.mac + where: '!equals("log.controlFlag", "Init") && (startsWith("log.genericEvent", "allow") || startsWith("log.genericEvent", "deny")) && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", 
"dport") && contains("log.genericEvent", "mac")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "allow") && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")' + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'denied' + where: '!equals("log.controlFlag", "Init") && startsWith("log.genericEvent", "deny") && log.merakiGroup=="flows" && contains("log.genericEvent", "src") && contains("log.genericEvent", "dst") && contains("log.genericEvent", "sport") && contains("log.genericEvent", "dport") && contains("log.genericEvent", "mac")' + # ........................................ + # Event: event rogue SSID detected and SSID spoofing detected in Meraki MR Access Points + # First variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'airmarshal_events(\s)type(\s)?=' + - fieldName: action + pattern: '{{.data}}ssid(\s)?=' + - fieldName: log.ssid + pattern: '{{.data}}bssid' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.bssid + pattern: '{{.data}}src' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.mac + pattern: '{{.data}}dst' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: target.mac + pattern: '{{.data}}wired_mac' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.wiredMac + pattern: '{{.data}}vlan_id' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.vlanId + pattern: '{{.data}}channel' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.channel + pattern: '{{.data}}rssi' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.rssi + pattern: '{{.data}}fc_type' + - fieldName: log.irrelevant + pattern: '=' + - 
fieldName: log.fcType + pattern: '{{.data}}fc_subtype' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.fcSubType + pattern: '{{.greedy}}' + source: log.msg + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + # Second variant + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'airmarshal_events(\s)type(\s)?=' + - fieldName: action + pattern: '{{.data}}ssid(\s)?=' + - fieldName: log.ssid + pattern: '{{.data}}vap' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.vap + pattern: '{{.data}}bssid' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.bssid + pattern: '{{.data}}src' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.mac + pattern: '{{.data}}dst' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: target.mac + pattern: '{{.data}}channel' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.channel + pattern: '{{.data}}rssi' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.rssi + pattern: '{{.data}}fc_type' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.fcType + pattern: '{{.data}}fc_subtype' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.fcSubType + pattern: '{{.greedy}}' + source: log.msg + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: '=' + fields: + - action + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'ssid' + fields: + - action + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && 
contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'bssid' + fields: + - log.ssid + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'vap' + fields: + - log.ssid + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'bssid' + fields: + - log.vap + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'src' + fields: + - log.bssid + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'dst' + fields: + - origin.mac + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'wired_mac' + fields: + - target.mac + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'channel' + fields: + - target.mac + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'vlan_id' + fields: + - log.wiredMac + where: startsWith("log.genericEvent", 
"airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'channel' + fields: + - log.vlanId + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'rssi' + fields: + - log.channel + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'fc_type' + fields: + - log.rssi + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: 'fc_subtype' + fields: + - log.fcType + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: prefix + substring: '''' + fields: + - action + - log.ssid + - log.bssid + - origin.mac + - target.mac + - log.wiredMac + - log.vlanId + - log.channel + - log.rssi + - log.fcType + - log.fcSubType + - log.vap + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + - trim: + function: suffix + substring: '''' + fields: + - action + - log.ssid + - log.bssid + - origin.mac + - target.mac + - log.wiredMac + - log.vlanId + - log.channel + - log.rssi + - log.fcType + - log.fcSubType + - log.vap + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", 
"bssid") + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: startsWith("log.genericEvent", "airmarshal_events") && contains("log.genericEvent", "type") && contains("log.genericEvent", "ssid") && contains("log.genericEvent", "bssid") + # ........................................ + # Event: security_event ids_alerted, ids signature matched in Meraki MX Security Appliance + - grok: + patterns: + - fieldName: log.irrelevant + pattern: 'signature(\s)?=' + - fieldName: log.signature + pattern: '{{.data}}priority' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.priority + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'timestamp(\s)?=' + - fieldName: log.msgEventTime + pattern: '{{.data}}dhost' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.mac + pattern: '{{.data}}direction' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: log.direction + pattern: '{{.data}}protocol' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: protocol + pattern: '{{.data}}src' + - fieldName: log.irrelevant + pattern: '=' + - fieldName: origin.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}\:' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: 'dst(\s)?=' + - fieldName: target.ip + pattern: '{{.ipv4}}|{{.ipv6}}|{{.hostname}}\:' + - fieldName: target.port + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.msg + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'priority' + fields: + - log.signature + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && 
contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'dhost' + fields: + - log.msgEventTime + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'direction' + fields: + - origin.mac + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'protocol' + fields: + - log.direction + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + - trim: + function: suffix + substring: 'src' + fields: + - protocol + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + # Adding action result + - add: + function: 'string' + params: + key: actionResult + value: 'accepted' + where: startsWith("log.genericEvent", "signature") && contains("log.genericEvent", "priority") && contains("log.genericEvent", "timestamp") && contains("log.genericEvent", "direction") && contains("log.genericEvent", "dhost") + # ............................................................................ 
+ # Cleaning common fields
+ - trim:
+ function: suffix
+ substring: ':'
+ fields:
+ - log.localIp
+ - origin.ip
+ - target.ip
+ - log.serverIp
+ - trim:
+ function: prefix
+ substring: ''''
+ fields:
+ - origin.ip
+ - log.peerIdent
+ - log.connectivity
+ - log.vpnType
+ - trim:
+ function: suffix
+ substring: ''''
+ fields:
+ - origin.port
+ - log.peerIdent
+ - log.connectivity
+ - log.vpnType
+ #......................................................................#
+ # Adding geolocation
+ - dynamic:
+ plugin: com.utmstack.geolocation
+ params:
+ source: origin.ip
+ destination: origin.geolocation
+ where: exists("origin.ip")
+ - dynamic:
+ plugin: com.utmstack.geolocation
+ params:
+ source: target.ip
+ destination: target.geolocation
+ where: exists("target.ip")
+ - dynamic:
+ plugin: com.utmstack.geolocation
+ params:
+ source: log.serverIp
+ destination: log.serverIp.geolocation
+ where: exists("log.serverIp")
+ - dynamic:
+ plugin: com.utmstack.geolocation
+ params:
+ source: log.localIp
+ destination: log.localIp.geolocation
+ where: exists("log.localIp")
+ - dynamic:
+ plugin: com.utmstack.geolocation
+ params:
+ source: log.ipResp
+ destination: log.ipResp.geolocation
+ where: exists("log.ipResp")
+ #......................................................................#
+ # Common field conversions
+ - cast:
+ fields:
+ - origin.port
+ - target.port
+ to: int
+ #......................................................................#
+ # Removing unused fields
+ - delete:
+ fields:
+ - log.controlFlag
+ - log.irrelevant
+ - log.genericEvent
+ $$
+ WHERE id = 302 ;
+ ]]>
+
+
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210005_update_filter_cisco_deceptive_bytes.xml b/backend/src/main/resources/config/liquibase/changelog/20260210005_update_filter_cisco_deceptive_bytes.xml
new file mode 100644
index 000000000..94646afdd
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210005_update_filter_cisco_deceptive_bytes.xml 
@@ -0,0 +1,510 @@ + + + + + + + ' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.notDefined + pattern: '{{.integer}}' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: 
log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}\:' + - fieldName: log.userWithTrash + pattern: '{{.data}}CEF' + - fieldName: log.1trash + pattern: '\:{{.integer}}' + - fieldName: log.messageWithTrash + pattern: '{{.data}}{{.word}}\={{.data}}{{.space}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}\:' + - fieldName: log.userWithTrash + pattern: '{{.data}}CEF' + - fieldName: log.1trash + pattern: '\:{{.integer}}' + - fieldName: log.messageWithTrash + pattern: '{{.data}}{{.word}}\={{.data}}{{.space}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.user + pattern: '{{.greedy}}{{.space}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.userWithTrash + + - grok: + patterns: + - fieldName: log.message + pattern: '{{.greedy}}{{.space}}' + - fieldName: log.restMessageToKv + pattern: '{{.greedy}}' + source: log.messageWithTrash + + # Parsing the common fields + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.eventTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.restMessage + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.eventTime + pattern: '\[{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.hour}}\:{{.minute}}\:{{.seconds}}' + - fieldName: log.restMessage + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: 
+ - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.eventTime + pattern: '{{.monthDay}}-{{.monthNumber}}{{.space}}{{.hour}}\:{{.minute}}\:{{.seconds}}' + - fieldName: log.restMessage + pattern: '{{.greedy}}' + source: raw + + # Parse the restMessage field from the rest of the common fields + - grok: + patterns: + - fieldName: log.processId + pattern: '\,{{.integer}}' + - fieldName: log.trheadId + pattern: '\,\-' + - fieldName: log.eventType + pattern: '\,{{.integer}}' + - fieldName: log.eventSource + pattern: '\,{{.word}}' + - fieldName: log.processName + pattern: '\,{{.integer}}' + - fieldName: log.processPath + pattern: '\,{{.word}}' + - fieldName: log.platform + pattern: '\,{{.data}}\,' + - fieldName: origin.path + pattern: '{{.greedy}}\,' + - fieldName: command + pattern: '{{.greedy}}' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.processId + pattern: '\,{{.integer}}' + - fieldName: log.trheadId + pattern: '\,{{.data}}\,' + - fieldName: log.eventType + pattern: '{{.integer}}' + - fieldName: log.eventSource + pattern: '\,\-' + - fieldName: log.processName + pattern: '\,{{.word}}\.{{.word}}' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.processId + pattern: '\,{{.integer}}' + - fieldName: log.trheadId + pattern: '\,{{.data}}\,' + - fieldName: log.eventType + pattern: '{{.integer}}' + - fieldName: log.eventSource + pattern: '\,\-\,' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '{{.word}}\s' + - fieldName: log.trheadId + pattern: '{{.integer}}\,' + - fieldName: log.eventSource + pattern: '{{.integer}}\s' + - fieldName: log.component + pattern: '{{.word}}\,' + - fieldName: log.errorCode + pattern: '{{.integer}}\]' + - fieldName: log.restDataMessage + pattern: '{{.greedy}}' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '{{.word}}\s' + - fieldName: log.trheadId + pattern: 
'{{.integer}}\,' + - fieldName: log.eventSource + pattern: '{{.integer}}\s' + - fieldName: log.component + pattern: '{{.word}}\,' + - fieldName: log.trheadId + pattern: '{{.integer}}\,' + - fieldName: log.eventSource + pattern: '{{.integer}}\s' + - fieldName: log.component + pattern: '{{.word}}\,' + - fieldName: log.errorCode + pattern: '{{.integer}}\]\s' + - fieldName: origin.path + pattern: '(?:[A-Z]:\\(?:[^\\\n]+\\)*[^\\\n]*|\/(?:[^\/\n]+\/)*[^\/\n]*)' + source: log.restMessage + where: contains("log.severityLabelCharacter", "V") + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '{{.word}}\s' + - fieldName: log.processId + pattern: '{{.integer}}\,' + - fieldName: log.trheadId + pattern: '{{.integer}}\s' + - fieldName: log.methodName + pattern: '\:\:{{.data}}\,' + - fieldName: log.returnCode + pattern: '{{.integer}}\]\s' + - fieldName: log.detailedMessage + pattern: '\({{.data}}\)' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '{{.word}}\s' + - fieldName: log.processId + pattern: '{{.integer}}\,' + - fieldName: log.trheadId + pattern: '{{.integer}}\s' + - fieldName: log.methodName + pattern: '{{.data}}\:\:{{.data}}\,' + - fieldName: log.returnCode + pattern: '{{.integer}}\]\s' + - fieldName: log.message + pattern: '{{.greedy}}' + source: log.restMessage + + - grok: + patterns: + - fieldName: log.severityLabelCharacter + pattern: '\[{{.data}}\]' + - fieldName: log.processId + pattern: '\[{{.integer}}\/' + - fieldName: log.trheadId + pattern: '{{.data}}\]:?\s' + - fieldName: log.message + pattern: '{{.greedy}}' + source: log.restMessage + + # Using kv for the rest of the trash in the message + - kv: + fieldSplit: " " + valueSplit: "=" + source: log.restMessageToKv + + # Using grok to analyze the rest of the data + - grok: + patterns: + - fieldName: log.productVendor + pattern: '\|{{.data}}\|' + - fieldName: log.product + pattern: '{{.data}}\|' + - fieldName: log.productVersion + 
pattern: '{{.data}}\|' + - fieldName: log.signatureID + pattern: '{{.data}}\|' + - fieldName: log.eventType + pattern: '{{.data}}\|' + - fieldName: log.severity + pattern: '{{.data}}\|' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.pidStatusToKv + pattern: '\[{{.data}}\]' + - fieldName: log.message + pattern: '{{.greedy}}' + source: log.restDataMessage + + - grok: + patterns: + - fieldName: log.0trash + pattern: '{{.data}}PID=' + - fieldName: log.pid + pattern: '{{.integer}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: raw + where: contains("log.severityLabelCharacter", "W") + + # Removing unnecessary characters + - trim: + function: prefix + substring: '|' + fields: + - log.productVendor + + - trim: + function: suffix + substring: '|' + fields: + - log.productVendor + - log.product + - log.productVersion + - log.signatureID + - log.eventType + - log.severity + + - trim: + function: suffix + substring: ':' + fields: + - log.trheadId + + - trim: + function: suffix + substring: '/' + fields: + - log.processId + + - trim: + function: prefix + substring: '<' + fields: + - log.syslogPriority + + - trim: + function: suffix + substring: '>' + fields: + - log.syslogPriority + + - trim: + function: prefix + substring: ',' + fields: + - log.trheadId + - log.processId + - log.eventType + - log.eventSource + - log.processName + - log.processPath + - log.platform + - origin.path + + - trim: + function: suffix + substring: ',' + fields: + - log.trheadId + - log.component + - log.platform + - origin.path + - log.eventSource + - log.processId + - log.methodName + + - trim: + function: prefix + substring: '"' + fields: + - command + + - trim: + function: suffix + substring: '"' + fields: + - command + + - trim: + function: prefix + substring: '[' + fields: + - log.eventTime + - log.processId + - log.severityLabelCharacter + + - trim: + function: suffix + substring: ']' + fields: + - 
log.status
+ - log.errorCode
+ - log.returnCode
+ - log.severityLabelCharacter
+ - log.trheadId
+
+ # Using the kv filter with default config, usefull in key-value logs
+ - kv:
+ fieldSplit: " "
+ valueSplit: "="
+ source: log.restData
+
+ # Using the kv filter with other config, usefull in key-value logs
+ - kv:
+ fieldSplit: ", "
+ valueSplit: "="
+ source: log.pidStatusToKv
+
+ # Adding severity based on log.severityLabelCharacter
+ - add:
+ function: 'string'
+ params:
+ key: severity
+ value: 'high'
+ where: oneOf("log.severityLabelCharacter", ["C", "A", "E"])
+
+ - add:
+ function: 'string'
+ params:
+ key: severity
+ value: 'medium'
+ where: equals("log.severityLabelCharacter", "W")
+
+ - add:
+ function: 'string'
+ params:
+ key: severity
+ value: 'low'
+ where: oneOf("log.severityLabelCharacter", ["D", "V", "N", "I", "T"])
+
+ # Removing unused fields
+ - delete:
+ fields:
+ - log.0trash
+ - log.1trash
+ - log.restData
+ - log.restMessage
+ - log.restDataMessage
+ - log.irrelevant
+ - log.messageWithTrash
+ - log.restMessageToKv
+ - log.pidStatusToKv
+ - log.userWithTrash
+ - log.severityLabelCharacter
+
+
+ $$
+ WHERE id = 1512 ;
+ ]]>
+
+
+
\ No newline at end of file
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_aix_ibm.xml b/backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_aix_ibm.xml
new file mode 100644
index 000000000..700b33d8c
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260210006_update_filter_aix_ibm.xml
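Review bot: The `grok` over `log.restMessage` that is guarded by `where: contains("log.severityLabelCharacter", "V")` lists `log.trheadId`, `log.eventSource` and `log.component` twice in one pattern sequence (once right after `log.severityLabelCharacter`, then again between `log.component` and `log.errorCode`), so the second trio either overwrites the first capture or makes the whole pattern fail on lines that carry only one `<id>, <id> <component>,` group; the repeated three `fieldName`/`pattern` pairs look like a copy-paste remnant of the preceding grok and should be removed so the step reads `... log.component '{{.word}}\,' -> log.errorCode '{{.integer}}\]\s' -> origin.path`. Separately, the two `kv` steps split `log.restData` and `log.pidStatusToKv` on `=` with no key allow-list, so if this kv filter emits keys at the top level rather than under a prefix (not visible here), any `key=value` token an attacker can get into the raw syslog payload could populate or overwrite normalized fields such as `origin.user` or `command` before the `severity` adds run; worth confirming the filter namespaces its output or restricting it to the expected keys. Minor: the two kv comments say `usefull` (should be `useful`), and the field is spelled `log.trheadId` throughout — presumably `threadId`, though renaming it changes the stored schema and would need a coordinated change in the rules/dashboards that read it.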
@@ -0,0 +1,588 @@ + + + + + + + ' + - fieldName: log.deviceTime + pattern: '{{.monthName}}{{.space}}{{.monthDay}}{{.space}}{{.time}}' + - fieldName: log.msgInit + pattern: '{{.greedy}}' + source: raw + + #......................................................................# + # Removing unnecessary characters of the syslogHeader + #......................................................................# + - trim: + function: prefix + substring: "<" + fields: + - log.priority + - trim: + function: suffix + substring: ">" + fields: + - log.priority + + # .......................................................................# + # Checking that the message contains Message forwarded from + # .......................................................................# + - grok: + patterns: + - fildName: log.irrelevant + pattern: 'Message(\s)forwarded(\s)from' + - fieldName: from.host + pattern: '{{.data}}(\:)' + - fieldName: log.msgAll + pattern: '{{.greedy}}' + source: log.msgInit + where: contains("log.msgInit", "Message forwarded from") + + # Removing unnecessary characters + - trim: + function: suffix + substring: ":" + fields: + - from.host + + #......................................................................# + # Checking that the message contains TTY= or PWD= or COMMAND= or USER= + #......................................................................# + - grok: + patterns: + - fieldName: log.commandType + pattern: '{{.data}}(\:)' + - fieldName: origin.user + pattern: '{{.data}}(\s)?(\:)' + - fieldName: log.msgWithTTY + pattern: '{{.greedy}}' + source: log.msgAll + where: contains("log.msgAll", "TTY=") || contains("log.msgAll", "PWD=") || contains("log.msgAll", "USER=") || contains("log.msgAll", "COMMAND=") + + # Removing unnecessary characters + - trim: + function: suffix + substring: ":" + fields: + - log.commandType + - origin.user + # ......................................................................# + # Using grok to parse msgWithTTY individual 
fields + # If "TTY=" in [msgWithTTY] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(TTY=)' + - fieldName: log.tty + pattern: '{{.data}}(\;)' + - fieldName: log.msgWithTTY + pattern: '{{.greedy}}' + source: log.msgWithTTY + where: contains("log.msgWithTTY", "TTY=") || contains("log.msgWithTTY", "PWD=") || contains("log.msgWithTTY", "USER=") || contains("log.msgWithTTY", "COMMAND=") + + # ......................................................................# + # If "PWD=" in [msgWithTTY] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(PWD=)' + - fieldName: log.pwd + pattern: '{{.data}}(\;)' + - fieldName: log.msgWithTTY + pattern: '{{.greedy}}' + source: log.msgWithTTY + where: contains("log.msgWithTTY", "TTY=") || contains("log.msgWithTTY", "PWD=") || contains("log.msgWithTTY", "USER=") || contains("log.msgWithTTY", "COMMAND=") + + # ......................................................................# + # If "USER=" in [msgWithTTY] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(USER=)' + - fieldName: origin.user + pattern: '{{.data}}(\;)' + - fieldName: log.msgWithTTY + pattern: '{{.greedy}}' + source: log.msgWithTTY + where: contains("log.msgWithTTY", "TTY=") || contains("log.msgWithTTY", "PWD=") || contains("log.msgWithTTY", "USER=") || contains("log.msgWithTTY", "COMMAND=") + + # ......................................................................# + # If "COMMAND=" in [msgWithTTY] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(COMMAND=)' + - fieldName: origin.command + pattern: '{{.greedy}}' + source: log.msgWithTTY + where: contains("log.msgWithTTY", "TTY=") || contains("log.msgWithTTY", 
"PWD=") || contains("log.msgWithTTY", "USER=") || contains("log.msgWithTTY", "COMMAND=") + + # ......................................................................# + # Using grok to parse msgAll + # ......................................................................# + - grok: + patterns: + - fieldName: log.commandType + pattern: '{{.data}}(\:)' + - fieldName: origin.user + pattern: '{{.data}}(\s)?(\:)' + - fieldName: log.irrelevant + pattern: '{{.data}}\)' + - fieldName: origin.command + pattern: '{{.greedy}}' + source: log.msgAll + where: contains("log.msgAll", "(command continued)") + + # ......................................................................# + # Removing unnecessary characters + # ......................................................................# + - trim: + function: suffix + substring: ";" + fields: + - log.tty + - log.pwd + - origin.user + - trim: + function: suffix + substring: ":" + fields: + - log.commandType + - origin.user + + # ......................................................................# + # if message.matches("\\w+\\[[0-9]+\\]\\:") to parse msgAll + # ......................................................................# + - grok: + patterns: + - fieldName: log.eventType + pattern: '{{.data}}\[' + - fieldName: log.pid + pattern: '{{.integer}}\]:' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msgAll + where: regexMatch("log.msgAll", "\\w+\\[[0-9]+\\]\\:") + + # ......................................................................# + # Removing unnecessary characters + # ......................................................................# + - trim: + function: suffix + substring: "[" + fields: + - log.eventType + - trim: + function: suffix + substring: "]:" + fields: + - log.pid + + # ......................................................................# + # Format where the LENGTH, SESSIONID, ENTRYID, STATEMENT, USERID, USERHOST, ACTION, RETURNCODE, OBJ$CREATOR, OBJ$NAME, and OS$USERID fields 
exist + # ......................................................................# + # if ("LENGTH" in [message] or "SESSIONID" in [message] or "ENTRYID" in [message] or "STATEMENT" in [message] or "USERID" in [message] or "USERHOST" in [message] or "ACTION" in [message] + # or "RETURNCODE" in [message] or "OBJ$CREATOR" in [message] or "OBJ$NAME" in [message] or "OS$USERID" in [message]) + # ......................................................................# + # Using grok to parse msg individual fields + # ......................................................................# + # If "LENGTH:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(LENGTH:)' + - fieldName: log.length + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "SESSIONID:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(SESSIONID:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: log.sessionID + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || 
contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "ENTRYID:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(ENTRYID:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: log.entryID + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "STATEMENT:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(STATEMENT:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: log.statement + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "USERID:" in [msg] + # 
......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(USERID:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: log.userID + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "USERHOST:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(USERHOST:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: log.userHost + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "ACTION:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(ACTION:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: action + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + 
where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "RETURNCODE:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(RETURNCODE:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: log.returnCode + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "OBJ$CREATOR:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(OBJ$CREATOR:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: log.objCreator + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || 
contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "OBJ$NAME:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(OBJ$NAME:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: log.objName + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # If "OS$USERID:" in [msg] + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '(OS$USERID:)' + - fieldName: log.irrelevant + pattern: '\[{{.data}}\]' + - fieldName: log.osUserID + pattern: '\"{{.data}}\"' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ...................................................................... + # Removing msg field + # ...................................................................... 
+ - delete: + fields: + - log.msg + where: contains("log.msg", "LENGTH:") || contains("log.msg", "SESSIONID:") || contains("log.msg", "ENTRYID:") || contains("log.msg", "STATEMENT:") || contains("log.msg", "USERID:") || contains("log.msg", "USERHOST:") || contains("log.msg", "ACTION:") || contains("log.msg", "RETURNCODE:") || contains("log.msg", "OBJ$CREATOR:") || contains("log.msg", "OBJ$NAME:") || contains("log.msg", "OS$USERID:") + + # ......................................................................# + # if ([msg]=~/from(.+)port/) + # ......................................................................# + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.greedy}}from(\s)' + - fieldName: origin.ip + pattern: '{{.ipv4}}' + - fieldName: log.irrelevant + pattern: '(port)' + - fieldName: origin.port + pattern: '{{.integer}}' + - fieldName: log.restMsg + pattern: '{{.greedy}}' + source: log.msg + where: regexMatch("log.msg", "from(.+)port") + + - grok: + patterns: + - fieldName: log.irrelevant + pattern: '{{.greedy}}from(\s)user(\s)' + - fieldName: origin.user + pattern: '{{.word}}' + - fieldName: origin.ip + pattern: '{{.ipv4}}' + - fieldName: log.irrelevant + pattern: '(port)' + - fieldName: origin.port + pattern: '{{.greedy}}' + source: log.msg + where: regexMatch("log.msg", "from(.+)port") + + # ......................................................................# + # if restmsg contains protocol SSH and SHA256 + # ......................................................................# + - grok: + patterns: + - fieldName: protocol + pattern: '{{.data}}(\:)' + - fieldName: log.sshKey + pattern: '{{.word}}' + - fieldName: log.irrelevant + pattern: '{{.data}}(\:)' + - fieldName: origin.sha256 + pattern: '{{.greedy}}' + source: log.restMsg + where: contains("log.restMsg", "ssh") && contains("log.restMsg", "SHA256") + + # ......................................................................# + # Fileds conversions + # 
......................................................................# + - cast: + fields: + - origin.port + to: int + + # ......................................................................# + # Removing unnecessary characters + # ......................................................................# + - trim: + function: suffix + substring: ':' + fields: + - log.eventType + - protocol + + # ......................................................................# + # Using grok to parse msgAll + # ......................................................................# + - grok: + patterns: + - fieldName: log.eventType + pattern: '{{.word}}(\:)' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msgAll + + - grok: + patterns: + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msgAll + + # ......................................................................# + # Using grok to parse msgInit + # ......................................................................# + - grok: + patterns: + - fieldName: log.eventType + pattern: '{{.word}}(\:)' + - fieldName: log.irrelevant + pattern: '{{.data}}(\[)' + - fieldName: log.pid + pattern: '{{.integer}}(\])' + - fieldName: log.msg + pattern: '{{.greedy}}' + source: log.msgInit + # ......................................................................# + + # ......................................................................# + # Removing unnecessary characters + # ......................................................................# + - trim: + function: suffix + substring: ':' + fields: + - log.eventType + + - trim: + function: suffix + substring: ']' + fields: + - log.pid + + # ......................................................................# + # Removing unnecessary characters + # ......................................................................# + - trim: + function: suffix + substring: '"' + fields: + - log.length + - log.sessionID + - log.entryID + - log.statement + - 
log.userID + - log.userHost + - action + - log.returnCode + - log.objCreator + - log.objName + - log.osUserID + + - trim: + function: prefix + substring: '"' + fields: + - log.length + - log.sessionID + - log.entryID + - log.statement + - log.userID + - log.userHost + - action + - log.returnCode + - log.objCreator + - log.objName + - log.osUserID + + # Adding geolocation to origin.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + + # Adding geolocation to target.ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: target.ip + destination: target.geolocation + where: exists("target.ip") + + # ..........................................................................# + # Remove issues fileds + # ..........................................................................# + - delete: + fields: + - log.irrelevant + - log.msgWithTTY + - log.msgAll + - log.msgInit + - log.restMsg + + + $$ + WHERE id = 1525; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210007_update_filter_o365.xml b/backend/src/main/resources/config/liquibase/changelog/20260210007_update_filter_o365.xml new file mode 100644 index 000000000..91ca908e5 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260210007_update_filter_o365.xml @@ -0,0 +1,124 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210008_update_filter_windows_events.xml b/backend/src/main/resources/config/liquibase/changelog/20260210008_update_filter_windows_events.xml new file mode 100644 index 000000000..aaf4e3d46 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260210008_update_filter_windows_events.xml @@ -0,0 +1,2998 @@ + + + + + + + + + + \ No newline at end of file 
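Review bot: The grok under `# Checking that the message contains Message forwarded from` spells the key `fildName` instead of `fieldName` for its first pattern, so that entry carries no field name and the split of `log.msgInit` into `from.host` and `log.msgAll` is unlikely to apply as intended; change it to `- fieldName: log.irrelevant`. Separately, each of the four groks that parse `log.msgWithTTY` guards on all four substrings (`TTY=`, `PWD=`, `USER=`, `COMMAND=`) while its first pattern is a fixed literal for only one of them, so the comment `If "TTY=" in [msgWithTTY]` does not match the `where`; narrowing each guard to the substring it actually parses, e.g. `where: contains("log.msgWithTTY", "TTY=")`, makes the intent explicit and avoids running a grok that cannot match. Note also that `origin.command` retains the full command line from these sudo-style messages, and that the last grok in the SSH block stores a key fingerprint in `origin.sha256`; a one-line comment above each stating what the field holds would help anyone writing rules against them.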
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260210009_update_data_input_status_checkpoint.xml b/backend/src/main/resources/config/liquibase/changelog/20260210009_update_data_input_status_checkpoint.xml new file mode 100644 index 000000000..ed77c3aae --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260210009_update_data_input_status_checkpoint.xml @@ -0,0 +1,20 @@ + + + + + + + + + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml b/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml new file mode 100644 index 000000000..d7257df07 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260211001_update_filter_bit_defender.xml 
@@ -0,0 +1,287 @@ + + + + + + + ' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.notDefined + pattern: '{{.integer}}' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.hostId + pattern: '{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}' + - fieldName: log.processPid + pattern: '\[{{.integer}}\]' + - fieldName: log.1trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.hostId + pattern: '{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}' + - fieldName: log.processPid + pattern: '\[{{.integer}}\]' + - fieldName: log.1trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.syslogHostIP + pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: 
'\<{{.data}}\>' + - fieldName: log.syslogVersion + pattern: '{{.integer}}' + - fieldName: log.syslogDeviceTime + pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.syslogPriority + pattern: '\<{{.data}}\>' + - fieldName: log.0trash + pattern: '{{.word}}\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + - grok: + patterns: + - fieldName: log.cefVersion + pattern: 'CEF\:{{.integer}}' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: raw + + # Using grok to parse components of the cef_message + - grok: + patterns: + - fieldName: log.productVendor + pattern: '\|{{.data}}\|' + - fieldName: log.product + pattern: '{{.data}}\|' + - fieldName: log.productVersion + pattern: '{{.data}}\|' + - fieldName: log.signatureID + pattern: '{{.data}}\|' + - fieldName: log.eventType + pattern: '{{.data}}\|' + - fieldName: log.severity + pattern: '{{.data}}\|' + - fieldName: log.restData + pattern: '{{.greedy}}' + source: log.restData + + # Using grok to parse kv issued fields with space + - grok: + patterns: + - fieldName: log.2trash + pattern: '{{.data}}dvc=' + - fieldName: log.dvcToParse + pattern: '{{.data}}{{.word}}\=' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + - grok: + patterns: + - fieldName: log.2trash + pattern: '{{.data}}request=' + - fieldName: log.requestToParse + pattern: '{{.data}}{{.word}}\=' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.restData + + # Applying grok to remove unnecessary data + - grok: + patterns: + - fieldName: log.deviceIps + pattern: '{{.greedy}}{{.space}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.dvcToParse + + - grok: + patterns: + - fieldName: log.requested + pattern: '{{.greedy}}{{.space}}' + - fieldName: log.irrelevant + pattern: '{{.greedy}}' + source: log.requestToParse + + # Using the 
kv filter with default config, usefull in key-value logs + - kv: + fieldSplit: " " + valueSplit: "=" + source: log.restData + + # Renaming useful fields + - rename: + from: + - log.spt + to: origin.port + + - rename: + from: + - log.src + to: origin.ip + + - rename: + from: + - log.sproc + to: origin.path + + - rename: + from: + - log.filePath + to: origin.path + + # Removing unnecessary characters + - trim: + function: prefix + substring: '|' + fields: + - log.productVendor + + - trim: + function: suffix + substring: '|' + fields: + - log.productVendor + - log.product + - log.productVersion + - log.signatureID + - log.eventType + - log.severity + + - trim: + function: prefix + substring: '<' + fields: + - log.syslogPriority + + - trim: + function: suffix + substring: '>' + fields: + - log.syslogPriority + + - trim: + function: prefix + substring: '[' + fields: + - log.processPid + + - trim: + function: suffix + substring: ']' + fields: + - log.processPid + + # Adding geolocation to origin ip + - dynamic: + plugin: com.utmstack.geolocation + params: + source: origin.ip + destination: origin.geolocation + where: exists("origin.ip") + + # Reformat and field conversions + - cast: + fields: + - origin.port + to: int + + # Removing unused fields + - delete: + fields: + - log.0trash + - log.1trash + - log.2trash + - log.restData + - log.irrelevant + - log.spt + - log.src + - log.sproc + - log.filePath + - log.dvc + - log.request + - log.dvcToParse + - log.cefVersion + $$ + WHERE id = 1514; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml b/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml new file mode 100644 index 000000000..50ae828bb --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260211002_update_utm_correlation_seq.xml @@ -0,0 +1,16 @@ + + + + + + + + + + \ No newline at end of file 
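Review bot: The final `delete` drops `log.dvcToParse` but not its sibling intermediate `log.requestToParse`, so the raw request fragment stays on the event alongside the cleaned `log.requested`; add `- log.requestToParse` to the delete list (and `log.notDefined`, if that integer from the first syslog grok is only a placeholder). The seven groks against `raw` at the top of the pipeline have no `where` guard, so each runs unconditionally and later ones write the same `log.syslogPriority` and `log.restData` fields; if the engine leaves fields untouched on a failed match this is fine, but a short comment stating that intended behaviour would help the next maintainer. The two `rename` steps that map both `log.sproc` and `log.filePath` to `origin.path` also mean the second silently overwrites the first when both keys are present, which is worth a comment if it is deliberate.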
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml b/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml new file mode 100644 index 000000000..44e923b60 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20260211003_update_filter_netflow.xml @@ -0,0 +1,295 @@ + + + + + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql b/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql new file mode 100644 index 000000000..60df0f5c3 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql 
@@ -0,0 +1,12942 @@ +TRUNCATE TABLE utm_correlation_rules RESTART IDENTITY CASCADE; +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (1, 'Antivirus Service Stopped or Disabled', 2, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when the Bitdefender antivirus service or critical security modules are stopped, disabled, or experiencing failures. This is a critical security event that could indicate malicious tampering or system issues. + +Next Steps: +- Verify if the service was intentionally stopped by authorized personnel +- Check system logs for any errors or crashes that may have caused the service to stop +- Look for signs of malware or unauthorized access attempts around the time of the event +- Review recent system changes or updates that might have affected the antivirus service +- If tampering is suspected, isolate the affected system and perform a forensic analysis +- Restart the Bitdefender service and ensure all modules are functioning properly +- Monitor for recurring issues that might indicate persistent threats +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', '(equals("log.eventType", "modules") || + equals("log.eventType", "Product ModulesStatus") || + equals("log.eventType", "registration")) && +(oneOf("log.severity", ["high", "5"]) || + contains("log.product", "disabled") || + contains("log.product", "stopped") || + (contains("log.restData", "module") && contains("log.restData", "stopped")) || + (contains("log.restData", "module") && contains("log.restData", "disabled")) || + (contains("log.restData", "av") && contains("log.restData", 
"failure"))) +', '2026-02-09 16:28:45.181415', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.hostId"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (2, 'Bitdefender AV Policy Weakened', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when Bitdefender GravityZone antivirus policies are weakened by administrators, such as disabling real-time protection, reducing scan aggressiveness, or adding broad exclusions. This could indicate a compromised admin account or insider threat. + +Next Steps: +1. Identify the administrator who modified the policy +2. Verify the policy change was authorized through change management +3. Review the specific settings that were weakened +4. Check for concurrent suspicious activity on managed endpoints +5. Restore the previous policy configuration if unauthorized +6. 
Review admin account access logs for compromise indicators +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', '(contains("log.message", ["policy", "configuration", "setting"]) && + (contains("log.message", ["disabled", "weakened", "reduced", "lowered", "excluded"]) || + (contains("log.message", "real-time") && contains("log.message", "off")) || + (contains("log.message", "exclusion") && contains("log.message", "added")) || + (contains("log.message", "protection") && contains("log.message", "disabled")))) && +exists("log.severity") +', '2026-02-09 16:28:45.307390', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.eventType","lastEvent.log.hostId"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (3, 'Bootkit/UEFI Threat Detection', 3, 3, 3, 'Defense Evasion, Persistence', 'T1542.001 - Boot or Logon Autostart Execution: System Firmware', 'Detects bootkit or UEFI-level threats that attempt to persist at the firmware level and compromise the boot process. These threats can survive system reinstalls and bypass traditional security measures by infecting the system firmware. 
+ +Next Steps: +- Isolate the affected system immediately to prevent spread +- Review system boot logs and firmware settings for modifications +- Check for other malware detections on the same host in the past 24-48 hours +- Verify system integrity using offline scanning tools +- Consider reimaging the system and updating firmware/UEFI +- Enable Secure Boot if not already enabled +- Review user activity and recently installed software on the affected system +- Document the infection for incident response reporting +- Check if other systems with similar hardware/firmware versions are affected +', '["https://attack.mitre.org/techniques/T1542/001/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', 'equals("log.eventType", "av") && +greaterOrEqual("log.severity", 8) && +( + contains("log.requested", ["boot", "uefi", "rootkit", "firmware"]) || + contains("log.restData", ["boot", "uefi", "rootkit", "firmware", + "\\EFI\\", "/EFI/", "\\boot\\", "/boot/"]) +) +', '2026-02-09 16:28:45.432145', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.severity"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (4, 'Bitdefender Console Used for Lateral Movement', 3, 3, 3, 'Lateral Movement', 'T1072 - Software Deployment Tools', 'Detects when the Bitdefender GravityZone management console is potentially being used to push malicious policies, scripts, or tasks to managed endpoints, indicating a compromised admin account being leveraged for lateral movement. + +Next Steps: +1. Review all recent task and policy deployments from the console +2. Identify the admin account used and verify its legitimacy +3. 
Check for unusual login patterns to the GravityZone console +4. Review the content of pushed policies for malicious configurations +5. Suspend the admin account if compromise is suspected +6. Audit all managed endpoints for signs of compromise +', '["https://attack.mitre.org/techniques/T1072/","https://www.bitdefender.com/business/support/en/77212-237089-event-types.html"]', '(contains("log.message", ["remote task", "deploy", "push policy", "execute script"]) || + (contains("log.message", "task") && contains("log.message", "created") && + (contains("log.message", "scan") || contains("log.message", "install") || + contains("log.message", "uninstall") || contains("log.message", "execute")))) && +exists("log.severity") +', '2026-02-09 16:28:45.567103', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.eventType","lastEvent.log.hostId"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (5, 'Advanced Persistent Threat (APT) Detection', 3, 3, 2, 'Command and Control', 'TA0011 - Application Layer Protocol', 'Detects indicators of Advanced Persistent Threats including targeted attacks, sophisticated malware, and persistent threats detected by Bitdefender GravityZone''s HyperDetect module. 
+ +Next Steps: +- Investigate the affected endpoint to determine the scope of compromise +- Review process execution history and network connections from the affected system +- Check for lateral movement by examining authentication logs from the same source IP +- Isolate the affected system if active threat is confirmed +- Collect forensic artifacts including memory dumps and event logs +- Search for similar malware indicators across the environment +- Review user account activities for signs of credential compromise +- Contact security operations center if threat actors match known APT groups +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/tactics/TA0011/"]', 'equals("log.product", "Bitdefender GravityZone") && +greaterOrEqual("log.severity", 8) && +( + contains("log.eventType", ["apt", "targeted", "advanced", "persistent", "hyperdetect"]) || + contains("log.restData", ["apt", "targeted attack", "advanced persistent", + "lazarus", "equation", "sofacy", "cozy bear", "fancy bear", + "panda", "kitten", "carbanak", "fin7", "fileless"]) || + equals("log.signatureID", "hyperdetect") +) && +exists("log.hostId") +', '2026-02-09 16:28:45.697226', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.hostId"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (6, 'Crypto-Mining Detection', 2, 2, 3, 'Impact', 'T1496 - Resource Hijacking', 'Detects cryptocurrency mining activities including miners, coin miners, and cryptojacking attempts detected by Bitdefender GravityZone. 
+ +Next Steps: +- Review the affected endpoint details (hostname, IP) to identify the compromised system +- Check CPU and memory usage patterns on the affected system for unusual spikes +- Look for network connections to known mining pools or suspicious outbound traffic +- Search for related processes running with names like xmrig, minerd, cgminer, or bfgminer +- Review recent file downloads and installations on the affected system +- Check for persistence mechanisms (scheduled tasks, startup items, services) +- Isolate the affected system if active mining is confirmed +- Run a full system scan with updated definitions +- Consider reimaging the system if compromise is extensive', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1496/"]', 'equals("log.productVendor", "Bitdefender") && +equals("log.product", "GravityZone") && +( + contains("log.eventType", ["miner", "coin", "crypto", "CoinMiner"]) || + contains("log.requested", ["miner", "coin", "xmr", "monero", "bitcoin", + "ethereum", "xmrig", "minerd", "cgminer", "bfgminer", "coinhive"]) +) +', '2026-02-09 16:28:45.842442', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (7, 'Email-Based Threat Spreading', 3, 3, 2, 'Initial Access', 'T1566 - Phishing', 'Detects email-based malware spreading including phishing attempts, malicious attachments, and email-borne threats through Bitdefender''s Exchange protection. This rule triggers on Exchange-specific malware events and monitors for patterns of email-based threats. + +Next Steps: +1. 
Investigate the affected email and sender: + - Check the sender''s email address and domain reputation + - Review email headers for spoofing indicators + - Analyze attachment hash values if present in log.restData + - Check log.severity for threat level assessment +2. Review related events: + - Look for similar events from the same sender or to other recipients + - Check if the email was delivered or blocked + - Verify if any users clicked links or opened attachments + - Search for the same signatureID across other hosts +3. Remediation actions: + - If delivered, recall the email from all recipients immediately + - Reset credentials if phishing was successful + - Block sender domain/IP at email gateway + - Update email security policies if needed + - Scan affected endpoints for malware if attachments were opened + - Update Bitdefender Exchange protection rules +4. Investigation commands: + - Check host status: Verify log.hostId endpoint protection status + - Review product version: Ensure log.productVersion is up to date + - Analyze event patterns: Look for unusual log.eventType combinations +', '["https://attack.mitre.org/techniques/T1566/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', 'oneOf("log.eventType", ["exchange-malware", "exchange-user-credentials", "exchange-organization-info"]) || +(contains("log.eventType", "exchange") && equals("log.severity", "High")) || +(contains("log.product", "Exchange") && contains("log.eventType", ["malware", "phishing"])) +', '2026-02-09 16:28:45.976907', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (8, 
'Fileless Malware Detection', 2, 2, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects fileless malware attacks including PowerShell-based attacks, memory injection, and living-off-the-land techniques using Bitdefender GravityZone''s HyperDetect and Command-Line Scanner modules. These attacks execute malicious code directly in memory without writing to disk, making them harder to detect with traditional antivirus. + +Next Steps: +- Isolate the affected endpoint immediately to prevent lateral movement +- Review process tree to identify the parent process and initial attack vector +- Check for PowerShell command history and script blocks (Event ID 4104) +- Look for suspicious WMI activity or unusual process spawning patterns +- Examine network connections from the affected process +- Collect memory dump if the process is still running +- Review user activity to determine if account is compromised +- Apply security patches if exploitation of vulnerability is suspected +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1055/","https://www.bitdefender.com/en-us/business/gravityzone-platform/fileless-attack-defense"]', 'oneOf("log.eventType", ["fileless_attack", "hyperdetect_fileless", "command_line_scanner"]) || +( + equals("log.eventType", "malware_detected") && + contains("log.restData", ["fileless", "memory injection", "powershell", + "wscript", "cscript", "mshta", "regsvr32", "rundll32"]) +) || +( + oneOf("log.severity", ["HIGH", "CRITICAL"]) && + contains("log.restData", "code injection") +) +', '2026-02-09 16:28:46.092180', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.hostId"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, 
rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (9, 'Bitdefender GravityZone High Severity Threat Detection', 3, 3, 2, 'Execution', 'T1204.002 - User Execution: Malicious File', 'Detects high-severity malware threats identified by Bitdefender GravityZone that require immediate attention. This rule triggers on severity levels 8-10, which indicate critical threats such as trojans, ransomware, rootkits, or other advanced malware. + +Next Steps: +1. Immediately isolate the affected endpoint(s) from the network to prevent lateral movement +2. Review the threat details in Bitdefender GravityZone console: + - Check threat name and malware type from the event details + - Verify the affected file path and process information + - Review the action taken by Bitdefender (quarantine, delete, etc.) +3. Investigate the source of infection: + - Check origin.ip and origin.path for the malware source + - Review recent user activity and email attachments + - Look for similar threats on other endpoints +4. Perform forensic analysis: + - Collect memory dumps if rootkit or fileless malware is suspected + - Check for persistence mechanisms (registry, scheduled tasks, services) + - Review network connections from the affected host +5. 
Remediation actions: + - Ensure Bitdefender has successfully cleaned/quarantined the threat + - Run full system scan on affected and neighboring systems + - Update antivirus signatures and security policies + - Consider reimaging if system integrity is compromised +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1204/002/","https://attack.mitre.org/techniques/T1055/"]', 'oneOf("log.severity", ["8", "9", "10"]) && oneOf("log.eventType", ["avc", "malware_detected", "av"])', '2026-02-09 16:28:46.176247', true, false, 'origin', null, '[]', '["lastEvent.log.signatureID","lastEvent.log.syslogHostIP"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (149, 'Azure Global Administrator Role Addition to PIM User', 3, 3, 3, 'Persistence', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects when users are granted Global Administrator (Company Administrator) role assignments through Azure AD/Entra ID Privileged Identity Management (PIM). + +**Security Context:** +The Global Administrator role is the most powerful administrative role in Azure AD/Entra ID, granting complete control over all aspects of the directory and services that use Azure AD identities. PIM enables just-in-time privileged access through eligible (requires activation) or time-bound assignments. Adversaries who gain sufficient privileges may add themselves or other compromised accounts to this role to establish persistence and maintain full administrative control over the tenant. + +**Detection Logic:** +This rule monitors AuditLogs for successful PIM role assignments specifically for the Global Administrator role. 
It detects both: +- **Eligible assignments (permanent)**: User can activate the role when needed +- **Active assignments (time-bound)**: Role is directly active for a specified duration + +The rule identifies these assignments through the operation names and filters for the Global Administrator role specifically. + +**Investigation Steps:** +1. Identify the assignor: Check log.propertiesInitiatedBy for who made the role assignment +2. Identify the assignee: Examine log.propertiesTargetResources for the user receiving the role +3. Verify authorization: Confirm if this assignment was part of approved privileged access request +4. Check assignment type: Determine if it''s eligible (requires activation) or time-bound (direct) +5. Review duration: For time-bound assignments, check the duration of the assignment +6. Analyze timing: Determine if assignment follows suspicious authentication or compromise indicators +7. Review justification: Check if a business justification was provided in log.propertiesAdditionalDetails +8. Check user history: Review the assignee''s account for recent suspicious activity +9. Examine recent actions: Look for privileged operations performed immediately after assignment +10. 
Correlate with sign-ins: Check for unusual authentication patterns before/after assignment + +**Recommended Actions:** +- If unauthorized, immediately revoke the Global Administrator role assignment +- Review all recent PIM role assignments for anomalies +- Enable PIM approval workflows for Global Administrator role assignments +- Implement maximum assignment duration limits for time-bound assignments +- Require MFA and justification for all Global Administrator activations +- Enable PIM alerts for high-privilege role assignments +- Audit accounts with Privileged Role Administrator permissions +- Review and limit the number of permanent Global Administrator assignments +- Enable Azure AD Identity Protection to detect compromised credentials +- Implement break-glass emergency access accounts following best practices + +**PIM Assignment Types:** +- **Eligible (permanent)**: User must activate the role when needed, typically with MFA and justification +- **Active (time-bound)**: Role is directly assigned for a limited duration without activation required +- Both types should be monitored as adversaries may use either for persistence + +**Common Attack Patterns:** +- Compromised Privileged Role Administrator adding backdoor accounts +- Insider threat establishing persistent administrative access +- Privilege escalation from lower-privilege administrative roles +- Adding service principals or managed identities to Global Administrator role +- Creating long-duration time-bound assignments for sustained access + +**MITRE ATT&CK Reference:** T1098.001 - Account Manipulation: Additional Cloud Credentials + +**Azure Documentation:** +- AuditLogs table: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs +- PIM for Azure AD roles: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure +', 
'["https://attack.mitre.org/techniques/T1098/001/","https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs","https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure","https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator"]', 'equalsIgnoreCase("log.category", "AuditLogs") && +(equals("log.resultType", "0") || equalsIgnoreCase("actionResult", "SUCCESS")) && +(contains("log.operationName", "Add eligible member to role") || contains("log.operationName", "Add member to role")) && +(contains("log.properties.targetResources.displayName", "Global Administrator") || contains("log.properties.targetResources.displayName", "Company Administrator")) +', '2026-02-09 16:31:20.596213', true, false, 'target', null, '[]', '["target.ip","target.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (10, 'Memory-Based Threat Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects memory-based threats including process injection, memory manipulation, and fileless malware executing in memory based on Bitdefender GravityZone event types. + +Next Steps: +1. Identify the affected process and host using log.hostId and origin.path fields +2. Check if the process is legitimate or if it shows signs of compromise +3. Review the process tree to identify parent-child relationships +4. Look for other suspicious activities on the same host in the last hour +5. Collect memory dump if the process is still running +6. Analyze network connections from the affected process +7. Check for persistence mechanisms on the affected system +8. 
Isolate the host if active malicious behavior is confirmed +', '["https://attack.mitre.org/techniques/T1055/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', 'exists("log.eventType") && +(oneOf("log.eventType", ["aph", "antiexploit", "hd"]) || + (exists("origin.path") && contains("origin.path", "memory"))) && +(oneOf("log.severity", ["critical", "high"]) || + exists("log.malwareName") || + exists("log.threatName")) +', '2026-02-09 16:28:46.350884', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","adversary.path"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (11, 'Malware Outbreak Detection - Multiple Hosts Infected', 3, 3, 3, 'Command and Control', 'T1105 - Ingress Tool Transfer', 'Detects when the same malware signature or threat is detected on multiple endpoints within a short time window. This pattern indicates a potential malware outbreak spreading across the network environment. + +Next Steps: +1. Immediately isolate affected endpoints to prevent further spread +2. Identify the malware signature ID and research its capabilities and impact +3. Check network logs for lateral movement patterns between infected hosts +4. Review the initial infection vector - check email logs, web proxy logs, and USB device usage +5. Verify antivirus definitions are up-to-date on all endpoints +6. Conduct memory and disk forensics on patient zero if identifiable +7. Check for persistence mechanisms on infected systems +8. Review domain controller and authentication logs for credential compromise +9. Document all affected systems and timeline for incident response +10. 
Consider engaging incident response team if outbreak involves critical systems +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1105/"]', 'equals("log.eventType", "AntiMalware") && +oneOf("log.severity", ["4", "5"]) && +exists("log.signatureID") && +exists("log.syslogHostIP") +', '2026-02-09 16:28:46.496449', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.signatureID","operator":"filter_term","value":"{{log.signatureID}}"},{"field":"log.eventType","operator":"filter_term","value":"AntiMalware"}],"or":null,"within":"now-2h","count":10}]', '["lastEvent.log.signatureID","lastEvent.log.syslogHostIP"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (12, 'Multiple Malware Detections from Single Source', 3, 3, 2, 'Command and Control', 'T1105 - Ingress Tool Transfer', 'Detects when multiple malware threats are detected on a single host within a short time period. This could indicate a compromised system actively spreading malware or an attacker launching multiple malware variants. + +Next Steps: +1. Investigate the affected host: + - Identify the system using the hostId field + - Check if it''s a critical system or server + - Review recent user activity on the host +2. Analyze the detected malware: + - Review the malware types and names detected (signatureID field) + - Check file paths and processes involved + - Determine if malware was successfully quarantined +3. 
Check for lateral movement: + - Look for connections from the affected host to other internal systems + - Review authentication logs for suspicious activity + - Check for file share access patterns +4. Remediation actions: + - Isolate the affected system if confirmed compromised + - Run full system scans on potentially affected systems + - Update antivirus signatures and definitions + - Consider reimaging if system is severely compromised +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1105/"]', 'equals("log.eventType", "AntiMalware") && +oneOf("log.severity", ["4", "5"]) && +exists("log.hostId") +', '2026-02-09 16:28:46.621867', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"},{"field":"log.eventType","operator":"filter_term","value":"AntiMalware"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (13, 'Network-Based Threat Detection', 3, 2, 3, 'Command and Control', 'T1071 - Application Layer Protocol: Command and Control', 'Detects network-based threats including C2 communications, malicious network activity, and suspicious network connections identified by Bitdefender GravityZone. + +Next Steps: +1. Identify the affected host using log.hostId and check for other security events from this system +2. Review origin.ip to determine if it''s a known malicious IP or C2 server +3. Check firewall logs for any blocked or allowed connections to/from the suspicious IP +4. 
Investigate running processes on the affected host for signs of malware +5. Review network traffic patterns for data exfiltration attempts +6. If ransomware is detected, immediately isolate the affected system +7. Collect network packet captures if available for deeper analysis +8. Check if other hosts have communicated with the same external IP address +9. Submit suspicious IPs to threat intelligence platforms for reputation checking +10. Document findings and update firewall rules to block confirmed malicious IPs +', '["https://attack.mitre.org/techniques/T1071/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', '(oneOf("log.eventType", ["network-sandboxing", "fw"]) && + oneOf("log.severity", ["high", "critical", "4", "5"])) || +(exists("origin.ip") && contains("log.eventType", "network") && + contains("log.restData", ["malware", "threat", "blocked", "c2", "botnet"])) || +(equals("log.severity", "critical") && contains("log.product", "network")) +', '2026-02-09 16:28:46.751926', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"},{"field":"log.eventType","operator":"filter_term","value":"network-sandboxing"}],"or":null,"within":"now-4h","count":3}],"within":"now-2h","count":5}]', '["lastEvent.log.hostId","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (24, 'Deception API Call Tracking', 2, 2, 1, 'Execution', 'T1106 - Native API', 'Tracks suspicious API calls made to decoy 
services or endpoints. This behavior indicates an attacker is attempting to interact with what they believe are legitimate services but are actually deception assets. + +Next Steps: +- Review the source IP address and check if it''s from a known legitimate source +- Examine the API endpoint accessed and the HTTP method used +- Look for other activity from the same IP address across all log sources +- Check if the source IP has accessed multiple decoy endpoints (indicating reconnaissance) +- Investigate any authentication tokens or credentials used in the API calls +- Consider blocking the source IP if malicious intent is confirmed +- Document the attack pattern for threat intelligence sharing +', '["https://attack.mitre.org/techniques/T1106/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "api_call") && equals("log.isDecoy", "true") && exists("log.httpMethod") && exists("origin.ip")', '2026-02-09 16:28:48.236834', true, false, 'origin', null, '[]', '["lastEvent.log.apiEndpoint","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (14, 'Bitdefender GravityZone Quarantine Failure Detection', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when Bitdefender GravityZone fails to quarantine detected malware. This could indicate that the malware is actively resisting remediation attempts or that there are permission issues preventing proper quarantine. 
+ +Next Steps: +- Immediately isolate the affected system from the network +- Check if the malware process is still running and attempt manual termination +- Verify antivirus permissions and ensure it has necessary privileges +- Review system logs for signs of privilege escalation or rootkit activity +- Consider reimaging the system if quarantine continues to fail +- Check for similar failures on other systems in the environment +- Investigate the specific malware detected and research its capabilities +- Review quarantine configuration and storage capacity +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', 'oneOf("log.eventType", ["quarantine_failed", "quarantine_failure"]) || +(equals("log.eventType", "AntiMalware") && + (containsAll("log.requestToParse", ["quarantine", "fail"]) || + contains("log.restData", ["quarantine failed", "unable to quarantine", "failed to quarantine"]) || + (equals("log.severity", "failure") && contains("log.requestToParse", "quarantine")))) +', '2026-02-09 16:28:46.891407', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (15, 'Ransomware Behavior Detection', 3, 3, 3, 'Impact', 'T1486 - Data Encrypted for Impact', 'Detects ransomware behavior patterns including file encryption attempts, mass file modifications, and ransomware-specific malware types detected by Bitdefender GravityZone. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent spread +2. Check for recent backup availability and integrity +3. 
Review process execution history on the affected host +4. Look for suspicious file modifications or mass encryption activities +5. Check for ransomware notes or changed file extensions +6. Investigate the source of infection (email attachments, downloads, RDP compromise) +7. Scan other systems for similar indicators +8. Consider engaging incident response team for containment and recovery +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1486/"]', '(contains("log.message", ["ransomware", "ransom", "locky", "cerber", + "wannacry", "petya", "ryuk", "sodinokibi", "maze"]) || + contains("log.signatureID", "ransomware") || + (equals("log.severity", "10") && contains("log.eventType", "malware"))) && +exists("log.severity") +', '2026-02-09 16:28:47.031671', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"}],"or":null,"within":"now-10m","count":5}]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (16, 'Real-time Protection Disabled', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when real-time protection features are disabled on an endpoint. This is a critical security event as it leaves the system vulnerable to malware infections and requires immediate investigation. + +Next Steps: +1. Immediately investigate who disabled the real-time protection and why +2. Check if the action was authorized by IT security team +3. Review recent activity on the affected endpoint for signs of compromise +4. 
Re-enable real-time protection if the action was unauthorized +5. Check for any malware infections that may have occurred while protection was disabled +6. Review system logs for any suspicious activities during the protection downtime +7. Consider implementing additional controls to prevent unauthorized disabling of security tools +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', 'exists("log.syslogHostIP") && +( + (equals("log.eventType", "modules") && + equals("log.product", "av") && + contains("log.restData", "real-time")) || + (equals("log.eventType", "Product ModulesStatus") && + oneOf("log.severity", ["4", "5"]) && + (contains("log.restData", "protection disabled") || + contains("log.restData", "real-time scanning disabled"))) +) +', '2026-02-09 16:28:47.155607', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.syslogHostIP"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (17, 'Rootkit Detection', 3, 3, 2, 'Defense Evasion', 'T1014 - Rootkit', 'Detects rootkit infections and kernel-level threats that attempt to hide malicious activity at the system level using Bitdefender GravityZone''s advanced detection capabilities. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent lateral movement +2. Capture a memory dump and disk image for forensic analysis +3. Check for signs of privilege escalation or kernel-level modifications +4. Review system logs for any suspicious driver installations or kernel module loading +5. Scan other systems in the same network segment for similar infections +6. 
Consider rebuilding the system from a known clean state as rootkits can be difficult to fully remove +7. Review how the rootkit was initially delivered (email attachment, exploit kit, etc.) +8. Update all security software and operating system patches +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1014/"]', 'equals("log.eventType", "malware_detected") && +oneOf("log.severity", ["high", "critical"]) && +( + contains("log.restData", ["rootkit", "kernel", "tdss", "zeroaccess", + "necurs", "bootkit", "alureon", "rustock", "sinowal"]) || + contains("log.requested", "rootkit") || + equals("log.signatureID", "rootkit") +) +', '2026-02-09 16:28:47.296159', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.signatureID"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (18, 'Bitdefender GravityZone Suspicious Exclusion Added', 3, 3, 1, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when exclusions are added to Bitdefender GravityZone that may allow malware to operate undetected. Attackers often add exclusions to antivirus software to prevent detection of their malicious tools and activities. + +Next Steps: +1. Review the exclusion details to determine what files, folders, or processes were excluded +2. Verify if the exclusion was authorized by security team or IT administrators +3. Check if the excluded path contains any suspicious executables or scripts +4. Review recent activity from the user who added the exclusion +5. If unauthorized, immediately remove the exclusion and scan the excluded locations +6. 
Consider implementing a change control process for antivirus exclusions +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1562/001/"]', 'equals("log.eventType", "exclusion_added") || +(oneOf("log.eventType", ["policy_change", "configuration_change"]) && + contains("log.requested", "exclusion")) +', '2026-02-09 16:28:47.446530', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","lastEvent.log.hostId"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (192, 'AWS GuardDuty Detector Deletion', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html","https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"]', 'equals("log.eventSource", "guardduty.amazonaws.com") && +equals("log.eventName", "DeleteDetector") +', '2026-02-09 16:32:23.040735', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (19, 'USB-Based Malware Propagation', 3, 3, 2, 'Lateral Movement, Initial Access', 'T1091 
- Replication Through Removable Media', 'Detects USB-based malware propagation attempts including autorun infections, removable media threats, and device control violations. This rule monitors for device control events and removable media access patterns that may indicate malware attempting to spread via USB devices. + +Next Steps: +1. Isolate the affected endpoint immediately to prevent further spread +2. Check device control logs for unauthorized USB device connections +3. Scan all removable media that were connected to the affected system +4. Review file creation/modification events on removable drives (especially autorun.inf) +5. Verify if similar events occurred on other endpoints in the network +6. Update device control policies to restrict USB usage if necessary +7. Consider implementing USB device whitelisting for critical systems +', '["https://attack.mitre.org/techniques/T1091/","https://www.bitdefender.com/business/support/en/77209-135324-event-types.html"]', '(oneOf("log.eventType", ["device-control", "dp"]) && + (contains("log.restData", ["malware", "threat", "infection", "autorun", "suspicious"]) || + oneOf("log.severity", ["high", "critical", "4", "5"]))) || +(contains("log.requested", ["usb", "removable", "autorun"]) && + contains("log.restData", ["malware", "threat", "infection"])) +', '2026-02-09 16:28:47.571150', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-bitdefender-gz-*","with":[{"field":"log.hostId","operator":"filter_term","value":"{{log.hostId}}"}],"or":null,"within":"now-30m","count":5}]', '["lastEvent.log.eventType","lastEvent.log.hostId"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (20, 'Bitdefender GravityZone Zero-Day 
Malware Detection', 3, 3, 2, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects potential zero-day malware identified by Bitdefender''s advanced threat detection capabilities including HyperDetect and Sandbox Analyzer. These detection methods use behavioral analysis and machine learning to identify previously unknown threats. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent lateral movement +2. Review the detection details including file path, process information, and threat indicators +3. Check if similar detections occurred on other systems in the environment +4. Collect the suspicious file/process for further analysis in a sandbox environment +5. Review system logs for any suspicious activities before and after the detection +6. Update security policies to block similar threats across the organization +7. Consider submitting the sample to Bitdefender for further analysis +', '["https://www.bitdefender.com/business/support/en/77212-237089-event-types.html","https://attack.mitre.org/techniques/T1203/"]', 'oneOf("log.eventType", ["HyperDetect Activity", "Sandbox Analyzer Detection", "hyperdetect"]) || +(equals("log.eventType", "avc") && equals("log.severity", "High")) +', '2026-02-09 16:28:47.700896', true, false, 'origin', null, '[]', '["lastEvent.log.hostId","lastEvent.log.syslogHostIP"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (21, 'Advanced Threat Tactic Identification', 3, 3, 3, 'Advanced Persistent Threat', 'Multiple Tactics', 'Detects advanced threat tactics including initial access, execution, and persistence techniques by monitoring deception environment interactions and behavioral patterns. 
This rule triggers when deceptive assets are accessed with high behavior scores indicating sophisticated attack patterns. + +Next Steps: +1. Immediately isolate the affected endpoint(s) associated with the source IP +2. Review the specific tactic name to understand the attack phase (initial access, execution, persistence, etc.) +3. Check all deception assets that were triggered to map the attacker''s movement +4. Analyze the behavior score details to understand the sophistication level +5. Look for related alerts from the same source IP across different systems +6. Collect forensic data from the endpoint before any remediation +7. Review authentication logs for any credential abuse from this source +8. Check network logs for lateral movement attempts +9. Update security controls to block the identified tactics +10. Consider deploying additional deception assets in the path of the attacker +', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/tactics/TA0002/","https://attack.mitre.org/tactics/TA0003/"]', 'equals("log.eventType", "advanced_threat_detected") && +equals("log.threatLevel", "critical") && +(oneOf("log.tacticName", ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion"])) && +equals("log.deceptionTriggered", true) && +greaterOrEqual("log.behaviorScore", 80) +', '2026-02-09 16:28:47.842316', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.tacticName","operator":"filter_term","value":"{{log.tacticName}}"}],"or":null,"within":"now-15m","count":3}]', '["lastEvent.log.tacticName","lastEvent.log.threatLevel","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, 
rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (22, 'Criminal Group Signatures', 3, 3, 2, 'Organized Crime Activity', 'Criminal Group TTPs', 'Identifies attack signatures and behavioral patterns associated with known criminal groups including ransomware operators, financial crime syndicates, and organized cybercrime operations. Deception technology detects malicious activity by monitoring interactions with decoy assets that should never be accessed in legitimate workflows. + +Next Steps: +1. IMMEDIATE: Isolate the affected endpoint to prevent lateral movement +2. Verify the criminal group signature or toolset identified in the alert details +3. Check if the source IP/domain appears in threat intelligence feeds or previous incidents +4. Review all activity from the affected endpoint in the last 24-48 hours +5. Search for indicators of lateral movement or data staging activities +6. Scan other endpoints for similar patterns or IoCs +7. If ransomware indicators are present, activate ransomware response playbook +8. Collect forensic evidence: process creation logs, network connections, file modifications +9. Check for data exfiltration attempts to external IPs or cloud services +10. Review all user account activity associated with the endpoint for signs of compromise +11. Document all findings and coordinate with incident response team +12. 
Consider threat hunting across the environment for related criminal group activities +', '["https://attack.mitre.org/groups/","https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf","https://www.acalvio.com/cyber-deception/the-role-of-deception-technology-in-the-endpoint-security-reference-architecture/","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"]', 'oneOf("log.eventType", ["threat_detected", "deception_triggered", "malicious_activity"]) && +oneOf("log.threatType", ["criminal_group", "ransomware", "organized_crime"]) && +(exists("log.signature") || exists("log.toolset") || exists("log.groupName")) && +(oneOf("log.action", ["blocked", "detected", "prevented"]) || + oneOf("log.severity", ["high", "critical"])) && +(oneOf("log.indicatorType", ["ransomware", "financial_theft", "cryptomining", "data_exfiltration"]) || + greaterOrEqual("log.threatScore", 70)) +', '2026-02-09 16:28:47.971185', true, false, 'origin', null, '[]', '["lastEvent.log.groupName","lastEvent.log.signature","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (23, 'Data Theft Attempt on Decoy Files', 3, 2, 1, 'Collection', 'T1005 - Data from Local System', 'Detects attempts to access, copy, or exfiltrate deceptive decoy files and honeypot data, indicating potential data theft activities by an attacker. This rule triggers when an attacker interacts with high-sensitivity decoy files planted by Deceptive Bytes. 
+ +Next Steps: +- Immediately isolate the affected endpoint to prevent lateral movement +- Review the source IP and user account for suspicious activity patterns +- Check for other decoy interactions from the same source in the past 24 hours +- Examine network traffic logs for potential data exfiltration attempts +- Verify if the user account has been compromised or if this is insider threat activity +- Consider resetting credentials for the affected user account +- Document all decoy files accessed for forensic analysis +', '["https://attack.mitre.org/techniques/T1005/","https://attack.mitre.org/techniques/T1567/","https://deceptivebytes.com/solution/"]', 'equals("log.event_type", "decoy_accessed") && +oneOf("log.action", ["file_read", "file_copy", "file_download"]) && +equals("log.decoy_sensitivity", "high") +', '2026-02-09 16:28:48.101258', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.event_type","operator":"filter_term","value":"decoy_accessed"}],"or":null,"within":"now-2h","count":3}]', '["lastEvent.log.decoy_file","adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (786, 'Windows: Volume Shadow Copy Deletion via WMIC', 1, 2, 3, 'Impact', 'T1490 - Inhibit System Recovery', 'Identifies use of wmic.exe for shadow copy deletion on endpoints. 
This commonly occurs in tandem with ransomware or other destructive attacks.', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1490/"]', 'regexMatch("log.message", "(delete(.+)shadowcopy|shadowcopy(.+)delete)") && contains("log.eventDataProcessName", "WMIC.exe")', '2026-02-09 16:57:43.422219', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (25, 'Deception Token Access Patterns', 3, 3, 1, 'Defense Evasion, Persistence, Privilege Escalation, Initial Access', 'T1078 - Valid Accounts: Credential Access', 'Detects when deception tokens or honeytokens are accessed, indicating potential unauthorized activity or insider threat. Multiple token accesses from the same source within a short timeframe suggest systematic reconnaissance or data harvesting attempts. Honeytokens are fake credentials or access tokens planted as traps to detect unauthorized access. + +Next Steps: +1. Identify the source IP and user account associated with the token access +2. Review access logs to determine if this is legitimate testing or actual malicious activity +3. Check for lateral movement from the same source IP across the network +4. Investigate any data access or exfiltration attempts following the token access +5. Consider immediately blocking the source IP if confirmed malicious +6. Review and rotate any potentially compromised credentials in the environment +7. Alert security team immediately as honeytoken access is a high-confidence indicator of compromise +8. Document the incident and update detection rules based on observed attack patterns +9. 
Verify the integrity of the deception infrastructure to ensure it wasn''t compromised +', '["https://attack.mitre.org/techniques/T1078/","https://deceptivebytes.com/"]', 'equals("log.eventType", "token_access") && +equals("log.deceptionType", "honeytoken") && +exists("origin.ip") && +oneOf("log.severity", ["high", "critical"]) +', '2026-02-09 16:28:48.366791', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.eventType","operator":"filter_term","value":"token_access"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.tokenId","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (26, 'Decoy Share Access Monitoring', 3, 2, 1, 'Discovery', 'T1135 - Network Share Discovery', 'Detects when an attacker attempts to access decoy network shares set up by Deceptive Bytes. This indicates potential lateral movement or reconnaissance activity within the network. Any interaction with decoy shares is a high-confidence indicator of malicious activity since legitimate users should never access these resources. 
+ +Next Steps: +- Immediately investigate the source IP and verify if it belongs to an authorized user or system +- Check for other suspicious activities from the same source IP in the last 24-48 hours +- Review authentication logs to identify any compromised credentials associated with this IP +- Look for lateral movement attempts or privilege escalation from the same source +- Consider isolating the source system if it shows signs of compromise +- Document all accessed decoy resources for threat intelligence purposes +- Update security controls to block or monitor the attacker''s techniques +', '["https://attack.mitre.org/techniques/T1135/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "decoy_access") && equals("log.resourceType", "network_share") && exists("origin.ip")', '2026-02-09 16:28:48.496984', true, false, 'origin', '["adversary.ip","lastEvent.log.resourceType"]', '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.eventType","operator":"filter_term","value":"decoy_access"},{"field":"log.resourceType","operator":"filter_term","value":"network_share"}],"or":null,"within":"now-30m","count":3}]', null); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (27, 'Decoy System Enumeration', 3, 2, 1, 'Discovery', 'T1082 - System Information Discovery', 'Detects when an attacker performs system enumeration activities on decoy systems or services. This includes port scanning, service discovery, or system information gathering on deception assets. 
+ +Next Steps: +- Immediately investigate the source IP address for other suspicious activities +- Check if the source IP has attempted to access other decoy or real systems +- Review network logs for lateral movement attempts from this source +- Consider blocking the source IP if malicious intent is confirmed +- Document the attack pattern for threat intelligence sharing +- Verify if the attacker has discovered any real assets alongside decoys +', '["https://attack.mitre.org/techniques/T1082/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "system_enumeration") && +(equals("log.isDecoy", true) || equals("log.isDecoy", "true")) && +oneOf("log.action", ["port_scan", "service_discovery", "system_info"]) && +exists("origin.ip") +', '2026-02-09 16:28:48.646238', true, false, 'origin', '["adversary.ip","lastEvent.log.targetHost","lastEvent.log.decoyName"]', '[]', null); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (28, 'Fake User Authentication Attempts', 3, 3, 1, 'Credential Access', 'T1110 - Brute Force', 'Detects authentication attempts using decoy user accounts created by Deceptive Bytes. This indicates an attacker has obtained what they believe are valid credentials and is attempting to use them. 
+ +Next Steps: +- Immediately investigate the source IP address for other suspicious activities +- Check if the same IP has triggered other deception alerts or security events +- Review how the attacker obtained the decoy credentials (phishing, credential dumping, insider threat) +- Examine network logs for lateral movement attempts from this IP +- Consider blocking the source IP if confirmed malicious +- Check for any legitimate user accounts that may have been compromised +- Review authentication logs for attempts using real credentials from the same source +- Notify the security team for potential active breach investigation +', '["https://attack.mitre.org/techniques/T1110/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "authentication") && equals("log.isDecoyUser", true) && exists("log.authResult") && exists("origin.ip")', '2026-02-09 16:28:48.776477', true, false, 'origin', null, '[]', '["lastEvent.log.username","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (29, 'Honey Table Query Detection', 3, 2, 1, 'Collection', 'T1005 - Data from Local System', 'Detects when an attacker queries honey tables or decoy database objects deployed by Deceptive Bytes. This indicates potential data exfiltration attempts or database reconnaissance. Honey tables are deliberately placed decoy data designed to attract and identify unauthorized access attempts. + +Next Steps: +1. Identify the source IP and determine if it''s an internal or external address +2. Check if the source IP has accessed other decoy resources or legitimate database tables +3. Review the specific honey table(s) that were queried to understand attacker interest +4. 
Correlate with authentication logs to identify the user account used +5. Check for any data exfiltration patterns following the honey table access +6. Isolate the compromised system or account if malicious activity is confirmed +7. Review database access logs for unauthorized queries to legitimate tables +8. Consider blocking the source IP if it''s external and confirmed malicious +9. Document the incident and update security monitoring rules if needed +', '["https://attack.mitre.org/techniques/T1005/","https://deceptivebytes.com/solution/"]', 'equals("log.eventType", "decoy_access") && equals("log.resourceType", "database_table") && equals("log.action", "query") && exists("origin.ip")', '2026-02-09 16:28:48.911903', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.eventType","operator":"filter_term","value":"decoy_access"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.tableName","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (30, 'Lateral Movement Trap Triggered', 3, 3, 2, 'Lateral Movement', 'T1021 - Remote Services', 'Detects when an attacker triggers a deceptive trap while attempting lateral movement across the network. This indicates potential compromise and active threat movement within the environment. + +Next Steps: +1. Immediately isolate the source IP address to prevent further lateral movement +2. Review all activities from the source IP in the last 24-48 hours +3. Check if the source system shows signs of compromise (unusual processes, new services, etc.) +4. 
Identify what credentials or methods were used in the lateral movement attempt +5. Review network logs for any successful connections from this source to other systems +6. Initiate incident response procedures for potential active threat +7. Consider deploying additional deception tokens around critical assets +', '["https://attack.mitre.org/techniques/T1021/","https://deceptivebytes.com/solution/"]', 'equals("log.event_type", "trap_triggered") && equals("log.trap_type", "lateral_movement") && exists("origin.ip")', '2026-02-09 16:28:49.282062', true, false, 'origin', null, '[]', '["lastEvent.log.trap_type","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (49, 'Suspicious Process Behavior Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects suspicious process behaviors including injection attempts, privilege escalation, and abnormal process creation patterns identified by ESET''s behavioral monitoring. This alert indicates potential malware activity or exploitation attempts on the affected system. + +Next Steps: +1. Immediately review the alert details to identify: + - Affected hostname (check log.headHostname) + - Specific threat or behavior detected (check log.jsonMessage) + - Process name and path if available + - Time of detection (check log.deviceTime) +2. Investigate the process that triggered the alert: + - Verify if it''s a legitimate application or unknown/suspicious + - Check process creation chain and parent-child relationships + - Review file hash against threat intelligence sources +3. 
Check for related security events: + - Look for other ESET alerts from the same host + - Search for network connections from the suspicious process + - Review authentication events around the same timeframe +4. Containment actions if malicious: + - Isolate the affected host from the network + - Kill the suspicious process if still running + - Preserve forensic evidence (memory dump, logs) +5. Remediation steps: + - Run full antivirus scan on the affected system + - Check for persistence mechanisms (registry, scheduled tasks) + - Update ESET signatures and perform system hardening +6. Prevention measures: + - Review and update application control policies + - Ensure ESET real-time protection is enabled + - Consider implementing application whitelisting +', '["https://help.eset.com/ees/12/en-US/idh_dialog_epfw_ids_alert.html","https://attack.mitre.org/techniques/T1055/"]', 'oneOf("log.msgType", ["EnterpriseInspectorAlert_Event", "HIPS_Event"]) && +exists("log.jsonMessage") && +contains("log.jsonMessage", ["Process injection", "Suspicious behavior", + "Anomalous process", "blocked", "terminated", "prevented"]) +', '2026-02-09 16:28:51.996232', true, false, 'origin', null, '[]', '["lastEvent.log.headHostname","lastEvent.log.msgType"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (31, 'Nation-State Tactic Detection', 3, 3, 3, 'Advanced Persistent Threat', 'T1595 - Active Scanning / Nation-State Attack Patterns', 'Detects sophisticated attack patterns and techniques commonly associated with nation-state actors including advanced persistence mechanisms, custom tooling, and strategic lateral movement. 
+ +Next Steps: +1) Immediately isolate affected systems and preserve forensic evidence +2) Review all decoy interactions and identify compromised credentials +3) Check for lateral movement attempts from the source IP across all systems +4) Analyze custom tools or malware samples if detected +5) Engage incident response team for potential APT activity +6) Review network traffic for command & control communications +7) Implement enhanced monitoring on high-value targets identified in the attack +', '["https://attack.mitre.org/groups/","https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats"]', 'oneOf("log.event_type", ["decoy_interaction", "honeypot_access", "deception_triggered"]) && +equals("log.threat_level", "critical") && +(equals("log.attack_sophistication", "advanced") || greaterOrEqual("log.threat_score", 85)) && +(equals("log.apt_indicators", true) || + equals("log.custom_malware", true) || + equals("log.advanced_ttps", true) || + greaterThan("log.targeted_decoys", 1) || + equals("log.persistence_attempt", true)) +', '2026-02-09 16:28:49.375846', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (32, 'Living Off The Land Attack Using Deceptive Resources', 3, 3, 2, 'Defense Evasion', 'T1218 - Signed Binary Proxy Execution', 'Detects when attackers use legitimate system tools and binaries to interact with deceptive resources, indicating Living Off The Land (LOLBins) attack techniques. This is a high-confidence indicator of malicious activity as legitimate users should not be accessing deceptive resources with system binaries. + +Next Steps: +1. 
Immediately isolate the affected system to prevent lateral movement +2. Review the process execution chain to identify the parent process and any child processes +3. Check if the user account is compromised by reviewing recent authentication logs +4. Examine command line arguments and scripts executed by the LOLBin +5. Search for other deceptive resource interactions from the same user or system +6. Collect memory dump if possible for forensic analysis +7. Review network connections made by the process for C2 communication +8. Check for persistence mechanisms (scheduled tasks, registry modifications, services) +', '["https://attack.mitre.org/techniques/T1218/","https://attack.mitre.org/techniques/T1053/","https://lolbas-project.github.io/","https://deceptivebytes.com/solution/"]', 'equals("log.event_type", "lolbin_trap") && oneOf("log.process_name", ["powershell.exe", "cmd.exe", "wmic.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"]) && exists("log.deceptive_target")', '2026-02-09 16:28:49.511077', true, false, 'origin', null, '[]', '["lastEvent.log.deceptive_target","adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (33, 'Privilege Escalation Bait Accessed', 3, 3, 2, 'Privilege Escalation', 'T1068 - Exploitation for Privilege Escalation', 'Detects when an attacker accesses deceptive privileged account baits or attempts to escalate privileges using trapped credentials, indicating active exploitation attempts. This is a high-priority alert as it indicates an active attacker who has progressed beyond initial access and is attempting to gain elevated privileges. 
+ +Next Steps: +- Immediately isolate the affected system to prevent lateral movement +- Review authentication logs for the source IP and user account to identify scope of compromise +- Check for other deception bait interactions from the same source in the past 24 hours +- Investigate any legitimate user activity that may have been compromised +- Collect forensic data from the endpoint including running processes and network connections +- Review SIEM/EDR alerts for related suspicious activities from the same source +- Document the attacker''s TTPs for threat intelligence sharing +- Consider resetting credentials for any accounts that may have been exposed +- Update firewall rules to block the attacker''s source IP if confirmed malicious +', '["https://attack.mitre.org/techniques/T1068/","https://attack.mitre.org/techniques/T1078/","https://www.checkpoint.com/cyber-hub/cyber-security/what-is-deception-technology/"]', 'equals("log.event_type", "bait_accessed") && +equals("log.bait_type", "privileged_account") && +oneOf("log.target_privilege", ["admin", "system", "administrator"]) +', '2026-02-09 16:28:49.605982', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (34, 'Ransomware Behavior Detected in Deception Environment', 3, 3, 3, 'Impact', 'T1486 - Data Encrypted for Impact', 'Detects ransomware-like behavior patterns when attackers interact with deceptive files, including rapid file enumeration, encryption attempts, and ransom note creation in the Deceptive Bytes deception environment. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent ransomware spread +2. 
Check the process name and path identified in the alert for known ransomware indicators +3. Review file system activity from the same process for encryption patterns +4. Check for shadow copy deletion attempts (vssadmin, wmic shadowcopy delete) +5. Look for network connections to potential C2 servers from the identified process +6. Preserve forensic evidence and memory dumps if possible +7. Verify if this is a deception environment interaction or production system compromise +8. Check for lateral movement attempts from the source IP address +9. Review backup integrity and availability before any restoration attempts +', '["https://attack.mitre.org/techniques/T1486/","https://attack.mitre.org/techniques/T1490/","https://deceptivebytes.com/solution/"]', 'equals("log.event_type", "ransomware_behavior") && +oneOf("log.behavior_pattern", ["mass_encryption", "file_enumeration", "ransom_note_drop"]) +', '2026-02-09 16:28:49.721539', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"log.process","operator":"filter_term","value":"{{log.process}}"},{"field":"log.source_ip","operator":"filter_term","value":"{{log.source_ip}}"}],"or":null,"within":"now-15m","count":10}]', '["lastEvent.log.hostname","lastEvent.log.process"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (35, 'Threat Actor Attribution', 2, 2, 2, 'Threat Intelligence', 'T1583 - Acquire Infrastructure', 'Correlates observed attack patterns, tools, techniques, and infrastructure with known threat actor profiles to provide attribution intelligence and identify potential threat actors based on high-confidence indicators. + +Next Steps: +1. 
Review the attributed threat actor profile and historical campaigns for context +2. Analyze the specific TTPs (Tactics, Techniques, and Procedures) that triggered the attribution +3. Check for related activity from the same actor across other systems or time periods +4. Correlate with threat intelligence feeds to validate attribution confidence +5. Document observed infrastructure and tooling for future threat hunting +6. Consider implementing specific detections for this actor''s known techniques +7. Share attribution indicators with security teams for enhanced monitoring +8. Escalate to incident response team if high-profile threat actor is identified +', '["https://attack.mitre.org/groups/","https://malpedia.caad.fkie.fraunhofer.de/"]', 'equals("log.eventType", "threat_attribution") && +greaterOrEqual("log.attributionConfidence", 70) && +exists("log.actorProfile") && +equals("log.deceptionTriggered", true) && +(greaterOrEqual("log.ttpsMatched", 3) || + equals("log.infrastructureMatch", true) || + exists("log.toolingFingerprint")) && +equals("log.historicalCampaignMatch", true) +', '2026-02-09 16:28:49.841808', true, false, 'origin', null, '[]', '["lastEvent.log.actorProfile","lastEvent.log.campaignId","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (36, 'Zero-Day Behavior Patterns Detection', 3, 3, 3, 'Defense Evasion', 'T1211 - Exploitation for Defense Evasion', 'Identifies potential zero-day exploits and unknown malware through abnormal behavior patterns, deception interactions, and anomaly detection in endpoint activities. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent lateral movement +2. 
Capture memory dumps and process information for forensic analysis +3. Check for similar behavioral anomalies on other endpoints in the same network segment +4. Review the exploit technique and process chain to understand the attack vector +5. Submit samples to threat intelligence platforms for analysis +6. Update security controls based on the identified exploit patterns +7. Document all IOCs (file hashes, network connections, process behaviors) for threat hunting +', '["https://attack.mitre.org/techniques/T1211/","https://attack.mitre.org/techniques/T1055/","https://attack.mitre.org/techniques/T1620/"]', 'oneOf("log.eventType", ["unknown_threat", "behavioral_anomaly", "zero_day_suspect"]) && +equals("log.threatSignature", "unknown") && +equals("log.deceptionEnvironment", true) && +( + (greaterOrEqual("log.memoryAnomalyScore", 90)) || + (greaterOrEqual("log.processChainAnomalyScore", 85)) || + (greaterOrEqual("log.networkBehaviorScore", 88)) || + (greaterOrEqual("log.fileSystemAnomalyScore", 92)) +) && +equals("log.knownMalwareFamily", "") && +exists("log.exploitTechnique") +', '2026-02-09 16:28:49.976711', true, false, 'origin', null, '[{"indexPattern":"v11-log-deceptive-bytes-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.processName","operator":"filter_term","value":"{{log.processName}}"}],"or":null,"within":"now-30m","count":2}]', '["lastEvent.log.exploitTechnique","lastEvent.log.processHash","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (37, 'Advanced Heuristic Detection Triggers', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects when ESET''s advanced heuristic 
engine identifies suspicious behavior patterns that may indicate novel malware or zero-day threats. These detections use DNA signatures and behavioral analysis. + +Next Steps: +- Review the affected hostname and user context to understand the scope +- Check the process name (if available) that triggered the detection +- Verify if the action taken (cleaned/deleted/quarantined) was successful +- Look for related alerts from the same host within the past 24 hours +- If multiple hosts show similar detections, investigate potential lateral movement +- Consider isolating the affected system if threat persists +- Review ESET console link (if available) for detailed threat information +- Check file hash against threat intelligence databases if available +- Capture and analyze the malicious file sample if quarantined +- Review system logs for any unusual activities before and after detection +- Update ESET signatures and run a full system scan +', '["https://help.eset.com/eea/8/en-US/idh_config_threat_sense.html","https://attack.mitre.org/techniques/T1055/"]', 'oneOf("log.msgType", ["EnterpriseInspectorAlert_Event", "threat_event", "FirewallAggregatedAlert_Event"]) && +contains("log.jsonMessage", ["heuristic", "NewHeur", "suspicious behavior"]) && +contains("log.jsonMessage", ["cleaned", "deleted", "quarantined", "blocked"]) +', '2026-02-09 16:28:50.121137', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-esmc-eset-*","with":[{"field":"log.headHostname","operator":"filter_term","value":"{{log.headHostname}}"}],"or":null,"within":"now-30m","count":3}]', '["lastEvent.log.headHostname","lastEvent.log.msgType"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (38, 'ESET 
Botnet Communication Detection', 3, 3, 2, 'Command and Control', 'T1071 - Application Layer Protocol', 'Detects attempts to communicate with known botnet command and control servers. ESET identifies typical communication patterns when a computer is infected and a bot is attempting to communicate with malicious C2 infrastructure. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent further C2 communication +2. Check the hostname (log.headHostname) to identify the affected system +3. Review the full log message content (log.jsonMessage) for additional threat details including target IPs and processes +4. Review process activity on the affected host to identify the malicious process +5. Scan the system with ESET for complete malware removal +6. Check other systems in the network for similar C2 communication attempts +7. Update firewall rules to block any identified C2 server IPs found in the logs +8. Consider reimaging the system if the infection persists +9. 
Review ESET logs for the time period around this detection to identify related malicious activity +', '["https://www.eset.com/us/botnet/","https://support.eset.com/en/kb7487-resolve-the-incomingattackgeneric-or-botnetcncgeneric-network-protection-alert","https://attack.mitre.org/techniques/T1071/"]', 'contains("log.jsonMessage", ["Botnet", "CnC.Generic", "botnet", "C&C", "command and control"]) && +exists("log.headHostname") +', '2026-02-09 16:28:50.326726', true, false, 'origin', null, '[]', '["lastEvent.log.headHostname","lastEvent.log.jsonMessage"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (39, 'ESET Agent Disabled or Tampered', 3, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when the ESET security agent is disabled, uninstalled, or tampered with. This is a critical defense evasion indicator as attackers commonly disable endpoint protection before executing their payload. + +Next Steps: +1. Immediately investigate the affected endpoint +2. Determine who or what process disabled the agent +3. Check for concurrent malicious activity on the endpoint +4. Reinstall and re-enable the ESET agent +5. Review the endpoint for malware or unauthorized software +6. 
Check if similar tampering occurred on other endpoints +', '["https://help.eset.com/ees/8/en-US/idh_config_era_agent.html","https://attack.mitre.org/techniques/T1562/001/"]', '(regexMatch("log.message", "(?i)(eset|ekrn|egui|agent)") && + regexMatch("log.message", "(?i)(disabled|stopped|uninstalled|removed|tampered|terminated)")) || +(contains("log.message", "protection status") && contains("log.message", "disabled")) || +(contains("log.message", "agent") && contains("log.message", "not responding")) || +(equals("log.eventType", "AGENT_EVENT") && contains("log.message", "removed")) +', '2026-02-09 16:28:50.486216', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (40, 'ESET ERA/ESMC Console Suspicious Activity', 3, 3, 2, 'Lateral Movement', 'T1072 - Software Deployment Tools', 'Detects suspicious activity on the ESET ERA/ESMC management console including unauthorized policy changes, mass task deployments, or admin account modifications that could indicate console compromise. + +Next Steps: +1. Verify the admin account performing console operations +2. Review recent policy changes and task deployments +3. Check admin login history for unauthorized access +4. Verify the content of any pushed policies or tasks +5. Suspend suspicious admin accounts +6. 
Audit endpoints affected by recent console changes +', '["https://help.eset.com/esmc_admin/70/en-US/","https://attack.mitre.org/techniques/T1072/"]', '(contains("log.message", "policy") && + (contains("log.message", "modified") || contains("log.message", "assigned") || + contains("log.message", "created"))) || +(contains("log.message", "client task") && + (contains("log.message", "executed") || contains("log.message", "deployed"))) || +(contains("log.message", "administrator") && + ((contains("log.message", "created") || contains("log.message", "modified")) || + (contains("log.message", "login") && contains("log.message", "failed")))) +', '2026-02-09 16:28:50.647197', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-esmc-eset-*","with":[{"field":"log.headHostname","operator":"filter_term","value":"{{log.headHostname}}"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.headHostname","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (41, 'ESET Repeated Quarantine Failures', 2, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects repeated quarantine failures in ESET, which may indicate malware actively resisting quarantine through file locks, permission manipulation, or rapid re-creation of malicious files. + +Next Steps: +1. Identify the specific file or threat that cannot be quarantined +2. Check the file permissions and processes locking the file +3. Attempt manual quarantine or deletion in safe mode +4. Review the malware''s persistence mechanisms +5. Consider isolating the endpoint for manual remediation +6. 
Run a boot-time scan if available +', '["https://help.eset.com/ees/8/en-US/","https://attack.mitre.org/techniques/T1562/001/"]', '(contains("log.message", "quarantine") && + (contains("log.message", "failed") || contains("log.message", "error") || + contains("log.message", "unable") || contains("log.message", "denied"))) || +(contains("log.message", "clean") && contains("log.message", "failed") && + contains("log.message", "threat")) +', '2026-02-09 16:28:50.806501', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-esmc-eset-*","with":[{"field":"log.headHostname","operator":"filter_term","value":"{{log.headHostname}}"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.headHostname","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (42, 'ESET Exploit Detection Alert', 3, 3, 2, 'Privilege Escalation', 'T1068 - Exploitation for Privilege Escalation', 'Detects when ESET''s Exploit Blocker identifies and blocks exploitation attempts targeting vulnerabilities in commonly exploited applications such as browsers, document readers, email clients, Flash, and Java. + +Next Steps: +1. Identify the affected host and the specific exploit attempt details +2. Check for any successful exploitation attempts on the same host +3. Review process execution logs for suspicious activity following the exploit attempt +4. Verify that the exploit was successfully blocked and no compromise occurred +5. Update the vulnerable application if a patch is available +6. 
Consider isolating the host if exploitation may have succeeded +', '["https://www.eset.com/us/about/technology/","https://attack.mitre.org/techniques/T1068/"]', '(contains("log.jsonMessage", "exploit") || + oneOf("log.msgType", ["Exploit_Blocked", "Exploit"])) && +equals("actionResult", "blocked") && +oneOf("log.severity", ["medium", "high"]) +', '2026-02-09 16:28:50.965988', true, false, 'origin', null, '[]', '["lastEvent.log.jsonMessage","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (43, 'ESET Host Intrusion Prevention System Triggered', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects when ESET''s Host-based Intrusion Prevention System (HIPS) blocks suspicious behavior, including process manipulation, registry modifications, and file system changes that indicate potential malware activity. HIPS events indicate active attempts to compromise system integrity through various attack techniques. + +Next Steps: +1. Review the blocked process or action details in the ESET console +2. Identify the source application attempting the blocked behavior +3. Check if the blocked action is from legitimate software (false positive) +4. If malicious, isolate the affected system and perform full malware scan +5. Review system logs for any successful compromise attempts before HIPS activation +6. Update HIPS rules if necessary to prevent similar attacks +7. Check for persistence mechanisms on the affected host +8. 
Review network connections from the suspicious process if applicable +', '["https://help.eset.com/ees/8/en-US/idh_hips_main.html","https://attack.mitre.org/techniques/T1055/"]', 'equals("log.actionResult", "HIPS_Event") && equals("log.action", "blocked") && oneOf("log.severity", ["medium", "high"])', '2026-02-09 16:28:51.125733', true, false, 'origin', null, '[]', '["lastEvent.log.objectname","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (44, 'Machine Learning Detection Anomalies', 3, 3, 2, 'Execution', 'T1204.002 - User Execution: Malicious File', 'Identifies threats detected by ESET''s machine learning engine that analyzes file behavior patterns and characteristics to identify previously unknown malware variants. Machine learning detection indicates advanced malware that may evade signature-based detection methods. 
+ +Next Steps: +- Immediately investigate the affected host for signs of compromise +- Review the threat details in the log message to understand the malware type and behavior +- Check if the malware was successfully blocked or quarantined +- Look for similar detections across other hosts in your environment +- Consider isolating the affected system if the threat was not successfully contained +- Review process activity around the time of detection for suspicious behavior +- Collect and analyze the malware sample if available for threat intelligence +- Update security policies to prevent similar threats +- Check for any data exfiltration or lateral movement attempts from the affected host +', '["https://help.eset.com/protect_admin/11.0/en-US/events-exported-to-json-format.html","https://attack.mitre.org/techniques/T1204/002/"]', 'contains("log.message", "machine learning") && +contains("log.message", ["threat", "detected", "found"]) && +exists("log.msgType") && +exists("log.headHostname") +', '2026-02-09 16:28:51.285844', true, false, 'origin', null, '[]', '["lastEvent.log.headHostname","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (45, 'ESET Network Attack Detection', 3, 2, 1, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects network-based attacks and exploits blocked by ESET''s Network Attack Protection (IDS). This includes attempts to exploit known vulnerabilities in network services and protocols. + +Next Steps: +1. Review the attack details in ESET console to identify the specific vulnerability or attack pattern +2. Check if the source IP is known malicious using threat intelligence sources +3. 
Verify if other systems received similar attacks from the same source +4. Review firewall logs for additional suspicious activity from the source IP +5. Consider blocking the source IP at the perimeter firewall if attacks persist +6. Update network security policies and ensure all systems are patched +', '["https://help.eset.com/ees/7/en-US/idh_config_epfw_network_attack_protection.html","https://attack.mitre.org/techniques/T1190/"]', 'equals("log.event_type", "NetworkProtection_Event") && +equals("log.action", "blocked") && +exists("origin.ip") +', '2026-02-09 16:28:51.445944', true, false, 'origin', null, '[]', '["adversary.ip","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (46, 'Suspicious Encrypted File Activity', 3, 3, 2, 'Impact', 'T1486 - Data Encrypted for Impact', 'Detects suspicious encrypted file activities that may indicate ransomware encryption attempts or unauthorized file encryption operations. This rule triggers when ESET detects ransomware-related threats or file encryption activities. + +Next Steps: +1. Immediately isolate the affected system to prevent spread +2. Check if backup systems are accessible and uncompromised +3. Review the threat details in log.jsonMessage for specific ransomware variant +4. Look for other systems showing similar encryption patterns +5. Preserve forensic evidence before remediation +6. Consider engaging incident response team for ransomware cases +7. 
Do not power off the system if encryption is in progress +', '["https://attack.mitre.org/techniques/T1486/","https://help.eset.com/protect_admin/10.1/en-US/events-exported-to-json-format.html"]', 'equals("log.msgType", "Threat_Event") && +contains("log.jsonMessage", ["ransomware", "filecoder", "encrypted", ".encrypted"]) +', '2026-02-09 16:28:51.606002', true, false, 'origin', null, '[]', '["lastEvent.log.msgType","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (47, 'Registry Modification Attempts Blocked', 2, 3, 2, 'Defense Evasion, Persistence', 'T1112 - Modify Registry', 'Identifies attempts to modify critical Windows registry keys that were blocked by ESET, indicating potential persistence or system tampering attempts. Registry modifications are a common technique used by malware to establish persistence, disable security features, or alter system behavior. + +Next Steps: +1. Review the blocked action details to understand what registry key was targeted +2. Investigate the source process and user account involved in the attempt +3. Check for other security events from the same host around the same time +4. Verify if this is legitimate administrative activity or potential malicious behavior +5. If suspicious, isolate the affected system and perform a full malware scan +6. 
Review system logs for any successful registry modifications before the block occurred +', '["https://help.eset.com/esmc_admin/70/en-US/events-exported-to-json-format.html","https://attack.mitre.org/techniques/T1112/"]', 'exists("log.jsonMessage") && +contains("log.jsonMessage", "registry") && +oneOf("log.action", ["blocked", "denied", "prevented"]) && +oneOf("log.severity", ["high", "medium"]) +', '2026-02-09 16:28:51.765946', true, false, 'origin', null, '[]', '["lastEvent.log.action","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (48, 'ESET Blocked Suspicious PowerShell Activity', 3, 3, 1, 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'Detects when ESET blocks suspicious PowerShell commands or scripts that exhibit malicious behavior patterns, including obfuscated scripts, encoded commands, or attempts to bypass execution policies. This is a high-priority security event that indicates potential malicious activity was prevented. + +Next Steps: +1. Review the blocked PowerShell command details in the log message +2. Identify the user account and process that attempted to execute PowerShell +3. Check if this is part of legitimate administrative activity or scripting +4. Investigate the source of the PowerShell execution (parent process, script location) +5. Look for other suspicious activities from the same host or user +6. Consider isolating the affected system if malicious intent is confirmed +7. 
Review and update PowerShell execution policies if needed +', '["https://help.eset.com/ees/8/en-US/idh_hips_main.html","https://attack.mitre.org/techniques/T1059/001/"]', 'regexMatch("log.message", "(?i)(powershell|pwsh)") && equals("log.action", "blocked") && exists("log.headHostname")', '2026-02-09 16:28:51.906284', true, false, 'origin', null, '[]', '["lastEvent.log.headHostname","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (50, 'Code Injection Attempt Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects attempts to inject malicious code into legitimate processes. This technique is commonly used by malware to evade detection and gain elevated privileges by running within trusted processes. + +Next Steps: +1. Immediately isolate the affected system to prevent lateral movement +2. Identify the source process that attempted the injection +3. Check if the malware was successfully quarantined or if manual removal is needed +4. Review system logs for any suspicious activities around the same timeframe +5. Scan the system with updated antivirus definitions +6. Check for persistence mechanisms (scheduled tasks, registry keys, services) +7. Review network connections from the affected host for C2 communications +8. 
Consider reimaging the system if critical processes were compromised +', '["https://attack.mitre.org/techniques/T1055/","https://support.kaspersky.com/KESWin/11/en-us/151065.htm"]', '(equals("log.signatureID", "3") || equals("log.cs1", "DETECT")) && +(regexMatch("log.cefMsg", "(?i).*(inject|injection|CreateRemoteThread|SetWindowsHookEx|WriteProcessMemory).*") || + contains("log.cs4", ["inject", "hooking", "trojan", "backdoor"]) || + contains("log.action", ["terminate", "delete", "quarantine"])) && +(contains("log.cefMsg", ["lsass", "csrss", "winlogon", "services", "svchost", "explorer"]) || + contains("log.cefMsgAll", "process")) +', '2026-02-09 16:29:46.566557', true, false, 'origin', null, '[]', '["lastEvent.log.cs3","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (51, 'Kaspersky Command and Control Communication Detection', 3, 3, 2, 'Command and Control', 'T1071 - Application Layer Protocol', 'Detects potential command and control (C2) communication attempts identified by Kaspersky, including suspicious outbound connections, malware callbacks, and botnet communication patterns. This rule triggers when Kaspersky identifies network threats related to botnet activity, C2 communications, or malware beaconing that was not successfully blocked. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent further C2 communication +2. Review the target IP address against threat intelligence feeds to confirm malicious activity +3. Check if other systems have communicated with the same C2 server +4. Analyze the process or malware that initiated the connection +5. Review Kaspersky logs for additional context about the threat +6. 
Perform a full system scan and forensic analysis on the affected machine +7. Update antivirus signatures and ensure real-time protection is enabled +8. Consider reimaging the system if compromise is confirmed +', '["https://attack.mitre.org/techniques/T1071/","https://support.kaspersky.com/KLMS/8.2/en-US/151504.htm"]', '(contains("log.cs2", ["Bot", "bot", "C2", "Command", "command"]) || + contains("log.message", ["callback", "beacon"]) || + equals("log.cat", "NetworkThreat")) && +exists("target.ip") && +!equals("action", "blocked") +', '2026-02-09 16:29:46.705948', true, false, 'origin', null, '[]', '["adversary.host","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (52, 'Kaspersky Critical Object Detection', 3, 3, 2, 'Execution', 'T1204 - User Execution: Malicious File', 'Detects when Kaspersky identifies critical threats including malware, trojans, or other dangerous objects that require immediate attention. High severity detections often indicate active threats. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent lateral movement +2. Identify the malware name/signature from log.cs1, log.cs2, or log.cs4 fields +3. Check if Kaspersky successfully quarantined or removed the threat +4. Scan other systems in the same network segment for similar infections +5. Review recent user activity and email attachments that could be the infection vector +6. Collect and preserve forensic artifacts if needed for incident response +7. Update antivirus signatures and run a full system scan +8. 
Consider reimaging the system if the infection is severe or persistent +', '["https://support.kaspersky.com/ScanEngine/1.0/en-US/186767.htm","https://attack.mitre.org/techniques/T1204/"]', 'exists("log.signatureID") && +equals("log.cefDeviceSeverity", "High") && +(contains("log.cs1", ["INFECTED", "MALWARE", "TROJAN"]) || + contains("log.cs2", "Trojan") || + contains("log.cs4", "Trojan") || + contains("log.message", ["infected", "malicious"])) +', '2026-02-09 16:29:46.871602', true, false, 'origin', null, '[]', '["lastEvent.log.signatureID","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (168, 'GCP probable Government-backed attack', 3, 3, 2, 'Collection', 'T1560 - Archive Collected Data', 'A user''s account might have been targeted by government-backed attack. Government-backed attackers are trying to access the account of one of your users. An attack happens to less than 0.1% of all Google Account users. There''s a chance the alert is a false alarm. However, we believe we detected activities that government-backed attackers use to try to steal a password or other personal information. 
Such activity includes the user receiving an email containing a harmful attachment, links to malicious software downloads, or links to fake websites that are designed to access passwords.', '["https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1560"]', 'contains("log.protoPayload.methodName", "google.login.LoginService.govAttackWarning") +', '2026-02-09 16:31:52.331138', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (53, 'Kaspersky Data Exfiltration Attempts Detection', 3, 2, 1, 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 'Detects potential data exfiltration attempts identified by Kaspersky through suspicious network traffic patterns, large data transfers, or connections to suspicious external destinations. This rule monitors for network threats, trojan/backdoor detections, and suspicious data transfer patterns that may indicate data exfiltration. + +Next Steps: +1. Immediately identify the source host (origin.ip) and any associated user accounts on the affected system +2. Check if the destination IP (target.ip) is known malicious using threat intelligence sources +3. Review the volume and frequency of data transfers to this destination in the last 24-48 hours +4. Search for any other malware detections (especially Trojans/Backdoors) on the same host +5. Analyze network traffic logs for unusual patterns or protocols from the source IP +6. Check if other hosts in your network have connected to the same destination +7. 
If confirmed malicious: + - Block the destination IP at firewall/proxy level + - Isolate the affected system from network + - Initiate full incident response procedures + - Preserve evidence for forensic analysis +8. Document all findings and actions taken for compliance and future reference +', '["https://attack.mitre.org/techniques/T1048/","https://support.kaspersky.com/KLMS/8.2/en-US/151684.htm"]', '(equals("log.cat", "NetworkThreat") || + regexMatch("log.cs2", "(?i).*(trojan|backdoor).*") || + regexMatch("log.cefMsg", "(?i).*(data.*transfer|exfiltrat|upload.*suspicious|unauthorized.*transfer).*") || + regexMatch("log.cefMsgAll", "(?i).*(data.*exfiltration|suspicious.*upload|unauthorized.*transfer).*")) && +exists("target.ip") && +greaterOrEqual("log.cefDeviceSeverity", 3) +', '2026-02-09 16:29:47.051234', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-kaspersky-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.cat","operator":"filter_term","value":"NetworkThreat"}],"or":null,"within":"now-30m","count":5}]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (54, 'Kaspersky Agent Disabled or Tampered', 3, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when the Kaspersky security agent is disabled, stopped, or tampered with. This is a critical indicator of defense evasion as attackers disable endpoint protection to execute malware undetected. + +Next Steps: +1. Immediately investigate the affected endpoint +2. Identify the user or process that disabled the agent +3. Check for concurrent malicious activity +4. 
Re-enable the Kaspersky agent +5. Perform a full system scan +6. Check for similar events on other endpoints +', '["https://support.kaspersky.com/","https://attack.mitre.org/techniques/T1562/001/"]', 'exists("log.signatureID") && +(regexMatch("log.message", "(?i)(kaspersky|klnagent|kavfs|kesl).*( disabled| stopped| removed| tampered| uninstalled)") || + regexMatch("log.message", "(?i)(protection|self-defense).*(disabled|off|stopped)") || + (contains("log.cs1", "PROTECTION") && contains("log.message", "disabled")) || + (contains("log.message", "agent") && contains("log.message", "not running"))) +', '2026-02-09 16:29:47.205678', true, false, 'origin', null, '[]', '["lastEvent.log.dvchost","lastEvent.log.src"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (55, 'Kaspersky Ransomware Behavior Detection', 3, 3, 3, 'Impact', 'T1486 - Data Encrypted for Impact', 'Detects ransomware behavior patterns identified by Kaspersky including mass file encryption, ransom note creation, and ransomware-specific malware classifications. + +Next Steps: +1. Immediately isolate the affected system from the network +2. Identify the ransomware variant from Kaspersky''s classification +3. Check backup availability and integrity +4. Do not pay the ransom +5. Engage incident response team +6. Scan other systems for the same indicators +7. 
Determine the initial infection vector +', '["https://support.kaspersky.com/","https://attack.mitre.org/techniques/T1486/"]', 'exists("log.signatureID") && +(regexMatch("log.message", "(?i)(ransomware|ransom|trojan-ransom|cryptolocker|locky|cerber|wannacry|ryuk|conti|lockbit|blackcat)") || + contains("log.cs2", "Trojan-Ransom") || contains("log.cs4", "Trojan-Ransom") || + (contains("log.message", "encrypt") && contains("log.message", "mass")) || + (contains("log.message", "System Watcher") && contains("log.message", "rollback"))) +', '2026-02-09 16:29:47.406636', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-kaspersky-*","with":[{"field":"log.src","operator":"filter_term","value":"{{log.src}}"}],"or":null,"within":"now-10m","count":3}]', '["lastEvent.log.dvchost","lastEvent.log.src"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (56, 'Kaspersky Rootkit Detection', 3, 3, 3, 'Defense Evasion', 'T1014 - Rootkit', 'Detects rootkit activity identified by Kaspersky security, including hidden processes, kernel-level modifications, and rootkit-specific malware classifications that indicate a deeply compromised system. + +Next Steps: +1. Immediately isolate the affected system +2. Do not trust any output from the compromised system +3. Perform offline forensic analysis +4. Plan for full system reimaging +5. Check for lateral movement from the compromised host +6. 
Determine the initial infection vector +', '["https://support.kaspersky.com/","https://attack.mitre.org/techniques/T1014/"]', 'exists("log.signatureID") && +(regexMatch("log.message", "(?i)(rootkit|bootkit|Rootkit|hidden.*process|hidden.*module)") || + contains("log.cs2", "Rootkit") || contains("log.cs4", "Rootkit") || + contains("log.cs2", "Bootkit") || contains("log.cs4", "Bootkit") || + (contains("log.message", "System Analysis") && contains("log.message", "hidden"))) +', '2026-02-09 16:29:47.566348', true, false, 'origin', null, '[]', '["lastEvent.log.dvchost","lastEvent.log.src"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (57, 'Lateral Movement Indicators Detection', 3, 3, 2, 'Lateral Movement', 'T1021 - Remote Services', 'Detects indicators of lateral movement attempts within the network through Kaspersky antivirus logs. +Attackers use various techniques including PSExec, WMI, RDP, SMB shares, and exploitation tools to move +from one compromised system to others, expanding their access and control across the network. This rule +identifies blocked or detected activities that may indicate lateral movement attempts. + +Next Steps: +1. Investigate the source IP and hostname for signs of compromise +2. Review authentication logs for the same time period to identify potential credential theft +3. Check if the detected tools (PSExec, WMI, RDP) are authorized for use in your environment +4. Examine network traffic between the source and destination systems +5. Look for other suspicious activities from the same source host +6. Consider isolating affected systems if lateral movement is confirmed +7. 
Review similar patterns from the same source within the detection window +', '["https://attack.mitre.org/tactics/TA0008/","https://support.kaspersky.com/KESWin/11/en-us/151065.htm"]', '(equals("log.cn1", "3") || equals("log.cs1", "DETECT") || equals("log.act", "blocked")) && +(contains("log.cefMsg", ["psexec", "wmi", "rdp", "smb", "admin$", "ipc$", "c$", + "remote", "lateral", "pivot"]) || + contains("log.cs4", ["exploit", "mimikatz", "bloodhound", "sharphound", "propagat"])) && +exists("log.dst") && +exists("log.src") && +safe(log.src, "") != safe(log.dst, "") +', '2026-02-09 16:29:47.711856', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-kaspersky-*","with":[{"field":"log.src","operator":"filter_term","value":"{{log.src}}"}],"or":null,"within":"now-2h","count":3}]', '["lastEvent.log.dhost","lastEvent.log.dst","lastEvent.log.src"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (188, 'AWS CloudTrail Log Deleted', 2, 3, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of an AWS log trail. 
An adversary may delete trails in an attempt to evade defenses', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"]', 'equals("log.eventSource", "cloudtrail.amazonaws.com") && +equals("log.eventName", "DeleteTrail") +', '2026-02-09 16:32:22.485394', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (58, 'Living Off the Land Binaries (LOLBins) Abuse Detection', 3, 3, 2, 'Defense Evasion', 'T1218 - System Binary Proxy Execution', 'Detects the malicious use of legitimate Windows system binaries (LOLBins) to execute malicious code. Attackers abuse these trusted tools to bypass security controls and maintain persistence. LOLBins are particularly dangerous because they are signed Microsoft binaries that are trusted by most security products. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent lateral movement +2. Review the full context of the detection including command line parameters and parent processes +3. Check for any network connections or file downloads initiated by the LOLBin process +4. Look for persistence mechanisms (scheduled tasks, registry keys, services) created around the same time +5. Scan for additional indicators of compromise on the affected system +6. Review user account activity for signs of compromise or privilege escalation +7. 
Consider reimaging the system if fileless malware is confirmed +', '["https://attack.mitre.org/techniques/T1218/","https://lolbas-project.github.io/","https://www.kaspersky.com/enterprise-security/wiki-section/products/fileless-threats-protection"]', '(equals("log.signatureID", "3") || equals("log.cs1", "DETECT")) && +(regexMatch("log.cefMsg", "(?i).*(rundll32|regsvr32|mshta|certutil|bitsadmin|powershell|wmic|cscript|wscript|msiexec|installutil|regasm|regsvcs).*") || + contains("log.cs4", ["fileless", "LOLBin", "LOLBas"])) && +(contains("log.cefMsg", ["download", "execute", "bypass", "encoded", "obfuscat", "hidden", "malicious"]) || + exists("log.actionResult")) +', '2026-02-09 16:29:47.867270', true, false, 'origin', null, '[]', '["lastEvent.log.cs4","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (59, 'Kaspersky Application Privilege Escalation Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055/T1134 - Process Injection and Access Token Manipulation', 'Detects attempts to escalate privileges through application manipulation, process injection, or unauthorized elevation of permissions monitored by Kaspersky endpoint protection. These techniques are commonly used by attackers to gain higher-level permissions on compromised systems. + +Next Steps: +1. Immediately isolate the affected system to prevent lateral movement +2. Review the process that triggered the alert and its parent process chain +3. Check if the source process is legitimate or potentially malicious +4. Look for other suspicious activities on the same host in the last hour +5. Collect memory dumps if possible for forensic analysis +6. 
Review user account permissions and recent changes +7. Check for any unauthorized scheduled tasks or services +8. Update Kaspersky signatures and run a full system scan +', '["https://support.kaspersky.com/KLMS/8.2/en-US/151684.htm","https://attack.mitre.org/techniques/T1055/","https://attack.mitre.org/techniques/T1134/"]', 'exists("log.signatureID") && +!equals("log.action", "Allowed") && +(contains("log.message", ["privilege", "elevation", "EXPLOIT", "Exploit", + "process injection", "token manipulation"]) || + contains("log.cs1", "EXPLOIT") || + contains("log.cs2", "Exploit") || + contains("log.cs4", "Exploit") || + contains("log.cefMsg", ["privilege", "elevation"])) +', '2026-02-09 16:29:48.010688', true, false, 'origin', null, '[]', '["lastEvent.log.signatureID","adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (60, 'Kaspersky Sandbox Evasion Attempts Detection', 3, 3, 2, 'Defense Evasion, Discovery', 'T1497 - Virtualization/Sandbox Evasion', 'Identifies malware attempting to detect and evade sandbox environments. This includes time-based evasion, environment checks, anti-VM techniques, and other behaviors designed to avoid analysis in controlled environments. + +Next Steps: +1. Immediately isolate the affected system to prevent potential malware spread +2. Review the process that triggered the sandbox evasion detection +3. Check for any suspicious parent processes or child processes +4. Collect memory dumps and samples for deeper analysis +5. Review recent file downloads and email attachments on the affected system +6. Check if similar detection occurred on other systems in the network +7. 
Consider submitting the sample to Kaspersky for further analysis +', '["https://www.kaspersky.com/enterprise-security/malware-sandbox","https://attack.mitre.org/techniques/T1497/","https://attack.mitre.org/techniques/T1497/001/"]', 'exists("log.signatureID") && +(contains("log.cefMsg", ["sandbox", "evasion", "anti-VM", "virtualization"]) || + contains("log.cefMsgAll", ["sandbox", "evasion"]) || + contains("log.cs1", "SANDBOX_") || + contains("log.cs4", ["Evasion", "AntiVM", "environment check", "time delay", "VM detection"]) || + (equals("log.cat", "Behavior Detection") && + contains("log.cefMsg", ["delay", "sleep"]))) +', '2026-02-09 16:29:48.151518', true, false, 'origin', '["adversary.host","lastEvent.log.cs4"]', '[]', null); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (61, 'Kaspersky Suspicious Network Activity Detection', 3, 2, 2, 'Command and Control', 'T1071 - Application Layer Protocol', 'Detects suspicious network activities including unusual connections, potential C2 communications, or network-based attacks identified by Kaspersky security monitoring. This rule triggers when Kaspersky blocks network connections that match suspicious patterns and multiple similar events occur from the same host. + +Next Steps: +1. Review the source and destination IP addresses for known malicious indicators using threat intelligence feeds +2. Check if the blocked connection was attempting to reach known C2 servers or suspicious domains +3. Examine the process that initiated the network connection (check log.processName or log.filePath if available) +4. Review other security events from the same host within the last hour for additional IOCs +5. 
Verify if multiple hosts are exhibiting similar network behavior (potential lateral movement or outbreak) +6. Check firewall logs for any successful connections to the same destination that may have bypassed Kaspersky +7. Consider isolating the affected system if C2 communication is confirmed +8. Run a full system scan on the affected host and check for persistence mechanisms +9. Review network traffic logs for data exfiltration attempts to the same destination +10. Document the incident and update block lists with confirmed malicious IPs/domains +', '["https://support.kaspersky.com/kwts/6.1/267200","https://attack.mitre.org/techniques/T1071/","https://attack.mitre.org/techniques/T1043/"]', 'exists("log.signatureID") && +(contains("log.message", ["suspicious connection", "network attack", "port scan", "unusual traffic"]) || + contains("log.descMsg", "network") || + contains("log.cs1", "NETWORK") || + contains("log.cs2", "Net-Worm") || + contains("log.cs4", "Net-Worm") || + (exists("log.dstIP") && exists("log.dpt"))) && +equals("log.act", "Blocked") +', '2026-02-09 16:29:48.296465', true, false, 'origin', null, '[{"indexPattern":"v11-log-antivirus-kaspersky-*","with":[{"field":"log.src","operator":"filter_term","value":"{{log.src}}"},{"field":"log.dstIP","operator":"filter_term","value":"{{log.dstIP}}"}],"or":null,"within":"now-30m","count":5}]', '["lastEvent.log.dstIP","lastEvent.log.dvchost","lastEvent.log.src"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (82, 'Storyline Correlation Event', 3, 3, 2, 'Attack Chain Detection', 'Attack Chain Analysis', 'Detects correlated attack patterns identified by SentinelOne''s Storyline feature, which connects related events to 
reveal complete attack chains and multi-stage threats. + +Next Steps: +1. Review the complete attack chain in the SentinelOne console''s Storyline view +2. Identify all affected endpoints and users involved in the attack chain +3. Check for lateral movement or persistence mechanisms across the related events +4. Isolate affected endpoints if active threats are detected +5. Collect forensic data from all systems identified in the storyline +6. Review and update security policies based on the attack patterns observed +7. Analyze the attack timeline and identify any gaps in detection +8. Coordinate with incident response team for threat hunting activities +', '["https://www.sentinelone.com/platform/storyline-active-response/","https://attack.mitre.org/tactics/enterprise/"]', 'regexMatch("log.eventDescription", "(?i)(storyline|attack chain|correlated|multi.?stage|campaign)") && regexMatch("log.message", "(?i)(threat|attack|compromise|breach)")', '2026-02-09 16:29:51.525591', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (62, 'Suspicious Packed Executable Detection', 3, 3, 2, 'Defense Evasion', 'T1027.002 - Obfuscated Files or Information: Software Packing', 'Detects when Kaspersky identifies suspicious packed executables, which are often used by malware to evade detection and analysis. Packed executables use compression or encryption to hide their true content and make reverse engineering more difficult. + +Next Steps: +1. Identify the affected system from origin.hostname and origin.ip fields +2. Review the detected threat details from log.descMsg and log.msg fields +3. 
Check the action taken by the antivirus (blocked/detected) in the action field +4. Verify if the file is legitimate software that uses packing for protection +5. If malicious, isolate the affected system immediately +6. Perform a full system scan to identify additional threats +7. Review process execution logs for suspicious child processes spawned by packed executables +8. Check network connections initiated by the suspicious executable +9. Submit the sample to Kaspersky or third-party sandbox for detailed analysis +10. Update antivirus signatures and ensure real-time protection is enabled +', '["https://www.kaspersky.com/resource-center/threats/suspicious-packers","https://attack.mitre.org/techniques/T1027/002/"]', 'oneOf("action", ["blocked", "detected"]) && +(contains("log.descMsg", ["Packed", "packer"]) || + contains("log.msg", ["packed", "Packed"]) || + contains("log.descMsg", ["NSAnti", "Themida", "VMProtect", "ASPack", "UPX", + "PECompact", "Enigma", "Armadillo"]) || + contains("log.msg", ["NSAnti", "Themida", "VMProtect", "ASPack", "UPX", + "PECompact", "Enigma", "Armadillo"]) || + contains("log.cat", ["Trojan.Packed", "Packed"])) +', '2026-02-09 16:29:48.426196', true, false, 'origin', null, '[]', '["adversary.hostname","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (63, 'Kaspersky Suspicious Scheduled Tasks Detection', 3, 3, 2, 'Execution, Persistence, Privilege Escalation', 'T1053 - Scheduled Task/Job', 'Detects suspicious scheduled task creation or modification identified by Kaspersky, which could indicate persistence mechanisms used by malware or attackers. 
Scheduled tasks are commonly abused by attackers to maintain persistence, execute malicious code at specific times, or escalate privileges. + +Next Steps: +1. Review the scheduled task details in log.msg, log.fname, and log.descMsg fields +2. Check the specific threat signature in log.signatureID to understand the detection +3. Examine log.cs1 and log.cs2 fields for additional threat context and classification +4. Verify if the task creation was part of legitimate administrative activity +5. Check the affected host (origin.host) for other persistence mechanisms: + - Registry run keys + - Startup folder items + - Services + - WMI event subscriptions +6. Review log.deviceTime for timeline analysis and correlate with other security events +7. If confirmed malicious: + - Disable or remove the scheduled task immediately + - Scan the system for additional malware components + - Check if the malware has spread to other systems + - Preserve evidence and initiate incident response procedures +', '["https://attack.mitre.org/techniques/T1053/","https://support.kaspersky.com/ScanEngine/1.0/en-US/186767.htm"]', '(containsAll("log.msg", ["scheduled", "task"]) || + contains("log.msg", ["schtasks", "schedule"]) || + contains("log.descMsg", ["scheduled", "task"]) || + contains("log.cs2", "persist") || + contains("log.fname", "\\Tasks\\") || + contains("log.cat", "persistence")) && +(exists("log.signatureID") || + oneOf("log.cs1", ["infected", "suspicious"]) || + exists("log.cefDeviceSeverity")) +', '2026-02-09 16:29:48.581531', true, false, 'origin', null, '[]', '["lastEvent.log.signatureID","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (64, 'Kaspersky Suspicious Service 
Installation Detection', 2, 2, 2, 'Persistence, Privilege Escalation', 'T1543.003 - Create or Modify System Process: Windows Service', 'Detects suspicious Windows service installation or modification attempts identified by Kaspersky, which could indicate malware persistence mechanisms or privilege escalation attempts. Service manipulation is a common technique used by malware to maintain persistence on compromised systems. + +Next Steps: +1. Identify the service name and executable path from the alert details +2. Verify if the service installation was authorized and legitimate +3. Check the digital signature and reputation of the service executable +4. Review parent process that initiated the service installation +5. Look for other suspicious activities on the affected host around the same time +6. If confirmed malicious, stop and remove the service, quarantine associated files +7. Perform full system scan and check for additional compromise indicators +', '["https://attack.mitre.org/techniques/T1543/003/","https://support.kaspersky.com/ScanEngine/2.1/en-US/186767.htm"]', '(containsAll("log.message", ["Service", "install"]) || + containsAll("log.message", ["sc.exe", "create"]) || + containsAll("log.message", ["New", "Service"]) || + contains("log.fname", "\\services.exe") || + contains("log.cs2", "Service")) && +(oneOf("log.cs1", ["infected", "suspicious"]) || + greaterOrEqual("log.cefDeviceSeverity", 3)) +', '2026-02-09 16:29:48.715709', true, false, 'origin', null, '[]', '["lastEvent.log.fname","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (65, 'Kaspersky System File Tampering Detection', 2, 3, 1, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable 
or Modify Tools', 'Detects attempts to tamper with critical system files, Windows services, or protected system components. This includes unauthorized modifications to system binaries, service configurations, or attempts to manipulate security-critical files. + +Next Steps: +1. Identify the affected system file or component from the log details +2. Check if the modification was authorized (planned maintenance, legitimate software update) +3. Review process information to identify the source of the tampering attempt +4. Look for additional indicators of compromise on the affected system +5. Investigate any parent processes or scripts that initiated the modification +6. Check for persistence mechanisms that may have been established +7. Consider isolating the system if unauthorized tampering is confirmed +', '["https://support.kaspersky.com/kwts/6.1/267200","https://attack.mitre.org/techniques/T1562/001/","https://attack.mitre.org/techniques/T1036/"]', 'exists("log.signatureID") && +(contains("log.message", ["system file", "critical file", "protected file", "service tamper"]) || + contains("log.cs1", "SYSTEM_MOD") || + contains("log.cs4", "SystemFile") || + contains("log.cefMsg", ["system modification", "unauthorized change"]) || + (equals("log.cat", "Behavior Detection") && contains("log.message", "modify"))) +', '2026-02-09 16:29:48.851403', true, false, 'origin', null, '[]', '["lastEvent.log.cs4","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (66, 'Kaspersky WMI Abuse Detection', 3, 3, 2, 'Execution', 'T1047 - Windows Management Instrumentation', 'Detects potential Windows Management Instrumentation (WMI) abuse identified by Kaspersky, including 
suspicious WMI queries, event subscriptions, or process creation via WMI. WMI is a legitimate Windows component often abused by attackers for lateral movement, persistence, and code execution. + +Next Steps: +1. Identify the affected host and user account involved in the WMI activity +2. Review the specific WMI commands or queries that triggered the alert +3. Check for any unauthorized scheduled tasks or startup items created via WMI +4. Look for other indicators of compromise on the affected system +5. Verify if this is legitimate administrative activity or potential malicious behavior +6. If confirmed malicious, isolate the system and perform incident response procedures +', '["https://attack.mitre.org/techniques/T1047/","https://support.kaspersky.com/KLMS/8.2/en-US/151684.htm"]', '(contains("log.cefMsg", ["WMI", "wmi", "wmic", "winmgmt", "scrcons.exe"]) || + contains("log.cefMsgAll", "WMI")) && +(greaterOrEqual("log.cefDeviceSeverity", 3) || equals("log.cat", "blocked")) +', '2026-02-09 16:29:49.335545', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (67, 'SentinelOne Agent Tampering Attempts', 3, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects attempts to tamper with, disable, or modify the SentinelOne agent. This is a critical security event as attackers often try to disable security tools before launching their main attack. Immediate response required. + +Next Steps: +1. Immediately isolate the affected endpoint to prevent further damage +2. Review the user account associated with the tampering attempt +3. 
Check system logs for any suspicious activities before and after the tampering attempt +4. Verify if the SentinelOne agent is still functioning properly +5. Look for any malware or unauthorized software that may have been installed +6. Review network connections from the affected host for command and control activity +7. If tampering was successful, consider reimaging the system after forensic analysis +', '["https://support.sentinelone.com/hc/en-us/articles/360001089343-Protecting-the-SentinelOne-Agent","https://attack.mitre.org/techniques/T1562/001/"]', 'regexMatch("log.eventDescription", ".*(tamper|disable|stop|uninstall|modify).*agent.*") || +regexMatch("log.eventDescription", ".*agent.*(tamper|disable|stop|uninstall|modify).*") || +oneOf("log.activityType", ["agent_uninstall", "agent_disable", "agent_tamper"]) || +equals("log.eventType", "AgentTamperingAttempt") || +(regexMatch("log.processName", ".*(sentinelone|sentinel).*") && + oneOf("log.action", ["kill", "terminate", "stop", "disable"])) +', '2026-02-09 16:29:49.440788', true, false, 'origin', null, '[]', '["lastEvent.log.agentId","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (68, 'Kaspersky Trusted Application Compromise Detection', 3, 3, 2, 'Defense Evasion', 'T1218 - Signed Binary Proxy Execution', 'Identifies when legitimate or trusted applications exhibit malicious behavior, potentially indicating compromise or exploitation. This includes detecting when signed binaries are used for malicious purposes or when trusted processes perform suspicious activities. This is a critical security event that indicates an attacker may be using living-off-the-land techniques to evade detection. 
+ +Next Steps: +1. Immediately isolate the affected system to prevent lateral movement +2. Identify the compromised trusted application and its process chain +3. Review recent system changes and user activities on the affected host +4. Check for persistence mechanisms (scheduled tasks, services, registry keys) +5. Analyze network connections from the compromised application +6. Look for data exfiltration indicators from the affected system +7. Consider reimaging the system if compromise is confirmed +8. Update security policies to monitor the exploited application more closely +', '["https://www.kaspersky.com/enterprise-security/wiki-section/products/kaspersky-anti-targeted-attack-platform","https://attack.mitre.org/techniques/T1218/","https://attack.mitre.org/techniques/T1574/"]', 'exists("log.signatureID") && +(contains("log.msg", ["trusted application", "signed binary", "legitimate program"]) || + contains("log.cs1", "TRUSTED_COMP") || + contains("log.cs4", "TrustedApp") || + contains("log.descMsg", "whitelisted") || + (equals("log.cat", "Exploit Prevention") && contains("log.msg", "exploit")) || + containsAll("log.msg", ["behavior", "trusted"])) && +oneOf("log.cefDeviceSeverity", ["High", "Medium"]) +', '2026-02-09 16:29:49.531168', true, false, 'origin', null, '[]', '["lastEvent.log.cs1","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (69, 'SentinelOne AI-Based Threat Hunting Alerts', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects threats identified by SentinelOne''s AI and machine learning threat hunting capabilities, including zero-day exploits, fileless attacks, and previously unknown malware variants. 
+ +Next Steps: +1. Immediately isolate the affected system to prevent lateral movement +2. Review the threat details in SentinelOne console for threat classification and confidence score +3. Check if the AI detection correlates with any unusual process behavior or network activity +4. Examine memory dumps if available for fileless attack indicators +5. Search for similar AI detections across other endpoints in the environment +6. If confirmed as a zero-day or new variant, submit samples to threat intelligence teams +7. Update security policies based on the AI detection patterns observed +', '["https://www.sentinelone.com/platform/ai-powered-prevention/","https://attack.mitre.org/tactics/TA0043/","https://attack.mitre.org/techniques/T1055/"]', '( + regexMatch("log.eventDescription", "(?i)(ai detected|machine learning|threat hunt|hunting alert|ai threat|automated detection)") || + oneOf("log.engines", ["AI", "MachineLearning", "Static AI", "Behavioral AI"]) || + contains("log.threatClassificationSource", "AI") +) && +exists("log.endpointDeviceName") && +(exists("log.threatId") || exists("log.threatName") || exists("log.threatClassification")) +', '2026-02-09 16:29:49.676366', true, false, 'origin', null, '[]', '["lastEvent.log.accName","lastEvent.log.endpointDeviceName"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (70, 'SentinelOne Behavioral Threat Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects behavioral threat patterns identified by SentinelOne''s AI engine, including suspicious process behaviors, anomalous system calls, and deviations from normal endpoint activity patterns. + +Next Steps: +1. 
Review the specific behavioral indicator that triggered the alert in log.eventDescription +2. Identify the affected host and user account from log.syslogHost and log.destinationUser +3. Check if the behavior is associated with legitimate software or administrative activity +4. Investigate other recent activities from the same host for signs of compromise +5. If confirmed malicious, isolate the endpoint and initiate incident response procedures +6. Review SentinelOne console for additional threat details and recommended remediation actions +7. Collect memory dumps if process injection or in-memory threats are suspected +8. Check for persistence mechanisms that may have been established +', '["https://www.sentinelone.com/platform/behavioral-ai/","https://attack.mitre.org/techniques/T1055/"]', '(regexMatch("log.eventDescription", "(?i)(behavioral|anomaly|suspicious behavior|abnormal|pattern detected|threat behavior|malicious activity)") || regexMatch("log.eventDescription", "(?i)(process injection|code injection|memory manipulation|hollowing)")) && exists("log.syslogHost") && exists("log.eventDescription")', '2026-02-09 16:29:49.810812', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","lastEvent.log.syslogHost"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (81, 'SentinelOne Policy Downgraded from Protect to Detect', 3, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects when a SentinelOne policy is downgraded from Protect mode to Detect-only mode, which stops automatic threat remediation. This is a critical defense evasion indicator as attackers with console access weaken protection before deploying malware. 
+ +Next Steps: +1. Identify the administrator who changed the policy +2. Verify through change management if this was authorized +3. Check for concurrent threat detections on affected endpoints +4. Restore the Protect policy immediately if unauthorized +5. Review admin account access for compromise +6. Scan all affected endpoints for unmitigated threats +', '["https://support.sentinelone.com/","https://attack.mitre.org/techniques/T1562/001/"]', '(contains("log.eventDescription", "policy") && + ((contains("log.eventDescription", "Detect") && contains("log.eventDescription", "changed")) || + contains("log.eventDescription", "downgrade") || + (contains("log.eventDescription", "Protect") && contains("log.eventDescription", "Detect")))) || +(oneOf("log.activityType", ["policy_updated", "policy_changed"]) && + contains("log.eventDescription", "Detect")) +', '2026-02-09 16:29:51.340676', true, false, 'origin', null, '[]', '["lastEvent.log.activityType","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (71, 'SentinelOne Cloud Workload Protection Alert', 3, 3, 2, 'Defense Evasion, Persistence, Privilege Escalation, Initial Access', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects cloud workload protection alerts including suspicious cloud API calls, unauthorized cloud resource access, cloud account compromise, or cloud-native threat detection. + +Next Steps: +1. Review the specific cloud workload alert details in the SentinelOne console +2. Identify the affected cloud resources (AWS, Azure, GCP) and account involved +3. Check for any unauthorized changes to cloud configurations or resources +4. Review cloud provider logs for the time period around the alert +5. 
Verify if the activity was authorized or part of legitimate operations +6. If suspicious, immediately revoke any compromised credentials or access keys +7. Enable additional cloud security monitoring and alerts if not already configured +8. Document findings and update incident response procedures as needed +', '["https://www.sentinelone.com/platform/singularity-cloud-workload-security/","https://attack.mitre.org/techniques/T1078/004/"]', 'exists("log.eventDescription") && +contains("log.eventDescription", ["cloud", "aws", "azure", "gcp", + "lambda", "s3", "ec2", "workload"]) && +contains("log.eventDescription", ["threat detected", "malicious", "compromise", + "breach", "attack detected", "unauthorized access"]) && +(exists("log.threatId") || exists("log.endpointDeviceName")) +', '2026-02-09 16:29:49.951108', true, false, 'origin', null, '[]', '["lastEvent.log.accName","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (72, 'SentinelOne Container Security Alert', 3, 3, 2, 'Defense Evasion, Execution', 'T1610 - Deploy Container', 'Detects container-related security events including container drift, unauthorized container deployment, cryptominers in containers, or suspicious container behavior. + +Next Steps: +1. Identify the affected container and host system from the alert details +2. Review the container runtime logs for additional context +3. Check if the container is running authorized images from trusted registries +4. Investigate any network connections or processes spawned by the container +5. If unauthorized activity is confirmed, isolate the container and host +6. Review container deployment policies and runtime security configurations +7. 
Check for similar alerts across other container environments +', '["https://www.sentinelone.com/platform/singularity-cloud-workload-security/","https://www.sentinelone.com/resources/cloud-workload-security-for-containers/","https://attack.mitre.org/techniques/T1610/"]', 'exists("log.eventDescription") && +contains("log.eventDescription", ["container", "kubernetes", "k8s", + "docker", "pod"]) && +contains("log.eventDescription", ["drift detected", "cryptominer", "malicious", + "breach", "unauthorized container", "container escape"]) && +(exists("log.threatId") || exists("log.endpointDeviceName")) +', '2026-02-09 16:29:50.096116', true, false, 'origin', null, '[]', '["adversary.host","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (73, 'Custom Detection Rule Triggers', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects when custom detection rules configured in SentinelOne trigger, indicating organization-specific threat patterns or policy violations have been identified. Custom rules are tailored to detect specific behaviors or patterns unique to the organization''s security requirements. + +Next Steps: +1. Review the specific custom rule that triggered and understand its purpose +2. Investigate the affected endpoint (log.syslogHost) for additional suspicious activity +3. Check if the same custom rule has triggered on other endpoints +4. Verify if the detection is a false positive based on the custom rule''s logic +5. If legitimate threat activity, initiate incident response procedures +6. 
Consider updating the custom rule if false positives are frequent +', '["https://docs.sentinelone.com/","https://attack.mitre.org/techniques/T1059/"]', '(contains("log.eventDescription", ["custom rule", "custom detection", "Custom Rules"]) || + equals("log.detectionSource", "CustomRule") || + equals("log.ruleType", "Custom")) && +exists("log.syslogHost") +', '2026-02-09 16:29:50.250725', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","lastEvent.log.syslogHost"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (74, 'Deep Visibility Threat Indicators', 3, 3, 2, 'Defense Evasion', 'T1070 - Indicator Removal on Host', 'Detects advanced threat indicators through SentinelOne''s deep visibility monitoring. This rule triggers when specific threat-related events are detected in the SentinelOne logs. + +Next Steps: +1. Review the event description to understand the specific threat indicator +2. Check the affected host (syslogHost) for signs of compromise +3. Investigate any associated user accounts (sourceUser, destinationUser) +4. Review source IP addresses for suspicious origins +5. Check if this is part of a larger attack campaign +6. 
Consider isolating the affected endpoint if threat is confirmed +', '["https://www.sentinelone.com/blog/rapid-threat-hunting-with-deep-visibility-feature-spotlight/","https://attack.mitre.org/techniques/T1070/"]', 'exists("log.eventDescription") && +( + contains("log.eventDescription", ["malware detected", "threat detected", "malicious file", "malicious process", + "exploit detected", "ransomware detected", "trojan detected", "backdoor detected", "rootkit detected", + "cryptominer detected", "worm detected", "spyware detected"]) || + (contains("log.eventDescription", "threat") && oneOf("log.threatClassification", ["Malware", "Exploit", "Ransomware", "Trojan", "PUP"])) || + (contains("log.eventDescription", "malicious") && exists("log.threatId")) +) && +exists("log.syslogHost") +', '2026-02-09 16:29:50.391111', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","lastEvent.log.syslogHost"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (75, 'SentinelOne Endpoint Detection and Response (EDR) Alerts', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Critical EDR alerts from SentinelOne including suspicious endpoint activities, unauthorized system changes, malicious command execution, and advanced persistent threat (APT) indicators. These alerts indicate potential security incidents that require immediate investigation. + +Next Steps: +1. Identify the affected endpoint(s) and user accounts involved +2. Review the specific threat details and indicators of compromise (IoCs) +3. Check for any lateral movement or persistence mechanisms +4. Isolate the affected endpoint(s) if necessary +5. Collect forensic data and memory dumps if required +6. 
Review related security events from the same host in the last 24-48 hours +7. Verify if the detected activity is legitimate or false positive +8. If confirmed malicious, initiate incident response procedures +9. Update security controls and detection rules based on findings +10. Document the incident and lessons learned +', '["https://www.sentinelone.com/platform/edr/","https://attack.mitre.org/techniques/T1059/","https://attack.mitre.org/techniques/T1547/"]', '( + regexMatch("log.eventDescription", "(?i)(edr|endpoint detection|endpoint alert|endpoint threat|endpoint incident|suspicious endpoint|compromised endpoint|endpoint breach|endpoint attack)") || + regexMatch("log.message", "(?i)(edr alert|endpoint response|incident response|threat response)") +) && +( + regexMatch("log.eventDescription", "(?i)(critical|high|severe|malicious|unauthorized|breach)") || + exists("log.destinationUser") || + exists("log.endpointDeviceName") +) && +exists("log.syslogHost") +', '2026-02-09 16:29:50.520978', true, false, 'origin', null, '[]', '["lastEvent.log.endpointDeviceName","lastEvent.log.syslogHost"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (76, 'SentinelOne IoT Device Compromise Indicator', 3, 3, 2, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects indicators of IoT device compromise including unauthorized firmware modifications, suspicious network behavior from IoT devices, or anomalous IoT device activity patterns detected by SentinelOne''s Singularity Ranger. This rule triggers when IoT-related threats are identified including compromised embedded systems, firmware backdoors, industrial control system attacks, or SCADA system compromises. + +Next Steps: +1. 
Isolate the affected IoT device immediately to prevent lateral movement +2. Review device logs and network traffic to identify the initial compromise vector +3. Check for firmware modifications or unauthorized configuration changes +4. Verify if other IoT devices on the same network segment show similar indicators +5. Update device firmware to latest secure version if available +6. Consider factory reset and reconfiguration if compromise is confirmed +7. Review network segmentation to ensure IoT devices are properly isolated +8. Implement additional monitoring for IoT device communications +', '["https://www.sentinelone.com/platform/singularity-ranger/","https://attack.mitre.org/techniques/T1203/"]', 'exists("log.eventDescription") && +contains("log.eventDescription", ["iot", "embedded", "firmware", + "industrial", "scada", "ics", "plc"]) && +contains("log.eventDescription", ["compromise", "malicious", + "backdoor", "botnet", "exploit", "infection"]) && +exists("log.endpointDeviceName") +', '2026-02-09 16:29:50.665659', true, false, 'origin', null, '[]', '["lastEvent.log.endpointDeviceName","lastEvent.log.eventDescription"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (77, 'Kernel-Level Threat Detection', 3, 3, 3, 'Privilege Escalation', 'T1068 - Exploitation for Privilege Escalation', 'Detects kernel-level threats including rootkits, kernel exploits, driver manipulation, and other low-level system attacks that attempt to compromise the operating system kernel. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent lateral movement +2. Verify the threat detection in SentinelOne console and check threat details +3. 
Run a full system scan on the affected endpoint +4. Check for persistence mechanisms and suspicious kernel modules/drivers +5. Review system logs for any unauthorized kernel-level changes or driver installations +6. If rootkit is confirmed, consider reimaging the system after forensic data collection +7. Update endpoint protection signatures and kernel protection modules +', '["https://attack.mitre.org/techniques/T1068/","https://attack.mitre.org/techniques/T1014/"]', 'regexMatch("log.eventDescription", "(?i)(kernel|rootkit|driver|ring.?0|system.?level)") && +contains("log.eventDescription", ["threat", "malicious", "exploit", "compromise", + "detect", "block", "prevent", "isolate"]) +', '2026-02-09 16:29:50.790849', true, false, 'origin', null, '[]', '["lastEvent.log.eventDescription","lastEvent.log.syslogHost"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (78, 'Memory Injection Detection', 3, 3, 2, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects memory injection attempts including DLL injection, process hollowing, reflective DLL injection, and other in-memory attack techniques detected by SentinelOne. + +Next Steps: +1. Immediately isolate the affected system to prevent lateral movement +2. Identify the injected process and the target process from the alert details +3. Check for persistence mechanisms on the affected system +4. Review SentinelOne console for additional threat indicators and related events +5. Collect memory dump if possible for forensic analysis +6. Check if the injection technique matches known threat actor TTPs +7. Review network connections from the affected system for C2 communication +8. 
Ensure SentinelOne remediation actions have been applied successfully
+', '["https://attack.mitre.org/techniques/T1055/","https://attack.mitre.org/techniques/T1055/001/"]', 'regexMatch("log.eventDescription", "(?i)(memory.injection|dll.injection|process.injection|reflective.dll|process.hollow|code.injection|thread.hijack|injection.detected|malicious.injection)") ||
+regexMatch("log.eventDescToParse", "(?i)(memory.injection|dll.injection|process.injection|reflective.dll|process.hollow|code.injection|thread.hijack|injection.detected|malicious.injection)")
+', '2026-02-09 16:29:50.930852', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (79, 'SentinelOne Rollback Operation Patterns Detection', 2, 3, 3, 'Impact', 'T1490 - Inhibit System Recovery', 'Detects rollback operations in SentinelOne that may indicate ransomware recovery attempts or suspicious rollback activity. Rollback operations are critical system recovery events that should be monitored for both legitimate recovery and potential abuse scenarios.
+
+Next Steps:
+1. Verify if the rollback operation was authorized by checking with the system administrator
+2. Check if there were any ransomware or malware detections on the affected system prior to the rollback
+3. Review the system logs to understand what changes were rolled back
+4. Confirm the identity of the user who initiated the rollback operation
+5. If unauthorized, investigate potential system compromise and consider isolating the affected endpoint
+6. 
Document the rollback operation and its justification for compliance purposes
+', '["https://www.cybervigilance.uk/insights/sentinelone-how-does-rollback-work","https://attack.mitre.org/techniques/T1490/"]', 'regexMatch("log.eventDescription", ".*[Rr]ollback.*") && (equals("log.activityType", "rollback") || exists("log.rollbackStatus") || equals("log.cat", "SystemEvent"))', '2026-02-09 16:29:51.066689', true, false, 'origin', null, '[]', '["lastEvent.log.endpointDeviceName","lastEvent.log.syslogHost"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (80, 'SentinelOne Suspicious Exclusion Addition', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects suspicious additions to SentinelOne exclusion or allowlist entries, which attackers abuse to prevent detection of their malware or tools after gaining console access.
+
+Next Steps:
+1. Review the specific exclusion or allowlist entry that was added
+2. Identify the administrator who made the change
+3. Check if the excluded path or hash corresponds to known malware
+4. Verify the change through change management records
+5. Remove unauthorized exclusions immediately
+6. Audit the admin account for compromise indicators
+7. 
Scan endpoints for threats in previously excluded locations
+', '["https://support.sentinelone.com/","https://attack.mitre.org/techniques/T1562/001/"]', '((contains("log.eventDescription", "exclusion") || contains("log.eventDescription", "allowlist") ||
+ contains("log.eventDescription", "whitelist") || contains("log.eventDescription", "exception")) &&
+ (contains("log.eventDescription", "added") || contains("log.eventDescription", "created") ||
+ contains("log.eventDescription", "modified"))) ||
+oneOf("log.activityType", ["exclusion_created", "whitelist_created", "exclusion_modified"])
+', '2026-02-09 16:29:51.216052', true, false, 'origin', null, '[]', '["lastEvent.log.activityType","adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (189, 'AWS Config Service Tampering', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies attempts to delete an AWS Config Service resource. 
An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html","https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"]', 'equals("log.eventSource", "config.amazonaws.com") &&
+oneOf("log.eventName", ["DeleteConfigRule", "DeleteOrganizationConfigRule",
+"DeleteConfigurationAggregator", "DeleteConfigurationRecorder",
+"DeleteConformancePack", "DeleteOrganizationConformancePack",
+"DeleteDeliveryChannel", "DeleteRemediationConfiguration",
+"DeleteRetentionConfiguration"])
+', '2026-02-09 16:32:22.626343', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (83, 'Suspicious Process Tree Analysis', 3, 3, 1, 'Defense Evasion, Privilege Escalation', 'T1055 - Process Injection', 'Detects suspicious process tree patterns identified by SentinelOne, including unusual parent-child relationships, process hollowing, and malicious process chains commonly used in attacks.
+
+Next Steps:
+1. Review the process tree details in the SentinelOne console to understand the parent-child relationships
+2. Identify the affected host from log.syslogHost and the user account from log.destinationUser
+3. Check if the process chain is associated with legitimate software or administrative activity
+4. Look for indicators of process injection, hollowing, or other malicious techniques
+5. Investigate other recent process creation events on the same host
+6. 
If confirmed malicious, isolate the endpoint and terminate the suspicious processes
+7. Review the threat storyline in SentinelOne for full attack context
+8. Collect memory dumps if advanced analysis is required
+', '["https://attack.mitre.org/techniques/T1055/","https://attack.mitre.org/techniques/T1057/"]', '(contains("log.eventDescription", ["process tree", "parent", "process chain",
+ "process spawn", "suspicious process", "abnormal process", "process anomaly"]) ||
+ contains("log.threatName", ["process", "injection", "hollow"]) ||
+ contains("log.mitigationMode", "process")) &&
+exists("log.syslogHost")
+', '2026-02-09 16:29:51.656042', true, false, 'origin', null, '[]', '["lastEvent.log.syslogHost","lastEvent.log.threatId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (84, 'SentinelOne Suspicious Script Execution Detected', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects suspicious script execution activities including PowerShell, Python, Bash, or other scripting interpreters that may indicate malicious activity or fileless attacks. SentinelOne''s behavioral detection engine identifies these patterns as potential threats that could compromise system integrity.
+
+Next Steps:
+1. Review the specific script or command that triggered the alert in the SentinelOne console
+2. Check if the script execution is authorized and part of normal operations
+3. Investigate the process tree to understand the parent process and execution chain
+4. Look for encoded or obfuscated commands within the script content
+5. Check for persistence mechanisms or scheduled tasks created by the script
+6. 
Review network connections initiated by the script process
+7. If confirmed malicious, isolate the affected endpoint and perform threat hunting across the environment
+', '["https://www.sentinelone.com/platform/singularity-cloud-workload-security/","https://attack.mitre.org/techniques/T1059/"]', 'exists("log.eventDescription") &&
+(
+ contains("log.eventDescription", ["malicious script", "suspicious script", "fileless attack", "suspicious process"]) ||
+ (contains("log.eventDescription", ["powershell", "cmd.exe", "bash", "python", "wscript", "cscript"]) &&
+ contains("log.eventDescription", ["encoded", "obfuscated", "download", "bypass", "invoke", "hidden", "base64", "exploit"]))
+) &&
+exists("log.endpointDeviceName")
+', '2026-02-09 16:29:51.810914', true, false, 'origin', null, '[]', '["lastEvent.log.endpointDeviceName","lastEvent.log.eventDescription"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (85, 'Threat Intelligence Matches', 2, 2, 2, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects matches against threat intelligence feeds including known malicious hashes, IPs, domains, and behavioral patterns associated with APT groups and cybercrime campaigns. This indicates that SentinelOne has identified a file, behavior, or network connection that matches known threat indicators.
+
+Next Steps:
+1. Immediately isolate the affected endpoint to prevent lateral movement
+2. Review the threat intelligence match details to understand the specific indicator that was matched
+3. Check if the same hash or threat indicator has been seen on other endpoints
+4. Investigate the process tree and parent processes that led to this detection
+5. 
Review network connections from the affected host for potential C2 communications
+6. If a file hash match, search for the same hash across all endpoints
+7. Contact threat intelligence team for additional context on the matched indicator
+8. Preserve forensic evidence before remediation
+9. Review file reputation scores and threat classification details
+10. Analyze the timeline of events leading to the threat intelligence match
+11. Check for any related indicators of compromise (IoCs) in the environment
+12. Verify if this is a false positive by cross-referencing with other security tools
+', '["https://www.sentinelone.com/blog/decrypting-sentinelone-cloud-detection-the-threat-intelligence-engine-in-real-time-cwpp/","https://attack.mitre.org/techniques/T1203/"]', 'exists("log.externalthreatvalue") || (exists("log.filecontenthash") && greaterOrEqual("log.confidencelevel", 90)) || contains("log.dveventtype", "threat_intel") || contains("log.eventDescription", "reputation")', '2026-02-09 16:29:51.946540', true, false, 'origin', null, '[]', '["lastEvent.log.externalthreatvalue","lastEvent.log.filecontenthash","lastEvent.log.syslogHost"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (86, 'SentinelOne Threat Mitigation Failures', 2, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects failed threat mitigation attempts in SentinelOne, which could indicate advanced malware evading remediation, system compromise preventing cleanup, or configuration issues. Failed mitigations require immediate investigation.
+
+Next Steps:
+1. Immediately isolate the affected endpoint to prevent potential spread
+2. 
Review the specific threat details and mitigation failure reason in SentinelOne console
+3. Check if the agent has the latest version and policies are up to date
+4. Verify system integrity - check for rootkits or system-level compromise
+5. Consider manual remediation using SentinelOne''s threat hunting capabilities
+6. If persistent failures occur, engage incident response team for deep forensic analysis
+7. Document the threat indicators for future detection improvements
+', '["https://support.sentinelone.com/hc/en-us/articles/360004195934-Threat-Mitigation-Status","https://attack.mitre.org/techniques/T1562/"]', '(contains("log.eventDescription", "mitigation") && contains("log.eventDescription", "fail")) ||
+(contains("log.eventDescription", "remediation") && contains("log.eventDescription", "fail")) ||
+contains("log.mitigationStatus", "fail") ||
+equals("log.threatStatus", "mitigation_failed") ||
+(equals("log.activityType", "mitigation") && equals("log.status", "failed"))
+', '2026-02-09 16:29:52.081163', true, false, 'origin', null, '[]', '["lastEvent.log.agentId","lastEvent.log.threatId"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (100, 'Meraki IDS High Priority Intrusion Alert', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects high and medium priority intrusion detection alerts from Meraki IDS/IPS system. These alerts indicate potential exploitation attempts, malicious traffic patterns, or known attack signatures detected by the Snort engine.
+
+Next Steps:
+1. Review the specific signature that triggered the alert and assess its severity
+2. Investigate the source IP for additional malicious activity or reputation
+3. 
Check if the destination system shows signs of compromise
+4. Verify if this is part of a larger attack campaign by correlating with other security events
+5. Consider blocking the source IP if confirmed malicious
+6. Review firewall rules and IPS signatures for potential tuning
+7. Document the incident and update threat intelligence feeds if applicable
+', '["https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples","https://attack.mitre.org/techniques/T1190/"]', 'equals("log.eventType", "security_event") &&
+equals("log.alertType", "ids_alerted") &&
+lessOrEqual("log.priority", 2) &&
+exists("origin.ip") &&
+exists("target.ip")
+', '2026-02-09 16:30:30.231345', true, false, 'origin', null, '[]', '["lastEvent.log.signature","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (87, 'Botnet Command and Control Traffic Detected', 3, 2, 1, 'Command and Control', 'T1071 - Application Layer Protocol', 'Detects botnet command and control traffic identified by Cisco ASA''s dynamic filter/botnet database. Message IDs 338001-338002 indicate blacklisted traffic from/to malicious addresses. This could indicate compromised hosts communicating with known botnet infrastructure.
+
+Next Steps:
+1. Immediately isolate the affected host(s) to prevent further communication with C2 infrastructure
+2. Review the source IP address (origin.ip) to identify the compromised internal host
+3. Check the destination IP/domain against threat intelligence sources to confirm malicious nature
+4. Examine other logs from the affected host for signs of initial compromise or lateral movement
+5. 
Run full antivirus/anti-malware scans on the affected system
+6. Review DNS logs for additional suspicious queries from the same host
+7. Check for any data exfiltration attempts or unusual outbound traffic patterns
+8. Consider reimaging the affected system if compromise is confirmed
+', '["https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/asa-botnet.pdf","https://attack.mitre.org/techniques/T1071/"]', 'oneOf("log.messageId", ["338001", "338002"])
+|| regexMatch("log.message", "botnet.*(detected|blocked|dropped)")
+|| contains("log.message", "dynamic filter blacklisted")
+|| contains("log.message", "malicious address")
+', '2026-02-09 16:30:28.066072', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (88, 'IPS Signature Match - Malicious Pattern Detected', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects when ASA IPS features identify malicious patterns in network traffic. Message ID 108003 indicates ESMTP/SMTP connections terminated due to malicious patterns. Also monitors for general IPS/IDS signature matches and threat intelligence hits.
+
+Next Steps:
+1. Review the specific IPS signature that was triggered and understand its severity
+2. Investigate the source IP address for reputation and previous malicious activity
+3. Check if the target system shows any signs of compromise
+4. Review firewall logs for any successful connections from the same source
+5. Consider blocking the source IP if multiple signatures are triggered
+6. Verify that IPS signatures are up-to-date
+7. 
Document the incident and any actions taken
+', '["https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html","https://attack.mitre.org/techniques/T1190/"]', 'equals("log.messageId", "108003")
+|| (contains("log.message", "malicious pattern") && contains("log.message", ["detected", "terminated", "blocked"]))
+|| (contains("log.message", "IPS") && contains("log.message", "signature") && contains("log.message", ["matched", "triggered", "detected"]))
+|| oneOf("log.action", ["ips_alert", "ids_alert", "threat_detected"])
+', '2026-02-09 16:30:28.342799', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (89, 'ARP Poisoning Attack Detection', 3, 3, 2, 'Credential Access, Collection', 'T1557.002 - Adversary-in-the-Middle: ARP Cache Poisoning', 'Detects potential ARP poisoning attacks by monitoring for invalid ARP packets, DHCP snooping violations, and gratuitous ARP abuse. These attacks can enable man-in-the-middle attacks by corrupting the ARP cache of network devices and redirecting network traffic through an attacker-controlled system.
+
+Next Steps:
+1. Identify the source MAC and IP addresses involved in the suspicious ARP activity
+2. Check if the source device is authorized to be on the network segment
+3. Review DHCP snooping and dynamic ARP inspection logs for additional violations
+4. Verify if legitimate network changes (new devices, IP changes) may have triggered the alert
+5. 
If confirmed malicious, immediately isolate the affected switch port and investigate the compromised device
+6. Review network traffic for signs of data interception, credential harvesting, or traffic redirection
+7. Update switch security configurations (enable port security, DHCP snooping, DAI if not already enabled)
+8. Consider implementing additional network segmentation to limit attack impact
+', '["https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html","https://attack.mitre.org/techniques/T1557/002/"]', '(equals("log.facility", "SW_DAI") && oneOf("log.facilityMnemonic", ["INVALID_ARP", "DHCP_SNOOPING_DENY", "ACL_DENY"]))
+|| (equals("log.facility", "IP") && oneOf("log.facilityMnemonic", ["DUPADDR", "SOURCEGUARD"]))
+|| contains("log.message", ["invalid arp", "arp inspection drop", "dhcp snooping deny", "gratuitous arp", "arp reply not request", "duplicate ip address", "IP source guard deny", "arp packet validation failed"])
+|| (lessOrEqual("log.severity", 3) && contains("log.message", ["arp spoofing", "arp poison", "man in the middle"]))
+', '2026-02-09 16:30:28.510824', true, false, 'origin', null, '[{"indexPattern":"v11-log-cisco-switch-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-10m","count":5}]', '["adversary.ip","adversary.mac"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (90, 'MAC Address Spoofing Detection', 2, 3, 1, 'Initial Access', 'MAC Spoofing', 'Detects potential MAC address spoofing attempts by monitoring for MAC address flapping between ports, duplicate MAC addresses, or MAC addresses appearing on unexpected ports. 
This could indicate an attacker attempting to impersonate legitimate devices.
+
+Next Steps:
+1. Identify the affected MAC address and ports involved in the flapping
+2. Check if the MAC address belongs to a legitimate device that may be moving between ports
+3. Review switch logs for any unauthorized configuration changes
+4. Verify if port security or dynamic ARP inspection is properly configured
+5. Investigate the source device and check for signs of ARP spoofing tools
+6. Consider implementing port security to limit MAC addresses per port
+7. Enable DHCP snooping and dynamic ARP inspection if not already configured
+', '["https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html","https://attack.mitre.org/techniques/T1200/"]', '(equals("log.facility", "SW_MATM") && equals("log.facilityMnemonic", "MACFLAP_NOTIF"))
+|| (equals("log.facility", "SW_DAI") && oneOf("log.facilityMnemonic", ["INVALID_ARP", "DHCP_SNOOPING_DENY"]))
+|| regexMatch("log.message", "(?i)(mac.*flap|duplicate.*mac|mac.*move.*between.*port)")
+|| regexMatch("log.message", "(?i)(Host [0-9a-fA-F:.]+.*is flapping between port)")
+|| (lessOrEqual("log.severity", 4) && regexMatch("log.message", "(?i)(mac.*address.*conflict|duplicate.*address.*detected)"))
+', '2026-02-09 16:30:28.645936', true, false, 'origin', null, '[{"indexPattern":"v11-log-cisco-switch-*","with":[{"field":"origin.mac","operator":"filter_term","value":"{{origin.mac}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.mac"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (112, 'Azure AD Anomalous Token Detection', 3, 2, 1, 'Credential Access', 'T1528 - Steal Application 
Access Token', 'Detects Azure Identity Protection alerts for anomalous tokens with unusual lifetime, unfamiliar locations, or other suspicious properties. These indicate potential token theft or manipulation.
+
+Next Steps:
+1. Review the token properties that triggered the anomaly detection
+2. Check the user''s recent sign-in activity for suspicious patterns
+3. Verify the source IP and device used for the authentication
+4. Check for impossible travel or unfamiliar location patterns
+5. If compromise is suspected, revoke all refresh tokens for the user
+6. Force MFA re-registration if MFA token was compromised
+7. Review conditional access policies for token protection gaps
+', '["https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1528/"]', 'contains("log.operationName", "Anomalous Token") ||
+(contains("log.properties", "riskEventType") && contains("log.properties", "anomalousToken"))
+', '2026-02-09 16:31:14.845619', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (91, 'Multiple Failed VPN Authentication Attempts', 3, 2, 1, 'Credential Access', 'T1110 - Brute Force', 'Detects multiple failed VPN authentication attempts from the same source IP address, which could indicate a brute force attack or password guessing attempt against VPN credentials. 
+
+Next Steps:
+- Review the source IP address and check if it is known or authorized
+- Check for successful authentication attempts from the same IP after failed attempts
+- Verify if the targeted user accounts exist and are active
+- Consider temporarily blocking the source IP if attack continues
+- Review VPN access logs for any unusual patterns or other indicators
+- Contact the user if the IP is associated with a legitimate user to verify activity
+', '["https://attack.mitre.org/techniques/T1110/","https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html"]', '(equals("log.messageId", "113015") ||
+ equals("log.messageId", "113021") ||
+ equals("log.messageId", "109034") ||
+ equals("log.messageId", "611102")) &&
+exists("origin.ip") &&
+(regexMatch("log.reason", "(?i)(invalid|failed|rejected|authentication)") ||
+ regexMatch("log.message", "(?i)(authentication.*failed|invalid.*password)"))
+', '2026-02-09 16:30:28.806480', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.messageId","operator":"filter_term","value":"113015"}],"or":[{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.messageId","operator":"filter_term","value":"113021"}],"or":null,"within":"now-15m","count":10},{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.messageId","operator":"filter_term","value":"109034"}],"or":null,"within":"now-15m","count":10},{"indexPattern":"v11-log-firewall-cisco-asa-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.messageId","operator":"filter_term","value":"611102"}],"or":null,"within":"now-15m","count":10}],"within":"now-15m","count":10}]', '["adversary.ip","adversary.user"]');
+insert into 
public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (92, 'VLAN Hopping Attack Detection', 3, 3, 2, 'Defense Evasion', 'T1599 - Network Boundary Bridging', 'Detects potential VLAN hopping attacks through switch spoofing or double tagging. Monitors for DTP negotiation attempts, trunk port changes, or multiple VLAN tags that could indicate an attacker trying to gain unauthorized access to other VLANs.
+
+Next Steps:
+1. Immediately identify the affected switch port and connected device
+2. Review switch configuration for DTP enabled ports and disable where not needed
+3. Check trunk port configurations and ensure proper native VLAN settings
+4. Verify VLAN access lists and ensure proper segmentation
+5. Investigate the source MAC address for any previous suspicious activity
+6. Review network topology to assess potential lateral movement paths
+7. Consider implementing VLAN ACLs or private VLANs for additional protection
+8. 
Document the incident and update switch hardening procedures
+', '["https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html","https://attack.mitre.org/techniques/T1599/"]', '(equals("log.facility", "SW_VLAN") && oneOf("log.facilityMnemonic", ["VLAN_INCONSISTENCY", "MACFLAP_NOTIF", "TRUNK_MODE_CHANGE"]))
+|| (equals("log.facility", "DTP") && oneOf("log.facilityMnemonic", ["NONTRUNKPORTON", "DOMAINMISMATCH", "TRUNKPORTON"]))
+|| regexMatch("log.message", "(?i)(received 802.1Q BPDU on non trunk|native vlan mismatch|inconsistent vlan|double tag)")
+|| (lessOrEqual("log.severity", 4) && regexMatch("log.message", "(?i)(vlan.*tag.*tag|switch.*spoofing|dtp.*negotiation)"))
+', '2026-02-09 16:30:29.021128', true, false, 'origin', null, '[]', '["adversary.ip","adversary.mac"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (93, 'Advanced Malware Protection (AMP) Alert Detection', 3, 3, 2, 'Initial Access', 'T1566 - Phishing', 'Detects when Cisco Firepower Advanced Malware Protection (AMP) identifies malware or malicious files, including retrospective detections and high threat score files. This rule triggers on various malware dispositions including confirmed malware, custom detections, retrospective malware (files later identified as malicious), and files with high threat scores (>=70).
+
+Next Steps:
+1. Identify the affected host using the origin.ip and log.deviceName fields
+2. Review the file hash (log.sha256) in threat intelligence databases
+3. Check if the malware was successfully blocked or if remediation is needed
+4. Look for lateral movement attempts from the affected host
+5. 
Verify if other hosts accessed the same malicious file
+6. Consider isolating the affected system if malware execution is confirmed
+7. Review the file trajectory to understand the infection vector
+8. Update endpoint protection rules to prevent similar infections
+', '["https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_malware_events_and_network_file_trajectory.html","https://attack.mitre.org/techniques/T1566/"]', 'equals("log.eventType", "MALWARE_EVENT") &&
+(equals("log.disposition", "MALWARE") ||
+ equals("log.disposition", "CUSTOM_DETECTION") ||
+ equals("log.disposition", "RETROSPECTIVE_MALWARE") ||
+ greaterOrEqual("log.threatScore", 70))
+', '2026-02-09 16:30:29.155770', true, false, 'origin', null, '[]', '["lastEvent.log.sha256","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (94, 'Intrusion Prevention System High Priority Events', 3, 3, 3, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects high priority IPS events from Cisco Firepower indicating potential exploitation attempts, zero-day attacks, or critical vulnerabilities being targeted. These events represent immediate threats that require urgent investigation.
+
+Next Steps:
+1. Immediately isolate the affected system if the attack was successful
+2. Review the specific signature ID and classification to understand the attack vector
+3. Check if the target system shows signs of compromise (unusual processes, network connections, file modifications)
+4. Analyze firewall logs to determine if the attack was blocked or if any malicious traffic passed through
+5. 
Search for similar attempts from the same source IP across other systems +6. Update IPS signatures and ensure all systems are patched against the exploited vulnerability +7. Consider blocking the source IP if it shows persistent malicious behavior +8. Document the incident and update security controls based on findings +', '["https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/intrusion-overview.html","https://attack.mitre.org/techniques/T1203/"]', 'equals("log.eventType", "IPS_EVENT") && +(equals("log.priority", 1) || + lessOrEqual("log.severity", 2) || + equals("log.impact", "HIGH") || + contains("log.classification", "attempted-admin") || + contains("log.classification", "attempted-user") || + contains("log.classification", "web-application-attack") || + contains("log.classification", "exploit-kit")) +', '2026-02-09 16:30:29.271077', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (101, 'Meraki Client VPN Brute Force Attempts', 3, 2, 1, 'Credential Access', 'T1110 - Brute Force', 'Detects multiple failed client VPN authentication attempts from the same source IP on Meraki MX appliances, indicating potential brute force attacks against VPN credentials. + +Next Steps: +1. Review the source IP address and check geographic location +2. Verify if the targeted user account exists and is active +3. Check for any successful VPN connections from the same IP +4. Consider blocking the source IP at the MX appliance +5. Review VPN authentication settings and ensure MFA is enabled +6. 
Notify the targeted user if the account is legitimate +', '["https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview","https://attack.mitre.org/techniques/T1110/"]', '(oneOf("log.eventType", ["vpn_auth_failure", "client_vpn_auth_failure"]) || + (contains("log.message", "VPN") && contains("log.message", ["auth fail", "authentication failed", "invalid credentials"]))) && +exists("origin.ip") +', '2026-02-09 16:30:30.391049', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-meraki-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":10}]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (95, 'Firepower IOC (Indicator of Compromise) Detection', 3, 3, 2, 'Initial Access', 'T1566 - Phishing', 'Detects when Firepower identifies an Indicator of Compromise (IOC), indicating a host may be infected with malware or compromised. IOCs can include file hashes, malware signatures, or behavioral patterns that suggest malicious activity. + +Next Steps: +1. Immediately isolate the affected host from the network to prevent lateral movement +2. Review the specific IOC details including threat name, SHA256 hash, and file path +3. Search for the same IOC across other endpoints in your environment +4. Check if the affected host has made any suspicious network connections recently +5. Collect memory dumps and disk images for forensic analysis if required +6. Review user activity logs to identify potential initial compromise vector +7. Update antivirus signatures and threat intelligence feeds with new IOC data +8. 
Perform deep scan of the affected system and related network segments +9. Consider reimaging the affected system after complete evidence collection +10. Update security controls to prevent similar future compromises +', '["https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_malware_events_and_network_file_trajectory.html","https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1566/"]', '(equals("log.eventType", "AMP_IOC") || equals("log.eventType", "IOC_DETECTED") || contains("log.message", "indication of compromise") || contains("log.message", "IOC")) && exists("origin.ip") && (exists("log.threatName") || exists("log.sha256") || exists("log.fileName"))', '2026-02-09 16:30:29.425739', true, false, 'origin', null, '[]', '["adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (96, 'Threat Intelligence Director (TID) Alert Detection', 3, 3, 2, 'Command and Control', 'T1071.001 - Application Layer Protocol: Web Protocols', 'Detects when Cisco Firepower Threat Intelligence Director identifies connections to known malicious indicators including IPs, domains, URLs, and SHA256 hashes from threat feeds. This rule triggers when TID blocks or would block connections based on threat intelligence matches with high confidence scores. 
+ +Next Steps: +- Immediately isolate the affected system if the connection was not blocked +- Review the specific threat indicator (IP/domain/URL/hash) that triggered the alert +- Check the threat category and score to understand the severity +- Investigate all recent network activity from the source IP address +- Search for similar indicators across other systems in the network +- Review endpoint logs for signs of malware or suspicious processes +- If a file hash triggered the alert, locate and quarantine the file +- Check if other systems have communicated with the same malicious indicator +- Update firewall rules to ensure the indicator is blocked network-wide +- Report the incident to the security team for further investigation +', '["https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/tid_overview.html","https://attack.mitre.org/techniques/T1071/"]', 'equals("log.eventType", "TID_EVENT") && +(equals("log.action", "BLOCK") || + equals("log.action", "WOULD_BLOCK") || + exists("log.tidIndicatorType")) && +(exists("log.tidCategory") || + greaterOrEqual("log.threatScore", 80)) +', '2026-02-09 16:30:29.586003', true, false, 'origin', null, '[]', '["lastEvent.log.tidIndicator","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (97, 'Command and Control on Non-Standard Ports', 3, 2, 1, 'Command and Control', 'T1571 - Non-Standard Port', 'Detects connections on non-standard ports that may indicate command and control (C2) communication. Identifies HTTP traffic on non-HTTP ports, encrypted traffic on unexpected ports, and application protocol mismatches detected by Firepower''s application identification engine. 
+ +Next Steps: +1. Investigate the internal host initiating the suspicious connection +2. Review the destination IP against threat intelligence feeds +3. Analyze the application identification results for protocol anomalies +4. Check if the destination port is commonly used for C2 frameworks +5. Examine the connection duration and data transfer patterns +6. Consider blocking the destination IP and scanning the internal host +', '["https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/connection-log-fields.html","https://attack.mitre.org/techniques/T1571/"]', 'exists("log.appProto") && +exists("origin.ip") && +exists("target.ip") && +((contains("log.appProto", "HTTP") && !oneOf("target.port", [80, 443, 8080, 8443, 8000, 8888])) || + (contains("log.appProto", "SSL") && !oneOf("target.port", [443, 8443, 993, 995, 465, 636])) || + equals("log.appProto", "unknown-tcp")) && +equals("log.initiatorPackets", true) +', '2026-02-09 16:30:29.766810', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-cisco-firepower-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"target.ip","operator":"filter_term","value":"{{target.ip}}"}],"or":null,"within":"now-1h","count":5}]', '["adversary.ip","target.ip","target.port"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (98, 'Meraki Advanced Malware Protection Alert', 3, 3, 2, 'Execution', 'T1204.002 - User Execution: Malicious File', 'Detects when Meraki Advanced Malware Protection (AMP) identifies malicious files being downloaded or executed on the network. 
This includes retrospective alerts where files previously considered safe are later identified as malicious. + +Next Steps: +1. Immediately isolate the affected system(s) from the network to prevent lateral movement +2. Review the malware details including file hash, name, and threat severity in the Meraki dashboard +3. Check if the malicious file was executed or only downloaded +4. Scan other systems for the same file hash to identify additional infections +5. Review network traffic logs from the affected IP for suspicious communications +6. If file was executed, perform full system scan and consider reimaging the affected device +7. Update endpoint protection signatures and ensure all systems are patched +8. Document the incident and update security policies if needed +', '["https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Advanced_Malware_Protection_(AMP)","https://attack.mitre.org/techniques/T1204/002/"]', 'equals("log.eventType", "security_event") && +(contains("log.message", "malware") || + contains("log.message", "AMP") || + contains("log.message", "malicious") || + equals("log.action", "malware_blocked") || + contains("log.eventName", "Advanced Malware Protection")) && +exists("origin.ip") +', '2026-02-09 16:30:29.926286', true, false, 'origin', null, '[]', '["adversary.hostname","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (99, 'Air Marshal Rogue Access Point Detection', 3, 3, 2, 'Initial Access', 'T1200 - Hardware Additions', 'Detects when Meraki Air Marshal identifies rogue access points or unauthorized SSIDs in the wireless environment. 
This could indicate malicious wireless infrastructure attempting to intercept traffic or perform man-in-the-middle attacks. + +Next Steps: +1. Verify if the detected BSSID and SSID are known legitimate access points that may not be properly registered +2. Check the RSSI value to determine proximity - higher values indicate the rogue AP is closer to your infrastructure +3. Use wireless scanning tools to physically locate the rogue access point using the BSSID +4. Review network traffic logs for any suspicious connections to unknown wireless networks +5. Check if any sensitive data might have been exposed through connections to the rogue AP +6. Consider implementing MAC address filtering or 802.1X authentication to prevent unauthorized connections +7. Document the incident and update the wireless security policy if needed +', '["https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal","https://attack.mitre.org/techniques/T1200/"]', 'equals("log.eventType", "airmarshal_events") && +equals("log.type", "rogue_ssid_detected") && +exists("log.bssid") && +greaterOrEqual("log.rssi", -50) +', '2026-02-09 16:30:30.091477', true, false, 'origin', null, '[]', '["adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (102, 'Evil Twin Access Point Detection', 3, 3, 1, 'Wireless Security', 'T1557 - Adversary-in-the-Middle', 'Detects evil twin attacks where a rogue access point mimics a legitimate corporate SSID to intercept wireless traffic. Meraki Air Marshal identifies spoofed SSIDs that match corporate network names but originate from unauthorized hardware. + +Next Steps: +1. Verify the detected SSID against authorized access point inventory +2. 
Check the BSSID (MAC address) against known Meraki access points +3. Use Air Marshal containment features to prevent client connections +4. Physically locate the rogue AP using signal strength triangulation +5. Check if any clients have connected to the rogue AP +6. Review network traffic from affected clients for signs of credential theft +', '["https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal","https://attack.mitre.org/techniques/T1557/"]', 'equals("log.eventType", "airmarshal_events") && +(equals("log.type", "ssid_spoofing") || + equals("log.type", "rogue_ssid_detected") || + (contains("log.message", "SSID Spoofing") || contains("log.message", "Evil Twin"))) && +exists("log.bssid") +', '2026-02-09 16:30:30.561264', true, false, 'origin', null, '[]', '["lastEvent.log.bssid","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (103, 'Rogue SSID Detection', 3, 3, 2, 'Initial Access', 'T1200 - Hardware Additions', 'Detects when a rogue SSID is identified in the wireless environment. This could indicate an evil twin attack or unauthorized access point deployment attempting to intercept wireless traffic or credentials. + +Next Steps: +1. Immediately investigate the rogue access point''s physical location using the MAC address +2. Check if the rogue SSID name matches legitimate corporate SSIDs (potential evil twin attack) +3. Verify if the rogue AP is broadcasting from an unauthorized location +4. Review wireless client connection logs for any devices that may have connected to the rogue SSID +5. Consider performing a physical sweep of the area to locate and remove the unauthorized device +6. 
Update wireless intrusion detection policies if needed +7. Notify security team and facilities management for potential physical security breach +', '["https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples","https://attack.mitre.org/techniques/T1200/"]', 'equals("log.eventType", "rogue_ssid_detected") || +(equals("log.type", "airmarshal_events") && + equals("log.subtype", "rogue_ssid_detected")) || +(contains("log.message", "rogue") && + contains("log.message", "SSID")) +', '2026-02-09 16:30:30.715429', true, false, 'origin', null, '[]', '["adversary.mac"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (104, 'Wireless Intrusion Attempts', 3, 3, 2, 'Reconnaissance', 'T1595.002 - Active Scanning: Vulnerability Scanning', 'Detects wireless intrusion attempts including deauthentication attacks, association floods, and other wireless-specific attack patterns that could compromise the wireless network integrity. + +Next Steps: +1. Review the wireless access point logs for the affected device +2. Identify the source MAC address and physical location if possible +3. Check for unauthorized devices or rogue access points in the vicinity +4. Verify wireless security configurations and update if necessary +5. Consider implementing additional wireless monitoring and detection capabilities +6. 
Document the incident and update security policies if needed +', '["https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples","https://attack.mitre.org/techniques/T1595/002/"]', 'equals("log.eventType", "wids_alerted") || +(equals("log.type", "airmarshal_events") && + (contains("log.subtype", "attack") || + contains("log.subtype", "flood") || + contains("log.subtype", "deauth"))) || +(contains("log.message", "deauthentication attack") || + contains("log.message", "association flood") || + contains("log.message", "wireless intrusion")) +', '2026-02-09 16:30:30.871093', true, false, 'origin', '["adversary.ip","target.mac"]', '[]', null); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (105, 'Azure AKS Container Security Threat Detection', 3, 3, 2, 'Execution', 'T1610 - Deploy Container', 'Detects suspicious container operations in Azure Kubernetes Service (AKS) including privileged pod creation, container exec commands, and potential container escape attempts. These activities may indicate an attacker attempting to deploy malicious workloads or escape container isolation. + +Next Steps: +1. Review the Kubernetes audit logs for the specific pod or container operation +2. Check if the container image is from an approved registry +3. Verify the service account and RBAC permissions used for the operation +4. Examine pod security context for privileged flags, host network, or host PID access +5. Review the container command for suspicious payloads or reverse shells +6. If unauthorized, delete the pod and investigate the cluster for further compromise +7. Implement Azure Policy for AKS to enforce pod security standards +8. 
Enable Microsoft Defender for Containers for runtime protection +', '["https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction","https://attack.mitre.org/techniques/T1610/"]', '(contains("log.operationName", "Microsoft.ContainerService") || + contains("log.operationName", "MICROSOFT.KUBERNETES")) && +(contains("log.operationName", "write") || + contains("log.operationName", "create") || + contains("log.operationName", "exec")) && +equals("log.resultType", "Success") +', '2026-02-09 16:31:13.707278', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.operationName","operator":"filter_match","value":"Container"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.operationName","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (106, 'Azure AD App Registration with High-Privilege API Permissions', 3, 3, 1, 'Persistence', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects creation of new Azure AD application registrations which may be used to establish persistence with high-privilege API permissions. Attackers create app registrations with permissions like Mail.ReadWrite, Directory.ReadWrite.All, or RoleManagement.ReadWrite.Directory to maintain access. + +Next Steps: +1. Review the application registration and its requested API permissions +2. Verify the creator has authorization to register applications +3. Check if admin consent was granted for the application''s permissions +4. Review the application''s redirect URIs for suspicious external domains +5. 
Examine the application''s credential types (secrets, certificates) +6. If unauthorized, delete the application registration and revoke any granted consents +7. Implement app registration policies to restrict who can create applications +8. Enable admin consent workflow for application permission requests +', '["https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals","https://attack.mitre.org/techniques/T1098/001/"]', '(contains("log.operationName", "Add application") || + contains("log.operationName", "Add service principal") || + contains("log.operationName", "Consent to application")) && +equals("log.categoryValue", "Administrative") +', '2026-02-09 16:31:13.876574', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"},{"field":"log.categoryValue","operator":"filter_term","value":"Administrative"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.operationName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (107, 'Application Gateway WAF Security Alerts', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects Web Application Firewall alerts from Azure Application Gateway indicating potential web attacks or malicious activity. This rule triggers when WAF blocks or detects suspicious requests that match security rules. + +**Next Steps:** +1. Review the specific WAF rule ID and message details to understand the attack type +2. Analyze the source IP address for reputation and geographic location +3. Examine the request URL, headers, and payload for attack indicators +4. 
Check for additional requests from the same source IP within the time window +5. Verify if this is a legitimate application behavior or actual attack attempt +6. Consider implementing additional WAF rules or IP blocking if confirmed malicious +7. Review application logs for any successful bypass attempts +', '["https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs","https://attack.mitre.org/techniques/T1190/"]', '(equals("log.operationName", "ApplicationGatewayFirewallLog") || equals("log.type", "ApplicationGatewayFirewallLog")) && +equals("log.action", "Blocked") && +exists("log.ruleId") +', '2026-02-09 16:31:14.041368', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-10m","count":5}]', '["lastEvent.log.ruleId","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (108, 'Azure AD Impossible Travel Sign-In Detection', 3, 2, 1, 'Credential Access', 'T1078 - Valid Accounts', 'Detects Azure AD sign-ins flagged as risky due to impossible travel, anonymous IP usage, or unfamiliar locations. These risk detections indicate potential credential compromise when a user authenticates from geographically impossible locations or through anonymizing services. + +Next Steps: +1. Review the sign-in details including IP addresses and geographic locations +2. Check if the user employs VPN services that could explain different locations +3. Verify with the user whether the sign-in attempts are legitimate +4. Review the risk level and risk detail provided by Azure AD Identity Protection +5. 
Check for MFA challenges and their outcomes during the sign-in +6. If compromised, immediately reset user credentials and revoke active sessions +7. Enable Conditional Access policies requiring MFA for risky sign-ins +8. Review Azure AD sign-in logs for other accounts from the same suspicious IPs +', '["https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.operationName", "Sign-in activity") && +(equals("log.properties.riskLevelDuringSignIn", "high") || + equals("log.properties.riskState", "atRisk") || + contains("log.properties.riskEventTypes", "impossibleTravel") || + contains("log.properties.riskEventTypes", "anonymizedIPAddress")) +', '2026-02-09 16:31:14.200933', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (109, 'Azure Automation Runbook Abuse', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects creation or modification of Azure Automation runbooks which can be abused for code execution with managed identity privileges. Attackers may create runbooks to execute arbitrary code, establish persistence, or perform lateral movement using the automation account''s managed identity. + +Next Steps: +1. Review the runbook content for malicious scripts or commands +2. Verify the automation account''s managed identity permissions +3. Check the user creating or modifying the runbook has authorization +4. Review the runbook schedule for unauthorized execution times +5. Examine the runbook''s Run As account credentials +6. 
If unauthorized, disable the runbook and revoke the automation account''s permissions +7. Review execution history for already-executed malicious runbooks +8. Implement RBAC to restrict automation account management +', '["https://learn.microsoft.com/en-us/azure/automation/automation-runbook-types","https://attack.mitre.org/techniques/T1059/"]', 'contains("log.operationName", "Microsoft.Automation") && +(contains("log.operationName", "runbooks/write") || + contains("log.operationName", "runbooks/publish") || + contains("log.operationName", "jobs/write") || + contains("log.operationName", "schedules/write")) && +equals("log.resultType", "Success") +', '2026-02-09 16:31:14.375401', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (110, 'Azure AD Password Spray Attack Detection', 3, 2, 1, 'Credential Access', 'T1110 - Brute Force', 'Detects password spray attacks against Azure AD by correlating failed sign-in attempts across multiple usernames from the same source IP within a short time window. Password spraying tries common passwords against many accounts to avoid account lockout thresholds. + +Next Steps: +1. Identify the source IP and check threat intelligence feeds for known malicious sources +2. Review the list of targeted user accounts for patterns (executives, admins, service accounts) +3. Check if any of the targeted accounts subsequently had successful logins +4. Verify that account lockout policies are properly configured +5. Block the source IP at the network level if confirmed malicious +6. Enable Azure AD Smart Lockout for brute force protection +7. 
Implement Conditional Access policies requiring MFA +8. Review password policies and enforce complexity requirements +', '["https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1110/"]', 'contains("log.operationName", "Sign-in activity") && +(equals("log.properties.status.errorCode", "50126") || + equals("log.properties.status.errorCode", "50053") || + equals("log.properties.status.errorCode", "50057")) && +exists("origin.ip") +', '2026-02-09 16:31:14.526597', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.properties.status.errorCode","operator":"filter_match","value":"5005"}],"or":null,"within":"now-15m","count":15}]', '["lastEvent.log.operationName","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (111, 'Azure Security Alert Suppression Rule Created', 2, 3, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Detects creation of alert suppression rules in Azure Defender / Microsoft Defender for Cloud. Attackers create suppression rules to hide security alerts generated by their activities. + +Next Steps: +1. Review the suppression rule and what alert types it suppresses +2. Verify the rule creation was part of an authorized security operations workflow +3. Check the user identity for legitimate security team membership +4. Review recent security alerts that may have been suppressed +5. If unauthorized, delete the suppression rule and review suppressed alerts +6. 
Check for other defense evasion activities from the same user +', '["https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules","https://attack.mitre.org/techniques/T1562/"]', 'regexMatch("log.operationName", "(?i)MICROSOFT\\.SECURITY/ALERTSSUPPRESSIONRULES/WRITE") +', '2026-02-09 16:31:14.687510', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (136, 'Azure Service Principal Credentials Added', 3, 3, 2, 'Persistence', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects when new credentials (certificates or secrets) are added to Azure service principals through Azure AD/Entra ID Audit Logs. + +**Security Context:** +Adversaries may add credentials to service principals to maintain persistent access to victim Azure accounts. By hijacking an application with granted permissions through adding rogue secrets or certificates, attackers can access protected data and bypass MFA requirements. This technique is commonly used after initial compromise to establish long-term persistence. + +**Detection Logic:** +This rule monitors AuditLogs for successful "Add service principal" operations, which indicate new credentials being added to service principals. The operation captures both certificate and secret additions. + +**Investigation Steps:** +1. Identify the actor who added the credentials: Check log.propertiesInitiatedBy for the user or service principal +2. Review the target service principal: Examine log.propertiesTargetResources for the affected service principal name and ID +3. 
Verify if the action was authorized: Correlate with change management tickets
+4. Check service principal permissions: Review what resources this service principal can access
+5. Examine recent sign-in activity: Look for unusual authentication patterns using the service principal
+6. Review credential type: Determine if a certificate or secret was added via log.propertiesModifiedProperties
+
+**Recommended Actions:**
+- If unauthorized, immediately revoke the newly added credentials
+- Review and rotate all credentials for the affected service principal
+- Audit all resources accessible by the service principal for signs of compromise
+- Enable alerts for future credential additions to critical service principals
+- Implement conditional access policies and privileged identity management
+
+**MITRE ATT&CK Reference:** T1098.001 - Account Manipulation: Additional Cloud Credentials
+
+**Azure Documentation:**
+- AuditLogs table: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs
+- Service Principal credentials: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
+', '["https://attack.mitre.org/techniques/T1098/001/","https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs","https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"]', 'equalsIgnoreCase("log.category", "AuditLogs") &&
+contains("log.operationName", "Add service principal") &&
+(equals("log.resultType", "0") || equalsIgnoreCase("actionResult", "SUCCESS"))
+', '2026-02-09 16:31:18.565801', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, 
rule_after_events_def, rule_group_by_def) values (113, 'Azure AD Application Credential Added', 3, 3, 2, 'Persistence', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects when new certificates or client secrets are added to Azure AD application registrations. This is the primary Azure AD persistence technique - attackers add credentials to existing apps to maintain access even after password resets.
+
+Next Steps:
+1. Verify the credential addition was authorized by the application owner
+2. Identify the application and its permissions (especially Graph API permissions)
+3. Check the user identity adding the credential for legitimacy
+4. Review the credential type (certificate vs secret) and expiration
+5. Check for subsequent sign-ins using the new application credential
+6. If unauthorized, remove the credential and rotate all app secrets
+7. Review the application''s API permissions for excessive access
+', '["https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal","https://attack.mitre.org/techniques/T1098/001/"]', 'oneOf("log.operationName", ["Add service principal credentials", "Update application - Certificates and secrets management"]) ||
+(contains("log.operationName", "application") && contains("log.properties", "KeyCredentials"))
+', '2026-02-09 16:31:14.980999', true, false, 'origin', null, '[]', '["lastEvent.log.properties.targetResources","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (114, 'Azure AD Privileged App Role Assignment', 3, 3, 2, 'Privilege Escalation', 'T1098.003 - Account Manipulation: Additional Cloud Roles', 'Detects privileged app role assignments to service 
principals in Azure AD, which is the mechanism used in illicit consent grant attacks. Attackers create or modify applications with high-privilege API permissions to access organizational data.
+
+Next Steps:
+1. Review the application and the specific API permissions granted
+2. Verify the consent was authorized by a legitimate administrator
+3. Check if the application is known and trusted
+4. Review the application publisher and redirect URIs
+5. Check for data access using the application''s permissions
+6. If unauthorized, remove the role assignment and revoke application consent
+7. Review and restrict user consent settings in Azure AD
+', '["https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals","https://attack.mitre.org/techniques/T1098/003/"]', 'contains("log.operationName", "Add app role assignment to service principal") ||
+(contains("log.operationName", "Consent to application") && contains("log.properties", "AppRoleAssignment"))
+', '2026-02-09 16:31:15.125869', true, false, 'origin', null, '[]', '["lastEvent.log.properties.targetResources","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (115, 'AzureHound Reconnaissance Tool Detected', 2, 1, 0, 'Discovery', 'T1087.004 - Account Discovery: Cloud Account', 'Detects AzureHound user agent in Azure AD sign-in logs. AzureHound is the Azure AD data collector for BloodHound, used to enumerate all users, groups, roles, apps, and relationships in the tenant for attack path analysis.
+
+Next Steps:
+1. Identify the user account running AzureHound
+2. Determine if this is an authorized security assessment
+3. 
Review the scope of data collected (users, groups, roles, apps)
+4. Check for lateral movement or privilege escalation following the enumeration
+5. If unauthorized, revoke the user''s tokens and investigate
+6. Review API permissions that allowed the enumeration
+7. Consider implementing Graph API rate limiting or monitoring
+', '["https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html","https://attack.mitre.org/techniques/T1087/004/"]', 'contains("log.properties", "azurehound") ||
+contains("log.properties", "AzureHound")
+', '2026-02-09 16:31:15.285862', true, false, 'origin', '["adversary.user","adversary.ip"]', '[]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (116, 'Azure AD Device Code Authentication Flow Detected', 3, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Detects OAuth device code flow authentication in Azure AD. Device code phishing is a growing attack vector where attackers trick users into authenticating on a device the attacker controls, granting the attacker access tokens.
+
+Next Steps:
+1. Verify the device code authentication was initiated by the user on a legitimate device
+2. Check the application requesting the device code for legitimacy
+3. Review the source IP where the token was redeemed
+4. Check for subsequent suspicious activities using the obtained token
+5. If unauthorized, revoke the session and all refresh tokens
+6. Consider blocking device code flow via conditional access policies
+7. 
Educate users about device code phishing attacks
+', '["https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code","https://attack.mitre.org/techniques/T1078/"]', '(contains("log.properties", "deviceCode") && contains("log.operationName", "Sign-in")) ||
+contains("log.properties", "urn:ietf:params:oauth:grant-type:device_code")
+', '2026-02-09 16:31:15.446209', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (117, 'Azure Disk Snapshot Exfiltration', 3, 2, 1, 'Data Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Detects Azure disk snapshot operations that could be used for data exfiltration, including sharing snapshots across subscriptions, generating SAS URIs for download, or copying snapshots to external storage accounts.
+
+Next Steps:
+1. Identify the disk snapshot and the virtual machine it was taken from
+2. Review the target location or account where the snapshot is being shared
+3. Verify the operator has authorization for cross-subscription snapshot operations
+4. Check if a SAS URI was generated that could allow external download
+5. Review the data sensitivity of the affected virtual machine''s disk
+6. If unauthorized, revoke any generated SAS tokens and delete shared snapshots
+7. Implement Azure Policy to restrict snapshot sharing across subscriptions
+8. 
Enable diagnostic logging for disk operations
+', '["https://learn.microsoft.com/en-us/azure/virtual-machines/disks-incremental-snapshots","https://attack.mitre.org/techniques/T1537/"]', '(contains("log.operationName", "Microsoft.Compute/snapshots") ||
+ contains("log.operationName", "Microsoft.Compute/disks")) &&
+(contains("log.operationName", "beginGetAccess") ||
+ contains("log.operationName", "export")) &&
+equals("log.resultType", "Success")
+', '2026-02-09 16:31:15.591151', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (118, 'Azure AD Bulk Privileged Role Assignment Changes', 3, 3, 2, 'Privilege Escalation', 'T1098 - Account Manipulation', 'Detects mass privileged role assignment changes in Azure AD. Multiple role assignments in a short time window indicate an attacker rapidly escalating privileges across multiple accounts for persistence and lateral movement.
+
+Next Steps:
+1. Review all role assignments made in the burst
+2. Identify the admin account making the changes
+3. Check if these changes were part of an approved onboarding or migration
+4. Review the specific roles assigned (Global Admin, Exchange Admin, etc.)
+5. If unauthorized, revert all role assignments and investigate the admin account
+6. 
Enable Azure PIM for just-in-time role activation
+', '["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles","https://attack.mitre.org/techniques/T1098/"]', 'contains("log.operationName", "Add member to role") ||
+contains("log.operationName", "Add eligible member to role")
+', '2026-02-09 16:31:15.727148', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":10}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (119, 'Azure AD Impossible Travel Sign-In', 3, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Detects Azure Identity Protection impossible travel alerts where a user signs in from geographically distant locations in a timeframe that makes physical travel impossible. This strongly indicates credential theft or session hijacking.
+
+Next Steps:
+1. Contact the user to verify both sign-in locations
+2. Check if a VPN or proxy could explain the geolocation discrepancy
+3. Review the sign-in details (device, browser, app) for both locations
+4. If unauthorized, force password reset and revoke all sessions
+5. Review data access and actions from the suspicious location
+6. Enable location-based conditional access policies
+7. 
Check for other users with similar patterns from the same locations
+', '["https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.operationName", "Impossible Travel") ||
+(contains("log.properties", "riskEventType") && contains("log.properties", "impossibleTravel"))
+', '2026-02-09 16:31:15.861315', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (120, 'Azure Kubernetes Admission Webhook Modified', 3, 3, 2, 'Persistence', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects creation or modification of MutatingAdmissionWebhook or ValidatingAdmissionWebhook configurations in Azure Kubernetes Service. Attackers use admission controllers to inject malicious containers or modify workload specifications.
+
+Next Steps:
+1. Review the webhook configuration and its target service
+2. Verify the webhook was created as part of a legitimate deployment
+3. Check the webhook''s namespace selector and object selector
+4. Examine what resources the webhook intercepts (pods, deployments, etc.)
+5. If unauthorized, delete the webhook and audit all recent pod deployments
+6. 
Review cluster RBAC for excessive admission controller permissions
+', '["https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/","https://attack.mitre.org/techniques/T1078/004/"]', 'contains("log.operationName", "MICROSOFT.CONTAINERSERVICE") &&
+(contains("log.properties", "MutatingWebhookConfiguration") || contains("log.properties", "ValidatingWebhookConfiguration")) &&
+(contains("log.properties", "create") || contains("log.properties", "update") || contains("log.properties", "patch"))
+', '2026-02-09 16:31:16.010841', true, false, 'origin', null, '[]', '["lastEvent.log.resourceId","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (121, 'Azure Kubernetes Secret Write or Delete', 3, 3, 2, 'Credential Access', 'T1552.007 - Unsecured Credentials: Container API', 'Detects write or delete operations on Kubernetes Secrets in Azure Kubernetes Service. Secrets contain sensitive data like service account tokens, TLS certificates, and database credentials. Unauthorized access indicates potential credential theft or data tampering.
+
+Next Steps:
+1. Identify the user or service account accessing the secrets
+2. Review which secrets were accessed, modified, or deleted
+3. Check if the operation was part of a legitimate deployment workflow
+4. Audit the RBAC permissions of the identity performing the action
+5. If unauthorized, rotate all affected secrets immediately
+6. 
Review pod specifications for secrets mounted as volumes or environment variables
+', '["https://kubernetes.io/docs/concepts/configuration/secret/","https://attack.mitre.org/techniques/T1552/007/"]', 'contains("log.operationName", "MICROSOFT.CONTAINERSERVICE") &&
+contains("log.properties", "secrets") &&
+(contains("log.properties", "create") || contains("log.properties", "update") || contains("log.properties", "delete") || contains("log.properties", "patch"))
+', '2026-02-09 16:31:16.165946', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":5}]', '["lastEvent.log.resourceId","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (122, 'Azure Kubernetes Events Deleted', 1, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects deletion of Kubernetes events in Azure Kubernetes Service (AKS). Attackers delete events to cover traces of their activities within the cluster.
+
+Next Steps:
+1. Identify the user or service account that deleted the events
+2. Check for other suspicious Kubernetes operations from the same identity
+3. Review AKS audit logs for activities that occurred before the event deletion
+4. Verify if this was part of a legitimate cluster maintenance operation
+5. If unauthorized, investigate the cluster for signs of compromise
+6. 
Review RBAC policies to restrict event deletion permissions
+', '["https://learn.microsoft.com/en-us/azure/aks/monitor-aks","https://attack.mitre.org/techniques/T1562/001/"]', 'contains("log.operationName", "MICROSOFT.CONTAINERSERVICE") &&
+(contains("log.properties", "events") && contains("log.properties", "delete"))
+', '2026-02-09 16:31:16.326140', true, false, 'origin', null, '[]', '["lastEvent.log.resourceId","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (123, 'Azure AD LAPS Password Recovery', 3, 2, 1, 'Credential Access', 'T1003 - OS Credential Dumping', 'Detects Local Administrator Password Solution (LAPS) password recovery from Entra ID. While LAPS recovery is a legitimate admin operation, excessive or unauthorized recovery attempts indicate credential dumping for lateral movement.
+
+Next Steps:
+1. Verify the user recovering the LAPS password has legitimate need
+2. Check the target device and whether the user is responsible for it
+3. Review the frequency of LAPS password recoveries by this user
+4. Correlate with subsequent RDP or SMB connections to the target device
+5. If unauthorized, rotate the LAPS password and investigate the user''s activities
+6. 
Review RBAC for LAPS password read permissions
+', '["https://learn.microsoft.com/en-us/entra/identity/devices/howto-manage-local-admin-passwords","https://attack.mitre.org/techniques/T1003/"]', 'contains("log.operationName", "Recover device local administrator password") ||
+(contains("log.operationName", "Read device local administrator password") && exists("log.properties"))
+', '2026-02-09 16:31:16.486258', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-1h","count":3}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (124, 'Azure AD Federation Settings Modified', 3, 3, 3, 'Credential Access', 'T1556 - Modify Authentication Process', 'Detects modifications to Azure AD domain federation settings. Changing federation configuration is a critical attack technique that enables Golden SAML attacks and domain takeover, allowing attackers to forge authentication tokens for any user.
+
+Next Steps:
+1. Immediately verify the federation modification was authorized
+2. Check the user identity and source IP performing the change
+3. Review the new federation settings for suspicious IdP configurations
+4. Validate the signing certificate in the federation configuration
+5. Check for subsequent sign-ins using federated authentication
+6. If unauthorized, revert the federation changes and investigate all federated sessions
+7. 
Review all privileged role assignments that occurred after the change
+', '["https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-fed","https://attack.mitre.org/techniques/T1556/"]', 'contains("log.operationName", "Set federation settings on domain") ||
+(contains("log.operationName", "Set domain authentication") && contains("log.properties", "Federated"))
+', '2026-02-09 16:31:16.650983', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (125, 'Azure AD Leaked Credentials Detection', 3, 3, 2, 'Credential Access', 'T1078 - Valid Accounts', 'Detects Azure Identity Protection alerts for leaked credentials found on dark web, paste sites, or other sources. This indicates user credentials have been exposed and may be used for unauthorized access.
+
+Next Steps:
+1. Immediately force a password reset for the affected user
+2. Revoke all active sessions and refresh tokens
+3. Review recent sign-in activity for unauthorized access
+4. Check for any data access or configuration changes after the leak
+5. Enable MFA if not already required for the user
+6. Investigate how the credentials were leaked (phishing, malware, reuse)
+7. 
Check if the same password was used across other services
+', '["https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.operationName", "Leaked Credentials") ||
+(contains("log.properties", "riskEventType") && contains("log.properties", "leakedCredentials"))
+', '2026-02-09 16:31:16.806087', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (126, 'Azure Primary Refresh Token Access Attempt', 3, 3, 1, 'Credential Access', 'T1528 - Steal Application Access Token', 'Detects attempts to access the Primary Refresh Token (PRT) in Azure AD. PRT theft is a high-confidence compromise indicator as PRTs provide SSO access across all Azure AD-integrated applications and can be used to bypass conditional access policies.
+
+Next Steps:
+1. Immediately investigate the user account associated with this alert
+2. Check the device from which the PRT access was attempted
+3. Review sign-in logs for the affected user for anomalous patterns
+4. Check for token replay attacks or sessions from unexpected locations
+5. If compromise is confirmed, revoke all refresh tokens for the user
+6. Re-register the device and force re-authentication
+7. 
Review conditional access policies for PRT-based bypass vulnerabilities
+', '["https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token","https://attack.mitre.org/techniques/T1528/"]', 'contains("log.operationName", "Primary Refresh Token") ||
+(contains("log.properties", "PRT") && contains("log.properties", "access"))
+', '2026-02-09 16:31:17.045870', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (127, 'Azure AD Resource Owner Password Credentials Flow Detected', 2, 2, 1, 'Credential Access', 'T1078 - Valid Accounts', 'Detects use of the Resource Owner Password Credentials (ROPC) OAuth flow in Azure AD. ROPC sends plain-text credentials directly to the token endpoint, bypassing MFA and conditional access. It is commonly abused by attackers for credential stuffing and automated account compromise.
+
+Next Steps:
+1. Identify the application using ROPC flow and verify its legitimacy
+2. Check if the application has a legitimate need for ROPC (legacy/headless apps)
+3. Review the source IPs making ROPC requests for suspicious patterns
+4. Check for high volumes of failed ROPC requests (credential stuffing)
+5. Migrate the application to a modern auth flow (authorization code, device code)
+6. 
If unauthorized, block the application and reset affected user passwords
+', '["https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.properties", "urn:ietf:params:oauth:grant-type:password") ||
+(contains("log.operationName", "Sign-in") && contains("log.properties", "ropc"))
+', '2026-02-09 16:31:17.186271', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-1h","count":5}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (128, 'Azure AD Password Spray Attack Detected', 3, 2, 1, 'Credential Access', 'T1110.003 - Brute Force: Password Spraying', 'Detects Azure Identity Protection password spray attack signals. Microsoft''s ML-based detection identifies distributed password spray attempts across multiple accounts using common passwords.
+
+Next Steps:
+1. Identify all affected user accounts in the password spray
+2. Check if any accounts were successfully compromised
+3. Force password resets for all targeted accounts
+4. Review source IPs for known attack infrastructure
+5. Check for successful sign-ins from the same source IPs
+6. Enable smart lockout policies if not already configured
+7. 
Review MFA enforcement across all targeted accounts
+', '["https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://attack.mitre.org/techniques/T1110/003/"]', 'contains("log.operationName", "Password Spray") ||
+(contains("log.properties", "riskEventType") && contains("log.properties", "passwordSpray"))
+', '2026-02-09 16:31:17.366393', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (129, 'Azure Sentinel High/Critical Alert Pattern Detection', 3, 3, 2, 'Threat Detection', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects high-severity or critical alerts from Azure Sentinel that may indicate coordinated attack activity or serious security incidents requiring immediate investigation. This rule identifies new alerts with High or Critical severity levels from Microsoft Sentinel that could represent active threats.
+
+Next Steps:
+1. Review the alert details and affected resources immediately
+2. Correlate with other security events in the environment
+3. Check for signs of lateral movement or privilege escalation
+4. Verify if the alert represents a true positive through manual investigation
+5. Implement containment measures if attack activity is confirmed
+6. 
Document findings and update incident response procedures
+', '["https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema","https://attack.mitre.org/techniques/T1562/"]', 'oneOf("log.AlertSeverity", ["High", "Critical"]) &&
+equals("log.VendorName", "Microsoft Sentinel") &&
+equals("log.Status", "New")
+', '2026-02-09 16:31:17.531107', true, false, 'origin', null, '[]', '["lastEvent.log.AlertType","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (130, 'Azure AD New Root Certificate Authority Added', 3, 3, 2, 'Persistence', 'T1556 - Modify Authentication Process', 'Detects when a new root certificate authority is added to the TrustedCAsForPasswordlessAuth configuration in Azure AD. Adding a rogue root CA enables persistent passwordless authentication backdoor access.
+
+Next Steps:
+1. Immediately verify the root CA addition was authorized
+2. Review the certificate details and issuing authority
+3. Check the user identity performing the change
+4. Validate the CA against your organization''s known PKI infrastructure
+5. If unauthorized, remove the root CA immediately
+6. Audit all certificate-based authentications since the CA was added
+7. 
Review Azure AD authentication methods policies
+', '["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication","https://attack.mitre.org/techniques/T1556/"]', 'contains("log.operationName", "TrustedCAsForPasswordlessAuth") ||
+(contains("log.operationName", "Update organization settings") && contains("log.properties", "certificateAuthorities"))
+', '2026-02-09 16:31:17.685722', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (190, 'AWS Configuration Recorder Stopped', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies an AWS configuration change to stop recording a designated set of resources', '["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html","https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html","https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/"]', 'equals("log.eventSource", "config.amazonaws.com") &&
+equals("log.eventName", "StopConfigurationRecorder")
+', '2026-02-09 16:32:22.765665', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (131, 'Azure AD Temporary Access Pass Registration', 3, 2, 1, 'Credential Access', 'T1078.004 
- Valid Accounts: Cloud Accounts', 'Detects registration of Temporary Access Pass (TAP) in Azure AD. TAPs can be used to bypass MFA requirements and are a growing attack vector for initial access and MFA circumvention. + +Next Steps: +1. Verify the TAP was requested through legitimate channels (IT helpdesk) +2. Check the admin user who created the TAP for legitimacy +3. Review the target user and reason for TAP issuance +4. Check for sign-ins using the TAP, especially from unusual locations +5. Verify MFA registration events following the TAP usage +6. If unauthorized, revoke the TAP immediately and investigate +7. Review TAP policy settings for appropriate lifetime and usage limits +', '["https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass","https://attack.mitre.org/techniques/T1078/004/"]', '(contains("log.operationName", "Admin registered security info") && contains("log.properties", "Temporary Access Pass")) || +(contains("log.operationName", "Update user") && contains("log.properties", "TemporaryAccessPass")) +', '2026-02-09 16:31:17.816412', true, false, 'origin', null, '[]', '["lastEvent.log.properties.targetResources","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (132, 'Azure Key Vault Modified', 3, 3, 2, 'Credential Access', 'T1552 - Unsecured Credentials', 'Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users. 
Adversaries may modify Key Vault configurations to weaken security controls, add unauthorized access policies, or change network rules to facilitate credential theft and unauthorized access to sensitive secrets.', '["https://attack.mitre.org/techniques/T1552/","https://attack.mitre.org/tactics/TA0006/","https://learn.microsoft.com/en-us/azure/key-vault/general/security-features"]', '(equalsIgnoreCase("log.category", "Administrative") || contains("log.category", "Activity")) && +(equalsIgnoreCase("log.operationName", "MICROSOFT.KEYVAULT/VAULTS/WRITE") || +contains("log.operationName", "Microsoft.KeyVault/vaults/write")) && +equals("log.resultType", "0") +', '2026-02-09 16:31:17.966280', true, false, 'target', null, '[]', '["target.ip","target.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (133, 'Azure Subscription Permission Elevation via ElevateAccess', 3, 3, 3, 'Privilege Escalation', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects the MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION operation which grants a Global Administrator access to ALL Azure subscriptions in the tenant. This is an extremely high-impact action that should be very rare and carefully monitored. + +Next Steps: +1. Immediately verify this action was authorized by a known Global Administrator +2. Check if a change request or emergency procedure exists for this action +3. Review what subscription-level changes were made after the elevation +4. Check for new role assignments at the management group or subscription level +5. If unauthorized, remove the User Access Administrator role and audit all changes +6. 
Enable Azure PIM (Privileged Identity Management) if not already in use +', '["https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin","https://attack.mitre.org/techniques/T1078/004/"]', 'regexMatch("log.operationName", "(?i)MICROSOFT\\.AUTHORIZATION/ELEVATEACCESS/ACTION") +', '2026-02-09 16:31:18.095884', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (134, 'Azure Event Hub Deletion', 1, 3, 3, 'Defense Evasion', 'T1562.008 - Impair Defenses: Disable Cloud Logs', 'Detects the deletion of an Azure Event Hub, which is a critical event processing service that ingests and processes large volumes of events, logs, and telemetry data. Event Hubs are commonly used for security monitoring, log aggregation, and SIEM integration. Adversaries may delete Event Hubs to evade detection by disrupting log collection pipelines and preventing security events from reaching monitoring systems. 
+ +Threat Context: +- Event Hubs are often used to stream logs to SIEM solutions +- Deletion interrupts security monitoring and incident detection capabilities +- Can be part of anti-forensics activities to cover tracks +- May indicate an attempt to blind security operations before further attacks + +Legitimate Use Cases: +- Decommissioning unused Event Hubs during cost optimization +- Infrastructure cleanup during application retirement +- Migration to new Event Hub namespaces or different logging solutions +- Testing and development environment cleanup + +Suspicious Indicators: +- Event Hub actively receiving logs suddenly deleted +- Deletion performed by non-administrative accounts +- Multiple Event Hubs deleted in quick succession +- Deletion outside change management windows +- Deletion from unusual locations or IP addresses +- Event Hub connected to production SIEM or security monitoring + +Next Steps: +1. Verify if the deletion was authorized via change management process +2. Identify who performed the deletion (caller) and their role +3. Check if the Event Hub was actively receiving security logs +4. Determine the impact on security monitoring and log collection +5. Review recent authentication activity for the caller account +6. Check for other suspicious activities in the timeline (diagnostic settings changes, etc.) +7. Verify if backups of the Event Hub configuration exist +8. If unauthorized, restore the Event Hub and investigate for account compromise +9. 
Review authorization rules and access policies for remaining Event Hubs +', '["https://attack.mitre.org/techniques/T1562/008/","https://attack.mitre.org/tactics/TA0005/","https://learn.microsoft.com/en-us/azure/event-hubs/monitor-event-hubs","https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log"]', '(equalsIgnoreCase("log.category", "Administrative") || contains("log.category", "Activity")) && +(equalsIgnoreCase("log.operationName", "MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE") || +contains("log.operationName", "Delete EventHub")) && +(equalsIgnoreCase("log.resultType", "0") || equalsIgnoreCase("actionResult", "SUCCESS")) +', '2026-02-09 16:31:18.250850', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (135, 'Azure Diagnostic Settings Deletion', 1, 3, 3, 'Defense Evasion', 'T1562.008 - Impair Defenses: Disable Cloud Logs', 'Detects the deletion of diagnostic settings in Azure, which are critical for sending platform logs, metrics, and activity data to destinations like Log Analytics workspaces, Event Hubs, or storage accounts. Adversaries delete diagnostic settings to evade detection by disabling security monitoring and audit logging capabilities. 
+ +This technique is commonly observed when attackers: +- Attempt to hide malicious activities from security teams +- Disable logging before executing destructive operations +- Remove evidence trails of their presence in the environment +- Prevent detection of lateral movement or data exfiltration + +Legitimate deletions are rare and typically occur only during: +- Infrastructure decommissioning or major reconfigurations +- Cost optimization initiatives (but should be heavily scrutinized) +- Migration to new monitoring solutions + +Next Steps: +1. Immediately verify if the deletion was authorized and documented +2. Identify who performed the operation and from which IP address +3. Check if diagnostic settings were immediately recreated (potential test) +4. Review recent activities on the affected resource for suspicious behavior +5. Verify if other resources had their diagnostic settings deleted +6. Restore diagnostic settings immediately to resume monitoring +7. Investigate the caller''s account for potential compromise +8. 
Check for other defense evasion techniques in the timeline +', '["https://attack.mitre.org/techniques/T1562/008/","https://attack.mitre.org/tactics/TA0005/","https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings","https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log"]', '(equalsIgnoreCase("log.category", "Administrative") || contains("log.category", "Activity")) && +(equalsIgnoreCase("log.operationName", "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE") || +contains("log.operationName", "Delete diagnostic setting")) && +equalsIgnoreCase("log.resultType", "0") +', '2026-02-09 16:31:18.406489', true, false, 'target', null, '[]', '["target.ip","target.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (137, 'Azure AD Golden SAML and Federation Domain Abuse', 3, 3, 2, 'Credential Access', 'T1606.002 - Forge Web Credentials: SAML Tokens', 'Detects additions or modifications of federated domains in Azure AD which could indicate Golden SAML attacks. Attackers who compromise AD FS signing certificates or add rogue federation domains can forge SAML tokens to impersonate any user in the organization. + +Next Steps: +1. Immediately verify if the federation domain change was authorized +2. Review the domain being added and its federation metadata endpoint +3. Check the AD FS signing certificate for unauthorized modifications +4. Verify the identity of the administrator making the change +5. Review Azure AD audit logs for other suspicious tenant-level changes +6. If unauthorized, immediately remove the federated domain and revoke all active sessions +7. Rotate the AD FS token signing certificate +8. 
Enable Certificate Authority revocation checking for federation certificates +', '["https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed","https://attack.mitre.org/techniques/T1606/002/"]', '(contains("log.operationName", "Set federation settings on domain") || + contains("log.operationName", "Set domain authentication") || + contains("log.operationName", "Add unverified domain") || + contains("log.operationName", "Add verified domain") || + contains("log.operationName", "Set DomainFederationSettings")) && +equals("log.categoryValue", "Administrative") +', '2026-02-09 16:31:18.721022', true, false, 'origin', null, '[]', '["lastEvent.log.operationName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (138, 'Azure Active Directory High Risk Sign-in', 3, 3, 2, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft''s Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised. 
This rule triggers on ''high'' risk level sign-ins, which indicate strong indicators of compromise such as impossible travel, anonymous IP usage, or leaked credentials.', '["https://attack.mitre.org/techniques/T1078/","https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs"]', 'equalsIgnoreCase("log.category", "SignInLogs") && +equalsIgnoreCase("log.properties.RiskLevelDuringSignIn", "high") && +equalsIgnoreCase("log.propertiesTokenIssuerType", "AzureAD") && +equals("log.resultType", "0") +', '2026-02-09 16:31:18.861590', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (140, 'Azure Key Vault Excessive Access Detected', 3, 2, 1, 'Collection', 'T1530 - Data from Cloud Storage Object', 'Detects unusual spikes in Azure Key Vault access patterns. Monitors for multiple secret retrieval operations from the same source, which could indicate credential harvesting or data exfiltration attempts. + +Next Steps: +1. Investigate the source IP address and verify if it''s a legitimate system or user +2. Review the specific secrets/keys being accessed and their criticality +3. Check for any recent changes to Key Vault access policies +4. Correlate with user authentication logs to identify the account responsible +5. Verify if the access pattern aligns with normal business operations +6. 
Consider implementing additional access controls or monitoring if suspicious activity is confirmed +', '["https://learn.microsoft.com/en-us/azure/key-vault/general/logging","https://attack.mitre.org/techniques/T1530/"]', 'equals("log.category", "AuditEvent") && +oneOf("log.operationName", ["SecretGet", "SecretList", "KeyGet"]) +', '2026-02-09 16:31:19.397260', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.category","operator":"filter_term","value":"AuditEvent"}],"or":null,"within":"now-10m","count":20}]', '["lastEvent.log.resourceId","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (141, 'MFA Disabled for Privileged Azure AD User', 3, 3, 1, 'Defense Evasion', 'T1556 - Modify Authentication Process', 'Detects when Multi-Factor Authentication (MFA) is disabled for privileged users in Azure AD. This could indicate an attempt to weaken security controls for unauthorized access. + +Next Steps: +1. Verify if the MFA disable action was authorized and legitimate +2. Check who initiated the change and from which IP address +3. Review the user''s recent login activity and permissions +4. Ensure the user account has not been compromised +5. Re-enable MFA if the change was unauthorized +6. 
Consider implementing conditional access policies to prevent unauthorized MFA changes +', '["https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-reporting","https://attack.mitre.org/techniques/T1556/"]', '(equals("log.operationName", "Disable Strong Authentication") || + (equals("log.operationName", "Update user") && contains("log.properties", "StrongAuthenticationMethod"))) && +equals("log.categoryValue", "Administrative") +', '2026-02-09 16:31:19.526659', true, false, 'origin', null, '[]', '["lastEvent.log.correlationId","lastEvent.log.targetUserPrincipalName"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (142, 'Azure Managed Identity Token Abuse', 3, 3, 1, 'Credential Access', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects suspicious token acquisition from Azure Instance Metadata Service (IMDS) by managed identities. Attackers who compromise an Azure VM can abuse managed identities to obtain access tokens for Azure resources without credentials, enabling lateral movement across the cloud environment. + +Next Steps: +1. Identify the Azure resource (VM, App Service, Function) where the token was acquired +2. Review the target resource being accessed with the managed identity token +3. Check if the managed identity''s permissions follow least privilege principles +4. Investigate the process or application that requested the token +5. Review Azure Activity logs for actions performed using the managed identity +6. If unauthorized, restrict the managed identity''s role assignments immediately +7. Investigate the source VM for signs of compromise +8. 
Implement Conditional Access policies for workload identities +', '["https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview","https://attack.mitre.org/techniques/T1078/004/"]', 'contains("log.operationName", "Microsoft.ManagedIdentity") && +equals("log.categoryValue", "Administrative") && +(contains("log.properties.message", "token") || + contains("log.operationName", "tokens")) +', '2026-02-09 16:31:19.656126', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.operationName","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (143, 'Multi-Factor Authentication Disabled for an Azure User', 3, 3, 2, 'Persistence', 'T1556 - Modify Authentication Process', 'Detects when multi-factor authentication (MFA) is disabled for an Azure AD/Entra ID user account through Audit Logs. + +**Security Context:** +Multi-factor authentication is a critical security control that requires users to provide additional verification beyond just a password. Disabling MFA for user accounts significantly weakens authentication security and is a common technique used by adversaries to maintain persistent access. Once MFA is disabled, attackers can authenticate using only compromised credentials without triggering additional verification steps, making detection more difficult. + +**Detection Logic:** +This rule monitors AuditLogs for successful "Disable Strong Authentication" operations, which represent the per-user MFA setting being turned off in Azure AD/Entra ID. 
This operation is distinct from Conditional Access MFA policies and represents the legacy per-user MFA enforcement method. + +**Investigation Steps:** +1. Identify the disabler: Check log.propertiesInitiatedBy for who disabled MFA +2. Identify affected user: Examine log.propertiesTargetResources for the user whose MFA was disabled +3. Verify authorization: Confirm if the MFA disabling was part of legitimate administrative action +4. Review user privilege: Determine if the affected user has elevated permissions (admins, privileged roles) +5. Check timing: Analyze if MFA was disabled after suspicious authentication events +6. Review authentication history: Look for failed authentication attempts before MFA disabling +7. Check for compromise indicators: Search for unusual sign-in patterns, impossible travel, or risky sign-ins +8. Examine subsequent logins: Monitor for authentication activity immediately after MFA disabling +9. Review MFA methods: Check what MFA methods the user had registered before disabling +10. 
Correlate with other events: Look for privilege escalation or data access after MFA disabling + +**Recommended Actions:** +- If unauthorized, immediately re-enable MFA for the affected user +- Force password reset for the affected account +- Review all authentication activity for the affected user +- Check for compromised credentials using Azure AD Identity Protection +- Revoke all active sessions for the affected user +- Enable Conditional Access policies instead of per-user MFA for better control +- Implement PIM approval workflows for modifying MFA settings +- Enable alerts for MFA changes on privileged accounts +- Audit accounts with permissions to modify user authentication settings +- Review and restrict who can disable MFA (typically requires User Administrator or higher) + +**Modern MFA Management:** +- **Per-user MFA (legacy)**: This detection targets the legacy per-user MFA setting +- **Conditional Access**: Modern approach using policies instead of per-user settings +- **Authentication Methods Policy**: Newer method for managing FIDO2, passwordless, etc. + +Organizations should migrate from per-user MFA to Conditional Access policies for more granular control. 
+ +**Common Attack Patterns:** +- Disabling MFA after compromising an administrator account +- Removing MFA from privileged accounts for easier persistent access +- Disabling MFA before credential harvesting or lateral movement +- Insider threats removing MFA from their own accounts +- Disabling MFA on service accounts to enable automated authentication attacks + +**Related Detections:** +- MFA method removal/changes +- Conditional Access policy modifications +- Authentication methods policy changes +- Privileged role assignments without MFA + +**MITRE ATT&CK Reference:** T1556 - Modify Authentication Process + +**Azure Documentation:** +- AuditLogs table: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs +- Per-user MFA: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates +', '["https://attack.mitre.org/techniques/T1556/","https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs","https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates","https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-licensing"]', 'equalsIgnoreCase("log.category", "AuditLogs") && +equalsIgnoreCase("log.operationName", "Disable Strong Authentication") && +(equals("log.resultType", "0") || equalsIgnoreCase("actionResult", "SUCCESS")) +', '2026-02-09 16:31:19.796075', true, false, 'target', null, '[]', '["target.ip","target.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (139, 'Azure Defender for Cloud Critical Security Alert', 3, 3, 2, 'Intrusion Detection', 'TA0001 - Initial Access', 'Detects critical severity alerts from Azure Defender for Cloud indicating 
potential active threats, malware infections, or successful breach attempts that require immediate response. + +Next Steps: +1. Review the full alert details in Azure Defender for Cloud portal +2. Verify the affected resource and assess the scope of potential compromise +3. Check for related suspicious activities on the affected resource +4. Implement immediate containment measures if threat is confirmed +5. Review security policies and configurations for the affected resource +6. Document the incident and update security procedures as needed +', '["https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview","https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-schemas","https://attack.mitre.org/tactics/TA0001/"]', '(equals("log.eventName", "Microsoft.Security/locations/alerts/Activate/action") || contains("log.operationName", "Microsoft.Security")) && +equals("log.category", "Security") && +oneOf("log.level", ["Critical", "High", "Error"]) && +(equals("log.properties.severity", "High") || equals("log.properties.alertSeverity", "High")) +', '2026-02-09 16:31:19.311503', true, false, 'origin', null, '[]', '["lastEvent.log.correlationId","lastEvent.log.eventDataId"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (144, 'Azure PIM Role Activation Anomaly', 3, 3, 1, 'Privilege Escalation', 'T1078 - Valid Accounts', 'Detects unusual Privileged Identity Management (PIM) role activation patterns including activation of high-privilege roles such as Global Administrator or Privileged Role Administrator. Repeated or unusual PIM activations may indicate an attacker leveraging compromised credentials to escalate privileges. + +Next Steps: +1. 
Verify the user activating the PIM role has legitimate business justification +2. Review the specific role being activated and its scope +3. Check the activation justification message provided by the user +4. Review the activation duration and whether it exceeds normal patterns +5. Check for unusual source IP or device during the activation +6. If unauthorized, immediately deactivate the role and disable the user account +7. Review PIM audit logs for other suspicious activations by the same user +8. Implement PIM access reviews and require approval for critical roles +', '["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure","https://attack.mitre.org/techniques/T1078/"]', '(contains("log.operationName", "Add member to role completed (PIM activation)") || + contains("log.operationName", "Add eligible member to role in PIM completed") || + contains("log.operationName", "Activate PIM role")) && +equals("log.categoryValue", "Administrative") +', '2026-02-09 16:31:19.920746', true, false, 'origin', null, '[{"indexPattern":"v11-log-azure-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"},{"field":"log.categoryValue","operator":"filter_term","value":"Administrative"}],"or":null,"within":"now-4h","count":3}]', '["lastEvent.log.operationName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (145, 'Storage Account Public Access Enabled', 3, 2, 1, 'Collection', 'T1530 - Data from Cloud Storage Object', 'Detects when public access is enabled on Azure Storage Accounts which could lead to unauthorized data exposure. 
+This configuration change creates a significant security risk as it allows anonymous access to stored data. + +Next Steps: +1. Immediately review the affected storage account configuration +2. Verify if public access was intentionally enabled and properly authorized +3. Check if any sensitive data is stored in the account +4. Review access logs for any unauthorized access attempts +5. Consider disabling public access if not required for business operations +6. Implement network restrictions and access policies if public access is necessary +7. Monitor for any data exfiltration activities +', '["https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema","https://attack.mitre.org/techniques/T1530/"]', 'contains("log.operationName", "Microsoft.Storage/storageAccounts") && +(contains("log.operationName", "/write") || contains("log.operationName", "/blobServices/write")) && +equals("log.category", "Administrative") && +equals("log.actionResult", "accepted") && +(contains("log.properties", "allowBlobPublicAccess") || contains("log.properties", "publicAccess")) +', '2026-02-09 16:31:20.055797', true, false, 'origin', null, '[]', '["lastEvent.log.aadObjectId","lastEvent.log.resourceId"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (146, 'Azure Application Credential Modification', 3, 3, 2, 'Defense Evasion', 'T1098.001 - Account Manipulation: Additional Cloud Credentials', 'Detects when a new credential (certificate or secret) is added to an Azure AD application. Applications can use certificates or secret strings to authenticate when requesting tokens. 
Adversaries may add additional authentication credentials to existing applications to establish persistence, evade defenses, or enable privilege escalation by impersonating legitimate applications. + +This technique is commonly used in post-compromise scenarios where attackers: +- Add secrets to high-privilege applications to maintain access +- Create backdoor authentication methods to evade MFA requirements +- Establish persistence mechanisms that survive password resets +- Enable token-based authentication for automated attacks + +Next Steps: +1. Verify if the credential modification was authorized and expected +2. Identify who performed the operation (check InitiatedBy field) +3. Review the affected application''s permissions and access scope +4. Check for subsequent suspicious sign-in activity using the application +5. Audit other applications for similar unauthorized modifications +6. If unauthorized, immediately remove the suspicious credentials +7. Review application usage logs for potential abuse +8. 
Investigate the source IP address and user agent of the modification +', '["https://attack.mitre.org/techniques/T1098/001/","https://attack.mitre.org/tactics/TA0005/","https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs","https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities"]', '(equalsIgnoreCase("log.category", "AuditLogs") || contains("log.category", "Audit")) && +(contains("log.operationName", "Certificates and secrets management") || +equalsIgnoreCase("log.operationName", "Add service principal credentials") || +equalsIgnoreCase("log.operationName", "Update application") || +equalsIgnoreCase("log.operationName", "Update application - Certificates and secrets management")) && +equalsIgnoreCase("log.resultType", "0") +', '2026-02-09 16:31:20.191064', true, false, 'target', null, '[]', '["target.ip","target.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (147, 'Azure Subscription Ownership Transfer Detected', 3, 3, 2, 'Identity and Access Management', 'T1078 - Valid Accounts', 'Detects when ownership of an Azure subscription is transferred by monitoring role assignment changes at the subscription level. This could indicate unauthorized access or insider threat activity. + +Next Steps: +1. Verify the legitimacy of the ownership transfer with the subscription administrator +2. Check if the user performing the transfer is authorized for this action +3. Review the timing and context of the transfer (business hours, planned change) +4. Examine other recent activities by the same user or from the same source IP +5. Validate that proper change management procedures were followed +6. 
Check for any unusual activity following the ownership transfer
+7. If unauthorized, immediately revoke the new owner''s access and escalate to security team
+', '["https://learn.microsoft.com/en-us/azure/role-based-access-control/change-history-report","https://attack.mitre.org/techniques/T1078/"]', 'equals("log.operationName", "Microsoft.Authorization/roleAssignments/write") &&
+contains("log.properties", "Owner") &&
+equals("log.category", "Administrative") &&
+contains("log.resourceId", "/subscriptions/") &&
+!contains("log.resourceId", "/resourceGroups/")
+', '2026-02-09 16:31:20.330759', true, false, 'origin', null, '[]', '["lastEvent.log.correlationId","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (148, 'Possible Consent Grant Attack via Azure-Registered Application', 3, 3, 2, 'Initial Access', 'T1078 - Valid Accounts', 'Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents. 
Consent grant attacks are commonly used in phishing campaigns where malicious OAuth applications trick users into granting excessive permissions, enabling data exfiltration or unauthorized access to organizational resources.', '["https://attack.mitre.org/techniques/T1566/","https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-consent-requests","https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"]', '(equalsIgnoreCase("log.category", "AuditLogs") || contains("log.category", "Audit")) &&
+equalsIgnoreCase("log.operationName", "Consent to application") &&
+equals("log.resultType", "0")
+', '2026-02-09 16:31:20.450405', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (150, 'Azure Diagnostic Settings Tampering', 2, 3, 2, 'Defense Evasion', 'T1562.008 - Impair Defenses: Disable Cloud Logs', 'Detects deletion or modification of Azure diagnostic settings which are used to route platform logs and metrics to monitoring destinations. Attackers may disable diagnostic settings to prevent their activities from being logged and detected.
+
+Next Steps:
+1. Verify if the diagnostic settings change was authorized through change management
+2. Identify which resources lost their diagnostic logging
+3. Review the identity performing the change and confirm authorization
+4. Check if any suspicious activities occurred after logging was disabled
+5. Restore diagnostic settings for affected resources immediately
+6. Implement Azure Policy to enforce diagnostic settings on all resources
+7. Set up alerts for diagnostic settings modifications
+8. 
Review Azure Activity Log for other defense evasion activities by the same identity
+', '["https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings","https://attack.mitre.org/techniques/T1562/008/"]', 'contains("log.operationName", "Microsoft.Insights/diagnosticSettings") &&
+(contains("log.operationName", "delete") ||
+ contains("log.operationName", "Delete")) &&
+equals("log.resultType", "Success")
+', '2026-02-09 16:31:20.730956', true, false, 'origin', null, '[]', '["lastEvent.log.resourceId","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (151, 'Anthos Security Policy Violations', 3, 3, 2, 'Security Control Bypass', 'T1562 - Impair Defenses', 'Detects security-related events in Google Anthos environments including policy violations, authentication failures, and suspicious container activities. Monitors Anthos Service Mesh, Config Management, and Policy Controller events. 
+
+Next Steps:
+- Review the specific policy violation details in the event logs
+- Verify if the violation was authorized or represents a legitimate security concern
+- Check the source IP and user account associated with the violation
+- Examine recent configuration changes to Anthos security policies
+- Validate that security controls are properly configured and enforced
+- Consider implementing additional monitoring for the affected resources
+', '["https://cloud.google.com/anthos/docs/concepts/overview","https://attack.mitre.org/techniques/T1562/"]', '(
+ oneOf("log.protoPayload.serviceName", ["anthos.googleapis.com", "anthospolicycontroller.googleapis.com", "anthosservicemesh.googleapis.com"]) ||
+ oneOf("log.resourceType", ["k8s_cluster", "gke_cluster"])
+) &&
+(
+ contains("log.protoPayload.methodName", "Policy") ||
+ oneOf("log.jsonPayload.type", ["admission.k8s.io/violation", "policy.violation", "security.alert"]) ||
+ oneOf("log.severity", ["ERROR", "WARNING"])
+) &&
+(
+ equals("log.protoPayload.response.status", "PERMISSION_DENIED") ||
+ contains("log.protoPayload.status.message", "violation") ||
+ contains("log.protoPayload.status.message", "denied") ||
+ contains("log.jsonPayload.details", "policy")
+)
+', '2026-02-09 16:31:49.431583', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.resourceName","lastEvent.log.resource.labels.project_id"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (152, 'Binary Authorization Bypass Detection', 3, 3, 2, 'Defense Evasion', 'T1553 - Subvert Trust Controls', 'Detects attempts to bypass Binary Authorization controls including use of breakglass deployments, policy violations, and unauthorized container 
deployments. These events could indicate attempts to deploy untrusted or malicious container images.
+
+Next Steps:
+1. Verify the legitimacy of the breakglass deployment or policy bypass
+2. Review the container image source and verify its authenticity
+3. Check if the user had proper authorization for emergency deployments
+4. Examine the deployment context and business justification
+5. Validate that security policies are restored after emergency deployment
+6. Monitor for any subsequent suspicious activity from deployed containers
+', '["https://cloud.google.com/binary-authorization/docs/audit-logging","https://cloud.google.com/binary-authorization/docs/run/using-breakglass-cloud-run","https://attack.mitre.org/techniques/T1553/"]', '(
+ equals("log.protoPayload.serviceName", "binaryauthorization.googleapis.com") &&
+ (
+ contains("log.logName", "cloudaudit.googleapis.com/system_event") &&
+ (contains("log.protoPayload.response.details", "breakglass") || equals("log.jsonPayload.breakglass", true))
+ )
+) ||
+(
+ equals("log.resourceType", "cloud_run_revision") &&
+ contains("log.logName", "cloudaudit.googleapis.com/system_event") &&
+ (
+ contains("log.protoPayload.response.status.conditions", "ContainerImageUnauthorized") ||
+ equals("log.jsonPayload.policyViolation", true) ||
+ equals("log.protoPayload.metadata.dryRun", true)
+ )
+)
+', '2026-02-09 16:31:49.570574', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (153, 'Cloud Identity Suspicious Sign-ins Detection', 3, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Detects 
suspicious sign-in attempts to Google Cloud Identity, including logins from unfamiliar locations, unusual IP addresses, or after multiple failed attempts. These could indicate compromised credentials or unauthorized access attempts.
+
+Next Steps:
+1. Verify the legitimacy of the login attempt with the user
+2. Check if the IP address is from a known malicious source
+3. Review recent account activity for signs of compromise
+4. Consider implementing additional MFA if not already enabled
+5. If confirmed malicious, reset user credentials immediately
+6. Review access logs for any unauthorized activities
+', '["https://support.google.com/cloudidentity/answer/4580120?hl=en","https://cloud.google.com/blog/products/identity-security/logs-based-security-alerting-in-google-cloud","https://attack.mitre.org/techniques/T1078/"]', 'equals("log.protoPayload.serviceName", "login.googleapis.com") &&
+(
+ equals("log.protoPayload.metadata.event.type", "Suspicious Login") ||
+ (equals("log.protoPayload.metadata.event.type", "login") && equals("log.protoPayload.metadata.event.parameter.is_suspicious", true)) ||
+ equals("log.protoPayload.metadata.event.parameter.is_suspicious", true)
+)
+', '2026-02-09 16:31:49.745830', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (154, 'GCP probable hijacked account', 3, 3, 2, 'Collection', 'T1560 - Archive Collected Data', 'A user''s account was disabled because Google has detected a suspicious activity indicating it might have been compromised. 
Hijacked account can be used to perform other attacks like data collection and exfiltration', '["https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1560"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.accountDisabledHijacked")
+', '2026-02-09 16:31:49.925601', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (155, 'GCP detected account with password leak', 3, 3, 2, 'Initial Access', 'T1078 - Valid Accounts', 'A user''s account was disabled because a password leak was detected by google.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1078"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.accountDisabledPasswordLeak")
+', '2026-02-09 16:31:50.111410', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (156, 'GCP account is probably used for spamming', 1, 2, 3, 'Initial Access', 'T1566 - Phishing', 'A user''s account was disabled because Google has become aware that it was used to engage in spamming. 
Usually, spamming is used to perform other attacks like phishing or spread malware.', '["https://attack.mitre.org/tactics/TA0001","https://attack.mitre.org/techniques/T1566/"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.accountDisabledSpamming") ||
+equals("log.protoPayload.methodName", "google.login.LoginService.accountDisabledSpammingThroughRelay")
+', '2026-02-09 16:31:50.355664', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (157, 'GCP Audit Log Disabling or Tampering', 3, 3, 2, 'Defense Evasion', 'T1562.008 - Impair Defenses: Disable Cloud Logs', 'Detects attempts to disable GCP audit logging including sink deletion, log exclusion filter creation, and audit configuration changes. Attackers may manipulate logging infrastructure to hide their activities from security monitoring.
+
+Next Steps:
+1. Immediately verify if the logging change was authorized
+2. Review the specific sink or exclusion filter that was modified
+3. Check the identity making the change and verify authorization
+4. Assess what log types are no longer being collected
+5. Restore logging configuration and ensure all critical logs are captured
+6. Review activities that may have been hidden during the logging gap
+7. Implement Organization Policy to prevent log sink deletion
+8. 
Set up alerting on any changes to logging infrastructure
+', '["https://cloud.google.com/logging/docs/audit","https://attack.mitre.org/techniques/T1562/008/"]', '(contains("log.protoPayload.methodName", "DeleteSink") ||
+ contains("log.protoPayload.methodName", "UpdateSink") ||
+ contains("log.protoPayload.methodName", "CreateExclusion") ||
+ contains("log.protoPayload.methodName", "UpdateExclusion") ||
+ contains("log.protoPayload.methodName", "DeleteLog") ||
+ contains("log.protoPayload.methodName", "SetIamPolicy")) &&
+(contains("log.protoPayload.serviceName", "logging.googleapis.com") ||
+ contains("log.resource.type", "logging_sink") ||
+ contains("log.resource.type", "logging_exclusion"))
+', '2026-02-09 16:31:50.520544', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (158, 'GCP Break-Glass Container Workload Deployed', 3, 3, 2, 'Defense Evasion', 'T1548 - Abuse Elevation Control Mechanism', 'Detects deployment of container workloads using the break-glass mechanism to bypass Binary Authorization policy. While legitimate in emergency scenarios, this bypasses security controls and can be abused to deploy malicious or untrusted container images.
+
+Next Steps:
+1. Verify the break-glass deployment was authorized and documented
+2. Review the container image that was deployed
+3. Check the user identity and their authorization level
+4. Validate the business justification for the emergency bypass
+5. Ensure Binary Authorization policies are restored after the emergency
+6. Scan the deployed container for vulnerabilities and malware
+7. 
Review cluster activity following the deployment
+', '["https://cloud.google.com/binary-authorization/docs/using-breakglass","https://attack.mitre.org/techniques/T1548/"]', '(equals("log.protoPayload.serviceName", "binaryauthorization.googleapis.com") &&
+contains("log.protoPayload.response", "breakglass")) ||
+(contains("log.protoPayload.methodName", "container.clusters") &&
+contains("log.protoPayload.request", "breakglass"))
+', '2026-02-09 16:31:50.680995', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (159, 'GCP BigQuery Data Exfiltration Detection', 3, 1, 1, 'Data Exfiltration', 'T1567 - Exfiltration Over Web Service', 'Detects BigQuery operations that may indicate data exfiltration including large data exports, table copies to external projects, and extract jobs writing to external storage. Attackers may use BigQuery to query and export large datasets from compromised projects.
+
+Next Steps:
+1. Review the BigQuery job details including source and destination datasets
+2. Check the data volume being exported or copied
+3. Verify the destination project or storage bucket is legitimate
+4. Review the identity performing the operation and verify authorization
+5. Check if the query accesses sensitive tables or datasets
+6. If unauthorized, cancel running jobs and revoke the identity''s BigQuery permissions
+7. Implement VPC Service Controls to restrict data export
+8. 
Enable BigQuery authorized views to restrict data access
+', '["https://cloud.google.com/bigquery/docs/audit-logging","https://attack.mitre.org/techniques/T1567/"]', 'contains("log.protoPayload.serviceName", "bigquery.googleapis.com") &&
+(contains("log.protoPayload.methodName", "jobservice.insert") ||
+ contains("log.protoPayload.methodName", "tableservice.exportdata") ||
+ contains("log.protoPayload.methodName", "datasets.copy"))
+', '2026-02-09 16:31:50.887308', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"},{"field":"log.protoPayload.serviceName","operator":"filter_term","value":"bigquery.googleapis.com"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (160, 'GCP Cloud Function and Cloud Run Abuse', 2, 2, 1, 'Persistence', 'T1059 - Command and Scripting Interpreter', 'Detects creation or modification of Cloud Functions and Cloud Run services which can be used for persistence, backdoor access, or command execution. Attackers may deploy serverless functions with high-privilege service accounts to maintain access or exfiltrate data.
+
+Next Steps:
+1. Review the function or service code for malicious content
+2. Check the associated service account and its permissions
+3. Verify the deployer identity has authorization
+4. Review the function trigger configuration (HTTP, Pub/Sub, etc.)
+5. Check if the function allows unauthenticated invocations
+6. 
If unauthorized, delete the function and revoke the service account''s permissions
+7. Review invocation logs for the function
+8. Implement Organization Policy to restrict Cloud Function deployment
+', '["https://cloud.google.com/functions/docs/securing","https://attack.mitre.org/techniques/T1059/"]', '((contains("log.protoPayload.serviceName", "cloudfunctions.googleapis.com") &&
+ (contains("log.protoPayload.methodName", "CreateFunction") ||
+ contains("log.protoPayload.methodName", "UpdateFunction"))) ||
+ (contains("log.protoPayload.serviceName", "run.googleapis.com") &&
+ (contains("log.protoPayload.methodName", "CreateService") ||
+ contains("log.protoPayload.methodName", "ReplaceService"))))
+', '2026-02-09 16:31:51.081449', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (161, 'GCP Cryptomining Instance Launch Detection', 1, 2, 3, 'Resource Hijacking', 'T1496 - Resource Hijacking', 'Detects creation of GPU-accelerated or high-compute GCP instances commonly used for cryptomining. Attackers with compromised GCP credentials frequently launch expensive GPU instances (a2, g2) or compute-optimized instances in unusual regions for cryptocurrency mining operations.
+
+Next Steps:
+1. Verify the identity launching the instance and confirm business justification
+2. Check if GPU instances are normally used in this project
+3. Review the instance''s machine type and attached GPU accelerators
+4. Examine the instance image for known mining software
+5. Check billing dashboards for unexpected cost increases
+6. If unauthorized, stop and delete the instance immediately
+7. 
Rotate compromised credentials and review IAM bindings
+8. Implement Organization Policy constraints to restrict GPU instance creation
+', '["https://cloud.google.com/compute/docs/machine-types","https://attack.mitre.org/techniques/T1496/"]', 'contains("log.protoPayload.methodName", "compute.instances.insert") &&
+(contains("log.protoPayload.request.machineType", "a2-") ||
+ contains("log.protoPayload.request.machineType", "g2-") ||
+ contains("log.protoPayload.request.machineType", "n1-highmem-96") ||
+ contains("log.protoPayload.request.machineType", "c2d-highcpu") ||
+ contains("log.protoPayload.request.guestAccelerators", "nvidia"))
+', '2026-02-09 16:31:51.275646', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.resourceName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (162, 'GCP Custom Role with Overly Permissive Permissions', 3, 3, 1, 'Privilege Escalation', 'T1098 - Account Manipulation', 'Detects creation or modification of GCP custom IAM roles which may include overly permissive permissions for privilege escalation. Attackers may create custom roles with broad permissions like iam.serviceAccountKeys.create, iam.serviceAccounts.actAs, or compute.instances.setMetadata to escalate privileges.
+
+Next Steps:
+1. Review the custom role definition and its included permissions
+2. Verify the role follows least privilege principles
+3. Check for high-risk permissions like iam.* or resourcemanager.*
+4. Review the identity creating the role and verify authorization
+5. Check which users or service accounts are bound to the role
+6. If overly permissive, modify the role to include only necessary permissions
+7. 
Implement Organization Policy to restrict custom role creation
+8. Use IAM Recommender to identify and reduce excess permissions
+', '["https://cloud.google.com/iam/docs/creating-custom-roles","https://attack.mitre.org/techniques/T1098/"]', 'contains("log.protoPayload.serviceName", "iam.googleapis.com") &&
+(contains("log.protoPayload.methodName", "CreateRole") ||
+ contains("log.protoPayload.methodName", "UpdateRole"))
+', '2026-02-09 16:31:51.415706', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"}],"or":null,"within":"now-1h","count":2}]', '["lastEvent.log.protoPayload.methodName","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (163, 'GCP probable Defense Evasion, Logging Sink Deletion', 1, 2, 3, 'Defense Evasion', 'T1562 - Impair Defenses', 'Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics are cross-listed here when those techniques include the added benefit of subverting defenses. Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink''s export destination. 
An adversary may delete a Logging sink to evade detection.', '["https://cloud.google.com/logging/docs/export","https://attack.mitre.org/techniques/T1562/","https://attack.mitre.org/tactics/TA0005/"]', 'regexMatch("log.protoPayload.methodName", "((.+)?sink(s)?\\.delete|(.+)?v(\\w+)\\.ConfigServiceV(\\w+)\\.DeleteSink)")
+', '2026-02-09 16:31:51.586614', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (164, 'GCP DLP Re-Identification API Call', 3, 2, 0, 'Collection', 'T1565 - Data Manipulation', 'Detects calls to the DLP re-identification API which reverses data de-identification. This is a sensitive operation that could expose previously protected PII, financial data, or health records. Unauthorized use indicates potential data exfiltration attempts.
+
+Next Steps:
+1. Verify the re-identification request was authorized for the specific use case
+2. Review the data being re-identified and its sensitivity classification
+3. Check the user identity and whether they have legitimate access to this data
+4. Review the destination of the re-identified data
+5. If unauthorized, revoke access and investigate potential data exposure
+6. 
Review DLP API permissions and restrict re-identification access
+', '["https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify","https://attack.mitre.org/techniques/T1565/"]', 'contains("log.protoPayload.methodName", "ReidentifyContent") ||
+contains("log.protoPayload.methodName", "reidentify")
+', '2026-02-09 16:31:51.706281', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.methodName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (165, 'GCP probable Exfiltration, Logging Sink Modification', 3, 2, 2, 'Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they''ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink''s export destination. 
An adversary may update a Logging sink to exfiltrate logs to a different export destination.', '["https://cloud.google.com/logging/docs/export#how_sinks_work","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.sinks#LogSink","https://attack.mitre.org/techniques/T1537/","https://attack.mitre.org/tactics/TA0010/"]', 'regexMatch("log.protoPayload.methodName", "((.+)?sink(s)?\\.update|(.+)?v(\\w+)\\.ConfigServiceV(\\w+)\\.UpdateSink)")
+', '2026-02-09 16:31:51.855561', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (166, 'GCP probable Impact, Storage Bucket Deleted', 1, 2, 3, 'Impact', 'T1485 - Data Destruction', 'Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. 
An adversary may delete a storage bucket in order to disrupt their target''s business operations.', '["https://cloud.google.com/logging/docs/buckets","https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1485/"]', 'regexMatch("log.protoPayload.methodName", "(.+)\\.bucket(s)?\\.delete")
+', '2026-02-09 16:31:52.015936', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (167, 'GCP Domain-Wide API Access Granted', 3, 3, 2, 'Privilege Escalation', 'T1098 - Account Manipulation', 'Detects when domain-wide delegation is granted to a service account in Google Workspace. This allows the service account to impersonate any user in the domain and access their data, making it a high-impact privilege escalation vector.
+
+Next Steps:
+1. Verify the domain-wide delegation was authorized by a domain administrator
+2. Review the OAuth scopes granted to the service account
+3. Check the service account''s usage history and associated project
+4. Verify the scopes follow the principle of least privilege
+5. If unauthorized, revoke the delegation immediately
+6. Audit all API calls made by the service account since the delegation was granted
+7. 
Review Google Workspace admin logs for related changes
+', '["https://cloud.google.com/iam/docs/using-iam-securely","https://attack.mitre.org/techniques/T1098/"]', 'contains("log.protoPayload.methodName", "AUTHORIZE_API_CLIENT_ACCESS") ||
+(contains("log.protoPayload.serviceName", "admin.googleapis.com") && contains("log.protoPayload.methodName", "GrantClientAccess"))
+', '2026-02-09 16:31:52.155979', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (169, 'GCP Network Packet Capture Configuration', 3, 1, 1, 'Credential Access', 'T1040 - Network Sniffing', 'Detects creation or modification of Packet Mirroring configurations in GCP. Attackers use packet mirroring to capture network traffic for credential theft, data exfiltration, or reconnaissance.
+
+Next Steps:
+1. Verify the packet mirroring configuration was authorized for legitimate purposes
+2. Review the mirrored network scope (which subnets, instances, protocols)
+3. Check the collector destination for the mirrored traffic
+4. Identify the user who created the configuration
+5. If unauthorized, delete the packet mirroring policy immediately
+6. Review the mirrored traffic destination for data exfiltration
+7. 
Check for captured credentials or sensitive data +', '["https://cloud.google.com/vpc/docs/packet-mirroring","https://attack.mitre.org/techniques/T1040/"]', 'contains("log.protoPayload.methodName", "PacketMirrorings") && +(contains("log.protoPayload.methodName", "insert") || contains("log.protoPayload.methodName", "patch") || contains("log.protoPayload.methodName", "create")) +', '2026-02-09 16:31:52.445702', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (170, 'GCP KMS Key Destruction or Disabling', 1, 3, 3, 'Impact', 'T1552 - Unsecured Credentials', 'Detects destruction or disabling of Cloud KMS key versions which could render encrypted data unrecoverable. Attackers may destroy encryption keys as part of a destructive attack to prevent data recovery or to disrupt operations dependent on encrypted resources. + +Next Steps: +1. Immediately verify if the KMS key operation was authorized +2. Identify which resources are encrypted with the affected key +3. Check if the key version is in the scheduled destruction period and can be restored +4. Review the identity performing the operation and verify authorization +5. Assess the business impact of the key becoming unavailable +6. If unauthorized, restore the key version immediately during the destruction grace period +7. Implement IAM conditions to restrict KMS key destruction permissions +8. 
Enable Cloud KMS key rotation policies and cross-region key replication +', '["https://cloud.google.com/kms/docs/destroy-restore","https://attack.mitre.org/techniques/T1552/"]', 'contains("log.protoPayload.serviceName", "cloudkms.googleapis.com") && +(contains("log.protoPayload.methodName", "DestroyCryptoKeyVersion") || + contains("log.protoPayload.methodName", "DisableCryptoKeyVersion") || + contains("log.protoPayload.methodName", "UpdateCryptoKeyPrimaryVersion")) +', '2026-02-09 16:31:52.601150', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.resourceName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (171, 'GCP probable Privilege Escalation, Kubernetes role bindings created or patched', 1, 2, 3, 'Privilege Escalation', 'T1548 - Abuse Elevation Control Mechanism', 'Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Identifies the creation or patching of potentially malicious role bindings. 
Users can use role bindings and cluster role bindings to assign roles to Kubernetes subjects (users, groups, or service accounts).', '["https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control","https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/techniques/T1548"]', 'contains("log.protoPayload.methodName", ".rbac") && + regexMatch("log.protoPayload.methodName", ''((.+)\\.)?(cluster)?rolebinding(s)?\\.(create|patch)$'') && + !equals("log.protoPayload.authenticationInfo.principalEmail", "system:addon-manager") +', '2026-02-09 16:31:52.755706', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (172, 'GKE Kubernetes Admission Webhook Modified', 3, 3, 2, 'Persistence', 'T1078.004 - Valid Accounts: Cloud Accounts', 'Detects creation or modification of admission webhook configurations in Google Kubernetes Engine. Attackers use malicious admission controllers to inject sidecar containers, modify workload specs, or intercept secrets. + +Next Steps: +1. Review the webhook configuration and its target service endpoint +2. Verify the webhook was deployed as part of a legitimate application +3. Check the namespace selector and object rules for the webhook +4. Examine what Kubernetes resources the webhook intercepts +5. If unauthorized, delete the webhook and audit all recent workload deployments +6. 
Review cluster RBAC for webhook management permissions +', '["https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/","https://attack.mitre.org/techniques/T1078/004/"]', 'contains("log.protoPayload.methodName", "admissionregistration.k8s.io") && +(contains("log.protoPayload.methodName", "mutatingwebhookconfigurations") || contains("log.protoPayload.methodName", "validatingwebhookconfigurations")) && +(contains("log.protoPayload.methodName", "create") || contains("log.protoPayload.methodName", "update") || contains("log.protoPayload.methodName", "patch")) +', '2026-02-09 16:31:52.890744', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.resourceName"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (173, 'GCP Project Manipulation and Shadow Projects', 2, 3, 3, 'Account Manipulation', 'T1578 - Modify Cloud Compute Infrastructure', 'Detects GCP project creation, deletion, and undelete operations that could indicate shadow project creation for persistence or project deletion for impact. Attackers may create new projects outside organizational controls to host malicious workloads. + +Next Steps: +1. Verify the project creation or deletion was authorized +2. Check if the new project is within the expected folder hierarchy +3. Review the project''s billing account association +4. Examine IAM bindings on the new project for overly permissive access +5. Check if Organization Policies are applied to the new project +6. If unauthorized, shut down the project and investigate the creating identity +7. Implement Organization Policy constraints for project creation +8. 
Enable alerts for projects created outside approved folders +', '["https://cloud.google.com/resource-manager/docs/creating-managing-projects","https://attack.mitre.org/techniques/T1578/"]', 'contains("log.protoPayload.serviceName", "cloudresourcemanager.googleapis.com") && +(contains("log.protoPayload.methodName", "CreateProject") || + contains("log.protoPayload.methodName", "DeleteProject") || + contains("log.protoPayload.methodName", "UndeleteProject")) +', '2026-02-09 16:31:53.040913', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.methodName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (191, 'AWS EC2 Flow Log Deletion', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). 
An adversary may delete flow logs in an attempt to evade defenses', '["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html","https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html","https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/"]', 'equals("log.eventSource", "ec2.amazonaws.com") && +equals("log.eventName", "DeleteFlowLogs") +', '2026-02-09 16:32:22.900581', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (174, 'GCP Secret Manager Bulk Access Detection', 3, 1, 1, 'Credential Access', 'T1552 - Unsecured Credentials', 'Detects bulk access to GCP Secret Manager secrets which may indicate credential harvesting. Attackers who gain access to a GCP project may enumerate and retrieve all stored secrets to obtain API keys, database credentials, and other sensitive data. + +Next Steps: +1. Review which secrets were accessed and their sensitivity classification +2. Verify the identity accessing the secrets has legitimate need +3. Check the access pattern for unusual timing or volume +4. Review the caller''s IP address and user agent for anomalies +5. Determine if the accessed secrets have been used from unauthorized locations +6. If unauthorized, rotate all accessed secrets immediately +7. Review Secret Manager IAM bindings and apply least privilege +8. 
Enable VPC Service Controls to restrict secret access +', '["https://cloud.google.com/secret-manager/docs/audit-logging","https://attack.mitre.org/techniques/T1552/"]', 'contains("log.protoPayload.serviceName", "secretmanager.googleapis.com") && +contains("log.protoPayload.methodName", "AccessSecretVersion") +', '2026-02-09 16:31:53.196255', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"},{"field":"log.protoPayload.methodName","operator":"filter_term","value":"AccessSecretVersion"}],"or":null,"within":"now-15m","count":5}]', '["lastEvent.log.protoPayload.methodName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (175, 'GCP Service Account Impersonation Detection', 3, 3, 1, 'Credential Access', 'T1550.001 - Use Alternate Authentication Material: Application Access Token', 'Detects service account impersonation through token generation APIs including GenerateAccessToken, GenerateIdToken, and SignBlob. Attackers may impersonate service accounts to escalate privileges or access resources the service account has been granted. + +Next Steps: +1. Verify the identity performing the impersonation is authorized +2. Check the target service account and its IAM bindings +3. Review the permissions available through the impersonated service account +4. Examine the API calls made using the generated token +5. Verify if the impersonation is part of a legitimate workload chain +6. If unauthorized, remove the iam.serviceAccountTokenCreator role from the caller +7. 
Review the service account''s access patterns for anomalies +8. Implement Organization Policy constraints to limit service account impersonation +', '["https://cloud.google.com/iam/docs/create-short-lived-credentials-direct","https://attack.mitre.org/techniques/T1550/001/"]', '(contains("log.protoPayload.methodName", "GenerateAccessToken") || + contains("log.protoPayload.methodName", "GenerateIdToken") || + contains("log.protoPayload.methodName", "SignBlob") || + contains("log.protoPayload.methodName", "SignJwt")) && +contains("log.protoPayload.serviceName", "iamcredentials.googleapis.com") +', '2026-02-09 16:31:53.355739', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.protoPayload.methodName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (176, 'GCP probable Password Guessing', 3, 3, 2, 'Credential Access', 'T1110.001 - Brute Force: Password Guessing', 'Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. 
Password guessing may or may not take into account the target''s policies on password complexity or use policies that may lock accounts out after a number of failed attempts.', '["https://attack.mitre.org/tactics/TA0006","https://attack.mitre.org/techniques/T1110/001/"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.loginFailure") && exists("log.protoPayload.authenticationInfo.principalEmail") +', '2026-02-09 16:31:53.495735', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.methodName","operator":"filter_term","value":"google.login.LoginService.loginFailure"},{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"}],"or":null,"within":"now-5m","count":5}]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (177, 'GCP Cloud Storage Data Exfiltration', 3, 1, 1, 'Data Exfiltration', 'T1530 - Data from Cloud Storage Object', 'Detects GCP Cloud Storage operations indicating potential data exfiltration including making buckets publicly accessible, modifying IAM policies to grant allUsers access, or bulk object downloads. These actions may indicate an attacker attempting to exfiltrate data from cloud storage. + +Next Steps: +1. Review the affected bucket and its data classification +2. Check if the bucket was made publicly accessible +3. Verify the identity making the change has authorization +4. Review the IAM policy changes for allUsers or allAuthenticatedUsers bindings +5. Check for bulk GetObject operations following the policy change +6. 
If unauthorized, revert the bucket IAM policy and enable uniform bucket-level access +7. Review VPC Service Controls for the project +8. Enable Cloud Storage audit logging for data access events +', '["https://cloud.google.com/storage/docs/access-control","https://attack.mitre.org/techniques/T1530/"]', 'contains("log.protoPayload.serviceName", "storage.googleapis.com") && +(contains("log.protoPayload.methodName", "storage.setIamPermissions") || + contains("log.protoPayload.methodName", "storage.buckets.update") || + contains("log.protoPayload.methodName", "storage.objects.update")) && +(contains("log.protoPayload.request.policy.bindings", "allUsers") || + contains("log.protoPayload.request.policy.bindings", "allAuthenticatedUsers") || + contains("log.protoPayload.request.acl", "allUsers")) +', '2026-02-09 16:31:53.651061', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.resourceName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (178, 'GCP suspicious login blocked', 1, 2, 3, 'Initial Access', 'T1078 - Valid Accounts', 'A suspicious login to a user''s account was detected and blocked by Google Cloud.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1078"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.suspiciousLogin") +', '2026-02-09 16:31:53.800613', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, 
rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (179, 'GCP suspicious programmatic login', 1, 2, 3, 'Credential Access', 'T1110 - Brute Force', 'Google Cloud has detected a suspicious programmatic login. Programmatic login can be use to perform brute force attack.', '["https://attack.mitre.org/tactics/TA0006","https://attack.mitre.org/techniques/T1110"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.suspiciousProgrammaticLogin") +', '2026-02-09 16:31:53.930971', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (180, 'GCP suspicious login from less secure app', 1, 2, 3, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Less secure apps (LSAs) are non-Google apps that can access your Google account with only a username and password. 
They make your account more vulnerable to hijacking attempts.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1190"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.suspiciousLoginLessSecureApp") +', '2026-02-09 16:31:54.081040', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (181, 'GCP Workload Identity Federation Abuse', 3, 3, 1, 'Credential Access', 'T1078 - Valid Accounts', 'Detects creation or modification of workload identity pools and providers that enable external identities to access GCP resources. Attackers may create workload identity configurations to grant access to external attacker-controlled identity providers for persistent cloud access. + +Next Steps: +1. Review the workload identity pool and provider configuration +2. Verify the external identity provider is trusted and authorized +3. Check the attribute mappings and conditions for overly permissive access +4. Review which service accounts are bound to the workload identity pool +5. Verify the change was authorized through security change management +6. If unauthorized, delete the workload identity pool and revoke associated permissions +7. Audit all existing workload identity configurations for unauthorized providers +8. 
Implement Organization Policy to restrict workload identity pool creation +', '["https://cloud.google.com/iam/docs/workload-identity-federation","https://attack.mitre.org/techniques/T1078/"]', 'contains("log.protoPayload.serviceName", "iam.googleapis.com") && +(contains("log.protoPayload.methodName", "CreateWorkloadIdentityPool") || + contains("log.protoPayload.methodName", "CreateWorkloadIdentityPoolProvider") || + contains("log.protoPayload.methodName", "UpdateWorkloadIdentityPool") || + contains("log.protoPayload.methodName", "UpdateWorkloadIdentityPoolProvider")) +', '2026-02-09 16:31:54.231322', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.methodName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (182, 'Google Workspace MFA Enforcement Disabled', 3, 3, 1, 'Defense Evasion', 'T1556 - Modify Authentication Process', 'Detects when MFA enforcement is disabled in Google Workspace. Disabling MFA removes a critical security control and enables credential-based attacks against all users in the organization. + +Next Steps: +1. Immediately verify if the MFA policy change was authorized +2. Identify the admin who made the change and their authorization +3. Check for brute force or credential stuffing attempts following the change +4. Re-enable MFA enforcement immediately if unauthorized +5. Review all sign-ins that occurred while MFA was disabled +6. Check for other security policy changes from the same admin +7. 
Audit admin roles and consider implementing super admin 2SV enforcement +', '["https://support.google.com/a/answer/9176657","https://attack.mitre.org/techniques/T1556/"]', 'contains("log.protoPayload.methodName", "ENFORCE_STRONG_AUTHENTICATION") || +(contains("log.protoPayload.serviceName", "admin.googleapis.com") && contains("log.protoPayload.methodName", "2sv") && contains("log.protoPayload.request", "disable")) +', '2026-02-09 16:31:54.385470', true, false, 'origin', null, '[]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.methodName"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (183, 'Google Cloud Service Account Key Creation Spike', 3, 3, 2, 'Credential Access', 'Account Manipulation', 'Detects spikes in service account key creation which could indicate credential harvesting or preparation for unauthorized access. Service account keys provide long-term credentials that can be used to authenticate as the service account. Multiple key creations by the same user within a short timeframe may indicate malicious activity or preparation for privilege escalation attacks. + +Next Steps: +1. Investigate the user account creating multiple service account keys +2. Review the service accounts for which keys were created and their permissions +3. Check if the key creation was authorized and follows organizational policies +4. Examine subsequent activities performed using these service account credentials +5. Verify if the keys were created from expected IP addresses and locations +6. Review access patterns and identify any unusual resource access or API calls +7. 
Consider rotating or disabling the created keys if unauthorized activity is confirmed +', '["https://cloud.google.com/iam/docs/audit-logging/examples-service-accounts","https://attack.mitre.org/techniques/T1098/001/"]', 'equals("log.protoPayload.methodName", "google.iam.admin.v1.CreateServiceAccountKey") && +equals("log.protoPayload.serviceName", "iam.googleapis.com") +', '2026-02-09 16:31:54.535563', true, false, 'origin', null, '[{"indexPattern":"v11-log-google-*","with":[{"field":"log.protoPayload.authenticationInfo.principalEmail","operator":"filter_term","value":"{{log.protoPayload.authenticationInfo.principalEmail}}"}],"or":null,"within":"now-1h","count":5}]', '["lastEvent.log.protoPayload.authenticationInfo.principalEmail","lastEvent.log.protoPayload.methodName"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (184, 'GCP 2-step verification disabled', 1, 2, 3, 'Defense Evasion', 'T1562 - Impair Defenses', 'Google Cloud has detected that 2-step verification was disabled for the organization or a user', '["https://attack.mitre.org/tactics/TA0005","https://attack.mitre.org/techniques/T1562/"]', 'equals("log.protoPayload.methodName", "google.login.LoginService.2svDisable") +', '2026-02-09 16:31:54.675123', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (185, 'AWS IAM Brute Force of Assume Role Policy', 3, 2, 1, 
'Credential Access', 'T1110 - Brute Force', 'Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role', '["https://attack.mitre.org/tactics/TA0006/","https://attack.mitre.org/techniques/T1110/","https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities","https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"]', 'equals("log.eventSource", "iam.amazonaws.com") && +equals("log.eventName", "UpdateAssumeRolePolicy") && +equals("log.errorCode", "MalformedPolicyDocumentException") +', '2026-02-09 16:32:22.046334', true, false, 'origin', null, '[{"indexPattern":"v11-log-aws-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (186, 'AWS Management Console Brute Force of Root User Identity', 3, 2, 1, 'Credential Access', 'T1110 - Brute Force', 'Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. 
An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account', '["https://attack.mitre.org/tactics/TA0006/","https://attack.mitre.org/techniques/T1110/","https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]', 'equals("log.eventSource", "signin.amazonaws.com") && +equals("log.eventName", "ConsoleLogin") && +equals("log.userIdentityType", "root") && +(exists("log.errorCode") || exists("log.errorMessage")) +', '2026-02-09 16:32:22.185809', true, false, 'origin', null, '[{"indexPattern":"v11-log-aws-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (187, 'AWS CloudTrail Log Suspended', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. 
An adversary may suspend trails in an attempt to evade defenses', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"]', 'equals("log.eventSource", "cloudtrail.amazonaws.com") && +equals("log.eventName", "StopLogging") +', '2026-02-09 16:32:22.325347', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (193, 'AWS S3 Bucket Configuration Deletion', 3, 2, 2, 'Defense Evasion', 'T1070 - Indicator Removal', 'Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components', '["https://attack.mitre.org/techniques/T1070/","https://attack.mitre.org/tactics/TA0005/","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html","https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"]', 'equals("log.eventSource", "s3.amazonaws.com") && +oneOf("log.eventName", ["DeleteBucketPolicy", "DeleteBucketReplication", +"DeleteBucketCors", "DeleteBucketEncryption", "DeleteBucketLifecycle"]) +', '2026-02-09 16:32:23.205749', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, 
rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (194, 'AWS WAF Access Control List Deletion', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html","https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"]', 'oneOf("log.eventSource", ["waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"]) && +equals("log.eventName", "DeleteWebACL") +', '2026-02-09 16:32:23.365484', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (195, 'AWS WAF Rule or Rule Group Deletion', 3, 2, 2, 'Defense Evasion', 'T1562 - Impair Defenses', 'Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html","https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"]', 'oneOf("log.eventSource", ["waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"]) && +(equals("log.eventName", "DeleteRule") || equals("log.eventName", "DeleteRuleGroup")) +', '2026-02-09 
16:32:23.525382', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (196, 'AWS EC2 Snapshot Activity', 3, 2, 2, 'Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account', '["https://attack.mitre.org/tactics/TA0010/","https://attack.mitre.org/techniques/T1537/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html","https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"]', 'equals("log.eventSource", "ec2.amazonaws.com") && +equals("log.eventName", "ModifySnapshotAttribute") +', '2026-02-09 16:32:23.686140', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (197, 'AWS EC2 VM Export Failure', 3, 2, 2, 'Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Identifies an attempt to export an AWS EC2 instance. 
A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information', '["https://attack.mitre.org/techniques/T1537/","https://attack.mitre.org/tactics/TA0010/","https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1005/","https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"]', 'equals("log.eventSource", "ec2.amazonaws.com") && +equals("log.eventName", "CreateInstanceExportTask") +', '2026-02-09 16:32:23.826345', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (198, 'AWS EC2 Full Network Packet Capture Detected', 3, 2, 2, 'Exfiltration', 'T1020 - Automated Exfiltration', 'Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface. 
This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic', '["https://attack.mitre.org/tactics/TA0010/","https://attack.mitre.org/techniques/T1020/","https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1074/","https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html","https://github.com/easttimor/aws-incident-response"]', 'equals("log.eventSource", "ec2.amazonaws.com") && +(equals("log.eventName", "CreateTrafficMirrorFilter") || +equals("log.eventName", "CreateTrafficMirrorFilterRule") || +equals("log.eventName", "CreateTrafficMirrorSession") || +equals("log.eventName", "CreateTrafficMirrorTarget")) +', '2026-02-09 16:32:23.985624', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (199, 'AWS RDS Snapshot Export', 3, 2, 2, 'Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot', '["https://attack.mitre.org/tactics/TA0010/","https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"]', 'equals("log.eventSource", "rds.amazonaws.com") && +equals("log.eventName", "StartExportTask") +', '2026-02-09 16:32:24.165485', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, 
rule_after_events_def, rule_group_by_def) values (200, 'AWS CloudTrail Log Updated', 2, 2, 1, 'Impact', 'T1565 - Data Manipulation', 'Identifies an update to an AWS log trail setting that specifies the delivery of log files', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1565/","https://attack.mitre.org/tactics/TA0009/","https://attack.mitre.org/techniques/T1530/","https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"]', 'equals("log.eventSource", "cloudtrail.amazonaws.com") && +equals("log.eventName", "UpdateTrail") +', '2026-02-09 16:32:24.305385', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (201, 'AWS CloudWatch Log Group Deletion', 3, 2, 2, 'Impact', 'T1485 - Data Destruction', 'Identifies the deletion of a specified AWS CloudWatch log group. 
When a log group is deleted, all the archived log events associated with the log group are also permanently deleted', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1485/","https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html","https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"]', 'equals("log.eventSource", "logs.amazonaws.com") && +equals("log.eventName", "DeleteLogGroup") +', '2026-02-09 16:32:24.486458', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (202, 'AWS CloudWatch Log Stream Deletion', 3, 2, 2, 'Impact', 'T1485 - Data Destruction', 'Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1485/","https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1562/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html","https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"]', 'equals("log.eventSource", "logs.amazonaws.com") && +equals("log.eventName", "DeleteLogStream") +', '2026-02-09 16:32:24.640434', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, 
rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (203, 'AWS EC2 Encryption Disabled', 3, 2, 2, 'Impact', 'T1565 - Data Manipulation', 'Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1565/","https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html","https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"]', 'equals("log.eventSource", "ec2.amazonaws.com") && +equals("log.eventName", "DisableEbsEncryptionByDefault") +', '2026-02-09 16:32:24.801028', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (204, 'AWS IAM Deactivation of MFA Device', 3, 2, 2, 'Impact', 'T1531 - Account Access Removal', 'Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. 
In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1531/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html","https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"]', 'equals("log.eventSource", "iam.amazonaws.com") && +oneOf("log.eventName", ["DeactivateMFADevice", "DeleteVirtualMFADevice"]) +', '2026-02-09 16:32:25.205887', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (205, 'AWS RDS Cluster Deletion', 3, 2, 2, 'Impact', 'T1485 - Data Destruction', 'Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster', '["https://attack.mitre.org/tactics/TA0040/","https://attack.mitre.org/techniques/T1485/","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html","https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html","https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html","https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"]', 'equals("log.eventSource", "rds.amazonaws.com") && +oneOf("log.eventName", ["DeleteDBCluster", "DeleteGlobalCluster"]) +', '2026-02-09 16:32:25.302156', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, 
rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (206, 'AWS Management Console Root Login', 3, 3, 3, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies a successful login to the AWS Management Console by the Root user.
Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases.
Potential false positives
It’s strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1078/","https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]', 'equals("log.eventSource", "signin.amazonaws.com") && +equals("log.eventName", "ConsoleLogin") && +equals("log.userIdentityType", "root") +', '2026-02-09 16:32:25.445928', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (207, 'AWS IAM Password Recovery Requested', 2, 1, 0, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.
Potential false positives
Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1078/","https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"]', 'equals("log.eventSource", "signin.amazonaws.com") && +equals("log.eventName", "PasswordRecoveryRequested") +', '2026-02-09 16:32:25.576265', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (208, 'AWS Route 53 Domain Transfer Lock Disabled', 3, 2, 2, 'Persistence', 'T1098 - Account Manipulation', 'Identifies when a transfer lock was removed from a Route 53 domain. 
It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar', '["https://attack.mitre.org/tactics/TA0003/","https://attack.mitre.org/techniques/T1098/","https://attack.mitre.org/tactics/TA0006/","https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html","https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"]', 'equals("log.eventSource", "route53.amazonaws.com") && +equals("log.eventName", "DisableDomainTransferLock") +', '2026-02-09 16:32:25.706232', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (209, 'AWS Execution via System Manager', 2, 1, 1, 'Initial Access', 'T1566 - Phishing', 'Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands
Potential false positives
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.', '["https://attack.mitre.org/tactics/TA0001/","https://attack.mitre.org/techniques/T1566/","https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"]', 'equals("log.eventSource", "ssm.amazonaws.com") && +equals("log.eventName", "SendCommand") +', '2026-02-09 16:32:25.836057', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (210, 'AWS IAM Assume Role Policy Update', 2, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies attempts to modify an AWS IAM Assume Role Policy. 
An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role', '["https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/techniques/T1078/","https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]', 'equals("log.eventSource", "iam.amazonaws.com") && +equals("log.eventName", "UpdateAssumeRolePolicy") +', '2026-02-09 16:32:25.981039', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (211, 'AWS Route 53 Domain Transferred to Another Account', 3, 3, 3, 'Persistence', 'T1098 - Account Manipulation', 'Identifies when a request has been made to transfer a Route 53 domain to another AWS account', '["https://attack.mitre.org/tactics/TA0003/","https://attack.mitre.org/techniques/T1098/","https://attack.mitre.org/tactics/TA0006/","https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"]', 'equals("log.eventSource", "route53.amazonaws.com") && +equals("log.eventName", "TransferDomainToAnotherAwsAccount") +', '2026-02-09 16:32:26.116118', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (212, 'AWS Root Login Without MFA', 3, 2, 2, 'Initial Access', 'T1078 - Valid Accounts', 'Identifies attempts to login to AWS as the root user without 
using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA', '["https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/techniques/T1078/","https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]', 'equals("log.eventSource", "signin.amazonaws.com") && +equals("log.eventName", "ConsoleLogin") && +equals("log.userIdentityType", "root") && +equals("log.additionalEventData.MFAUsed", "no") +', '2026-02-09 16:32:26.265969', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (213, 'Apache API Endpoint Enumeration Detection', 2, 1, 1, 'Discovery', 'T1087 - Account Discovery', 'Detects rapid sequential API endpoint enumeration by identifying multiple 404/405 responses from the same source IP in a short time window. This indicates an attacker systematically probing for valid API endpoints, hidden resources, or vulnerable paths. + +Next Steps: +1. Review the sequence of requested paths to identify the enumeration pattern +2. Check if any valid endpoints were discovered during the scan +3. Assess whether sensitive API documentation or endpoints were exposed +4. Implement rate limiting on the affected endpoints +5. Consider deploying a WAF with API protection capabilities +6. 
Block the source IP if scanning is confirmed +', '["https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/","https://attack.mitre.org/techniques/T1087/"]', 'exists("origin.ip") && +(equals("log.statusCode", 404) || equals("log.statusCode", 405)) && +exists("origin.path") && +( + contains("origin.path", "/api/") || + contains("origin.path", "/v1/") || + contains("origin.path", "/v2/") || + contains("origin.path", "/v3/") || + contains("origin.path", "/rest/") || + contains("origin.path", "/graphql") || + contains("origin.path", "/swagger") || + contains("origin.path", "/openapi") || + contains("origin.path", "/.env") || + contains("origin.path", "/.git") || + contains("origin.path", "/debug") || + contains("origin.path", "/actuator") || + contains("origin.path", "/healthcheck") || + contains("origin.path", "/metrics") +) +', '2026-02-09 16:37:01.731831', true, false, 'origin', '["adversary.ip","target.ip"]', '[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.statusCode","operator":"filter_term","value":"404"}],"or":[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.statusCode","operator":"filter_term","value":"405"}],"or":null,"within":"now-5m","count":20}],"within":"now-5m","count":20}]', null); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (214, 'Apache CVE Path Traversal and RCE Detection', 3, 3, 3, 'Exploitation', 'T1190 - Exploit Public-Facing Application', 'Detects exploitation attempts targeting known Apache HTTP Server CVEs including 
CVE-2021-41773 and CVE-2021-42013 path traversal/RCE vulnerabilities, as well as other Apache-specific attack patterns that enable remote code execution. + +Next Steps: +1. Immediately verify the Apache version running on the target server +2. Check if the path traversal or RCE attempt was successful (200 status code) +3. Review the server for signs of compromise or unauthorized file access +4. Patch Apache to the latest version immediately +5. Check for reverse shells or dropped files on the server +6. Block the source IP and review firewall rules +', '["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013","https://attack.mitre.org/techniques/T1190/"]', 'exists("origin.ip") && +exists("origin.path") && +( + contains("origin.path", ".%2e/") || + contains("origin.path", "%2e%2e/") || + contains("origin.path", "%%32%65") || + contains("origin.path", ".%%32%65/") || + contains("origin.path", "%2e%%32%65/") || + contains("origin.path", "%%32%65%%32%65/") || + (contains("origin.path", "/cgi-bin/") && contains("origin.path", "%2e%2e")) || + (contains("origin.path", "/icons/") && contains("origin.path", "%2e%2e")) || + regexMatch("origin.path", "(?i)/cgi-bin/.*\\.(sh|pl|py|cgi)\\?") || + contains("origin.path", "/server-status") || + contains("origin.path", "/server-info") +) +', '2026-02-09 16:37:01.872197', true, false, 'origin', null, '[]', '["adversary.ip","adversary.path"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (215, 'Apache Slowloris DoS Attack Detection', 0, 0, 3, 'Denial of Service', 'T1499.001 - Endpoint Denial of Service: OS Exhaustion Flood', 'Detects Slowloris-style slow HTTP denial of 
service attacks by identifying patterns of incomplete requests, connection timeouts, and excessive concurrent connections from a single source IP. Slowloris exhausts server resources by holding connections open with partial HTTP requests. + +Next Steps: +1. Check Apache connection status and active connection counts +2. Identify the source IPs with the most concurrent connections +3. Review Apache error logs for timeout and connection reset messages +4. Implement connection timeouts and mod_reqtimeout if not already configured +5. Consider rate limiting connections per IP at the firewall level +6. Deploy a reverse proxy or CDN with DDoS protection +', '["https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/","https://attack.mitre.org/techniques/T1499/001/"]', 'exists("origin.ip") && +( + (exists("log.message") && ( + contains("log.message", "request failed: error reading the headers") || + contains("log.message", "AH01382") || + contains("log.message", "AH00567") || + contains("log.message", "client denied by server configuration") || + contains("log.message", "Timeout waiting for output from CGI script") || + contains("log.message", "incomplete headers") || + contains("log.message", "request body read timeout") + )) || + (exists("log.errorCode") && ( + equals("log.errorCode", "408") || + equals("log.errorCode", "AH01382") || + equals("log.errorCode", "AH00567") + )) +) +', '2026-02-09 16:37:02.012276', true, false, 'origin', '["adversary.ip","target.ip"]', '[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.message","operator":"filter_match","value":"timeout OR incomplete OR headers OR AH01382 OR AH00567"}],"or":null,"within":"now-5m","count":15}]', null); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, 
rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (216, 'Apache SSRF Attack Detection', 3, 2, 1, 'Server-Side Request Forgery', 'T1090 - Proxy', 'Detects Server-Side Request Forgery (SSRF) attempts by identifying requests containing internal IP addresses, cloud metadata endpoints, or localhost references in URL parameters. Attackers use SSRF to access internal services, cloud instance metadata, or pivot to internal networks. + +Next Steps: +1. Review the full request URL and parameters for internal IP or metadata references +2. Identify the application endpoint being targeted for SSRF +3. Check if any internal services were successfully accessed +4. Review application code for improper URL validation +5. Block the source IP if confirmed malicious +6. Implement URL allowlisting and SSRF protections in the application +', '["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery","https://attack.mitre.org/techniques/T1090/"]', 'exists("origin.ip") && +exists("origin.path") && +( + contains("origin.path", "169.254.169.254") || + contains("origin.path", "metadata.google.internal") || + contains("origin.path", "metadata.azure.com") || + regexMatch("origin.path", "(?i)(url|redirect|next|target|dest|uri|path|file|page|go|return|out|view|load|fetch)=.*(127\\.0\\.0\\.1|localhost|0\\.0\\.0\\.0|10\\.[0-9]+\\.[0-9]+\\.[0-9]+|172\\.(1[6-9]|2[0-9]|3[01])\\.[0-9]+\\.[0-9]+|192\\.168\\.[0-9]+\\.[0-9]+)") || + regexMatch("origin.path", "(?i)(url|redirect|next|target|dest|uri|path|file|page|go|return|out|view|load|fetch)=https?://(127\\.0\\.0\\.1|localhost|0\\.0\\.0\\.0)") || + contains("origin.path", "file:///") || + contains("origin.path", "gopher://") || + contains("origin.path", "dict://") || + contains("origin.path", "ftp://127") || + contains("origin.path", "ftp://localhost") +) +', '2026-02-09 16:37:02.167020', true, false, 'origin', null, 
'[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"origin.path","operator":"filter_match","value":"169.254.169.254 OR localhost OR 127.0.0.1 OR metadata OR file:// OR gopher://"}],"or":null,"within":"now-10m","count":3}]', '["adversary.ip","adversary.path"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (217, 'Apache Server-Side Template Injection Detection', 3, 3, 2, 'Code Injection', 'T1059 - Command and Scripting Interpreter', 'Detects Server-Side Template Injection (SSTI) payloads in Apache web server requests. Attackers inject template syntax to execute arbitrary code on the server through template engines like Jinja2, Twig, Freemarker, or Velocity. + +Next Steps: +1. Review the request URL and parameters for template injection payloads +2. Identify the template engine used by the target application +3. Check if any payloads were successfully rendered or executed +4. Review application code for unsafe template rendering +5. Implement input sanitization and template sandboxing +6. 
Block the source IP if confirmed malicious +', '["https://portswigger.net/research/server-side-template-injection","https://attack.mitre.org/techniques/T1059/"]', 'exists("origin.ip") && +exists("origin.path") && +( + regexMatch("origin.path", "(?i)\\{\\{[0-9]+\\*[0-9]+\\}\\}") || + regexMatch("origin.path", "(?i)\\$\\{[0-9]+\\*[0-9]+\\}") || + regexMatch("origin.path", "(?i)\\{\\{.*config.*\\}\\}") || + regexMatch("origin.path", "(?i)\\{\\{.*__class__.*\\}\\}") || + regexMatch("origin.path", "(?i)\\{\\{.*__import__.*\\}\\}") || + regexMatch("origin.path", "(?i)\\{\\{.*__builtins__.*\\}\\}") || + regexMatch("origin.path", "(?i)\\$\\{.*Runtime.*\\}") || + regexMatch("origin.path", "(?i)\\$\\{.*getRuntime.*\\}") || + regexMatch("origin.path", "(?i)#\\{.*Runtime.*\\}") || + contains("origin.path", "${T(java.lang") || + contains("origin.path", "#{T(java.lang") || + contains("origin.path", "__mro__") || + contains("origin.path", "__subclasses__") || + contains("origin.path", "{{request.") || + contains("origin.path", "${request.") +) +', '2026-02-09 16:37:02.331526', true, false, 'origin', null, '[{"indexPattern":"v11-log-apache-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"origin.path","operator":"filter_match","value":"__class__ OR __import__ OR Runtime OR __subclasses__ OR __mro__"}],"or":null,"within":"now-10m","count":3}]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (218, 'Apache Web Shell Access Detection', 3, 3, 2, 'Persistence', 'T1505.003 - Server Software Component: Web Shell', 'Detects access to known web shell file paths and suspicious PHP/JSP/ASP file access patterns that indicate web 
shell activity. Web shells provide persistent remote access to compromised web servers.
+
+Next Steps:
+1. Immediately investigate the accessed file path on the web server
+2. Check if the file exists and examine its contents for malicious code
+3. Review file creation timestamps and upload vectors
+4. Scan the web directory for additional web shells
+5. Check for lateral movement from the web server
+6. Remove the web shell and patch the upload vulnerability
+', '["https://www.microsoft.com/en-us/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/","https://attack.mitre.org/techniques/T1505/003/"]', 'exists("origin.ip") &&
+exists("origin.path") &&
+(
+ regexMatch("origin.path", "(?i)/(c99|r57|b374k|alfa|wso|madspot|mini|phpspy|cgitelnet|shell|cmd|eval|backdoor|hack|upload|filemanager)\\.(php|jsp|asp|aspx|cgi)") ||
+ regexMatch("origin.path", "(?i)/(wp-content|wp-includes|wp-admin)/.*\\.(php|phtml|php[3-7])\\?.*=") ||
+ regexMatch("origin.path", "(?i)\\.(php|jsp|asp|aspx)\\?(cmd|exec|command|shell|c|e|id|pass)=") ||
+ contains("origin.path", "/webshell") ||
+ contains("origin.path", "/c99.php") ||
+ contains("origin.path", "/r57.php") ||
+ contains("origin.path", "/b374k.php") ||
+ contains("origin.path", "/WSO.php") ||
+ contains("origin.path", "/alfa.php") ||
+ contains("origin.path", "/adminer.php") ||
+ contains("origin.path", "/phpspy.php")
+) &&
+greaterOrEqual("log.statusCode", 200) &&
+lessThan("log.statusCode", 400)
+', '2026-02-09 16:37:02.466959', true, false, 'origin', null, '[]', '["adversary.ip","adversary.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (219, 'Apache XXE Injection Attack Detection', 3, 2, 2, 'XML Injection', 'T1190 - Exploit 
Public-Facing Application', 'Detects XML External Entity (XXE) injection payloads in Apache web server requests. XXE attacks can lead to file disclosure, SSRF, denial of service, and remote code execution by exploiting XML parsers that process external entity definitions.
+
+Next Steps:
+1. Review the request body and headers for XML payloads with external entities
+2. Identify the application endpoint processing XML input
+3. Check if sensitive files were disclosed (e.g., /etc/passwd, web.config)
+4. Disable external entity processing in XML parsers
+5. Implement input validation for XML content
+6. Block the source IP if confirmed malicious
+', '["https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing","https://attack.mitre.org/techniques/T1190/"]', 'exists("origin.ip") &&
+(
+ (exists("origin.path") && (
+ regexMatch("origin.path", "(?i)]*>") ||
+ regexMatch("target.path", "(?i)(onerror|onload|onmouseover|onclick|onfocus|onblur)\\s*=") ||
+ contains("target.path", "javascript:") ||
+ contains("target.path", "vbscript:") ||
+ regexMatch("target.path", "(?i)<(img|svg|body|iframe|input|div|a)\\s+[^>]*(on\\w+)=") ||
+ contains("target.path", "%3Cscript") ||
+ contains("target.path", "%3cscript") ||
+ regexMatch("target.path", "(?i)document\\.(cookie|location|write)") ||
+ regexMatch("target.path", "(?i)(alert|confirm|prompt)\\s*\\(") ||
+ contains("target.path", "<script") ||
+ contains("target.path", "data:text/html")
+)
+', '2026-02-09 16:37:07.071599', true, false, 'origin', null, '[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"target.path","operator":"filter_match","value":"script OR onerror OR onload OR javascript OR alert"}],"or":null,"within":"now-10m","count":5}]', '["adversary.ip","target.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, 
rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (434, 'System Linux: System Log File Deletion', 3, 3, 3, 'Defense Evasion', 'T1070.002 - Indicator Removal', 'Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1070/002/"]', 'regexMatch("log.message", "(/var/run/utmp|/var/log/wtmp|/var/log/btmp|/var/log/lastlog|/var/log/faillog|/var/log/syslog|/var/log/messages|/var/log/secure|/var/log/auth.log|/var/log/boot.log|/var/log/kern.log)") && !contains("log.message", "gzip") && regexMatch("log.message", "(rm |shred -u)")', '2026-02-09 16:51:29.207828', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (250, 'IIS ISAPI Filter Exploitation Attempt', 3, 3, 3, 'Lateral Movement', 'T1210 - Exploitation of Remote Services', 'Detects attempts to exploit ISAPI filter vulnerabilities in IIS, including buffer overflow attempts and malicious extension access patterns. This rule identifies suspicious requests targeting DLL files, script directories, and other ISAPI-related endpoints that could indicate exploitation attempts.
+
+Next Steps:
+1. Analyze the target path and HTTP method to understand the attack vector
+2. Review the response time and status code for signs of successful exploitation
+3. Examine the user agent string for embedded script content or encoding
+4. 
Check for additional requests from the same IP to identify attack patterns
+5. Verify if the targeted ISAPI extensions are legitimate and properly secured
+6. Review IIS logs for any successful authentication or privilege escalation
+7. Implement additional monitoring for the affected server and check for signs of persistence
+8. Review firewall logs to identify any outbound connections from the compromised system
+', '["https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/","https://attack.mitre.org/techniques/T1210/"]', 'exists("target.path") &&
+greaterOrEqual("log.statusCode", 200) &&
+(
+ (contains("target.path", ".dll") && equals("log.method", "POST")) ||
+ (contains("target.path", "/scripts/") && contains("target.path", ".ida")) ||
+ (contains("target.path", "/scripts/") && contains("target.path", ".idq")) ||
+ (contains("target.path", "/_vti_bin/") && greaterThan("log.responseTime", 5000)) ||
+ (contains("log.userAgent", "<%") || contains("log.userAgent", "%3C%25")) ||
+ (regexMatch("target.path", ".*\\.(printer|idc|stm|shtm|shtml).*") && equals("log.method", "POST"))
+)
+', '2026-02-09 16:37:07.217495', true, false, 'origin', null, '[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.ip","target.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (251, 'IIS 8.3 Short Filename Enumeration Attack', 3, 2, 1, 'Discovery', 'T1083 - Discovery: File and Directory Discovery', 'Detects attempts to enumerate 8.3 short filenames using the tilde (~) character, which can reveal 
sensitive file and directory names on IIS servers. This attack technique exploits the Windows 8.3 filename convention to discover files and directories that may not be publicly accessible through normal browsing.
+
+Next Steps:
+1. Review the source IP addresses attempting this enumeration
+2. Check if any sensitive files or directories were successfully discovered
+3. Verify IIS configuration to disable 8.3 filename generation if not needed
+4. Implement request filtering to block requests containing tilde characters
+5. Monitor for subsequent attacks from the same sources
+6. Consider implementing rate limiting for suspicious request patterns
+', '["https://attack.mitre.org/techniques/T1083/","https://soroush.secproject.com/blog/2014/07/iis-short-file-name-disclosure-vulnerability/"]', 'contains("target.path", "~") &&
+(regexMatch("target.path", ".*~[0-9].*") || regexMatch("target.path", ".*~[0-9]\\*.*")) &&
+(equals("log.statusCode", 404) || equals("log.statusCode", 400) || equals("log.statusCode", 200)) &&
+(equals("log.subStatusCode", 0) || equals("log.subStatusCode", 2)) &&
+!regexMatch("target.path", "(?i).*\\.(css|js|jpg|jpeg|png|gif|ico).*")
+', '2026-02-09 16:37:07.361919', true, false, 'origin', '["adversary.ip","target.path"]', '[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"target.path","operator":"filter_match","value":"~"}],"or":null,"within":"now-5m","count":10}]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (252, 'IIS Unicode Bypass Directory Traversal Attack', 3, 3, 2, 'Defense Evasion', 'T1027 - Obfuscated Files or Information', 'Detects Unicode encoding bypass attempts 
including overlong UTF-8 sequences and alternative Unicode representations used to evade security filters and access restricted files. This attack exploits Unicode normalization vulnerabilities in IIS to traverse directories and access sensitive system files.
+
+**Next Steps:**
+1. Examine the full HTTP request including headers and POST data
+2. Check if the attack was successful by reviewing response codes and content lengths
+3. Verify what files or directories were accessed during the attack
+4. Review server logs for any executed commands or accessed sensitive files
+5. Check for other suspicious activity from the same source IP
+6. Implement proper input validation and Unicode normalization
+7. Consider blocking the source IP if attack continues
+', '["https://www.kb.cert.org/vuls/id/111677","https://attack.mitre.org/techniques/T1027/"]', 'contains("target.path", "%c0%af") || contains("target.path", "%c0%ae") ||
+contains("target.path", "%c1%9c") || contains("target.path", "%c0%2f") ||
+contains("target.path", "%c0%5c") || contains("target.path", "%c1%8s") ||
+contains("target.path", "%c1%1c") || contains("target.path", "%c1%af") ||
+contains("target.path", "%e0%80%af") || contains("target.path", "%f0%80%80%af") ||
+contains("target.path", "%u2215") || contains("target.path", "%u2216") ||
+contains("target.path", "%uff0e") || contains("target.path", "..%c0%af") ||
+(contains("target.path", "winnt") && contains("target.path", "system32")) ||
+(contains("target.path", "cmd.exe") || contains("target.path", "command.com"))
+', '2026-02-09 16:37:07.491405', true, false, 'origin', null, '[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-5m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, 
rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (253, 'Virtual Directory Traversal Attack', 3, 3, 2, 'Discovery', 'T1083 - File and Directory Discovery', 'Detects attempts to traverse directories and access files outside the web root through various encoding techniques and traversal sequences. This attack attempts to access files and directories that are stored outside the web root folder by using relative file paths that contain ''../'' or similar sequences. Attackers may use various encoding techniques to bypass security filters.
+
+Next Steps:
+- Review the source IP and user agent for suspicious patterns
+- Check if the requests resulted in successful responses (200, 301, 302 status codes)
+- Examine the full request path and identify what files were being accessed
+- Verify web application security controls and input validation
+- Check for other suspicious activity from the same source IP
+- Review IIS logs for any successful file access outside the web root
+- Consider blocking the source IP if malicious intent is confirmed
+', '["https://owasp.org/www-community/attacks/Path_Traversal","https://attack.mitre.org/techniques/T1083/"]', '(
+ regexMatch("target.path", ".*\\.\\.[\\\\/].*") ||
+ regexMatch("target.path", ".*%2e%2e[\\\\/].*") ||
+ regexMatch("target.path", ".*%252e%252e.*") ||
+ regexMatch("target.path", ".*%c0%ae%c0%ae.*") ||
+ regexMatch("target.path", ".*%e0%80%ae%e0%80%ae.*") ||
+ regexMatch("target.path", ".*/Windows/System32/.*") ||
+ regexMatch("target.path", ".*/boot\\.ini.*") ||
+ regexMatch("target.path", ".*/win\\.ini.*") ||
+ regexMatch("target.path", ".*/web\\.config.*") ||
+ regexMatch("target.path", ".*/applicationHost\\.config.*")
+) &&
+exists("target.ip")
+', '2026-02-09 16:37:07.641931', true, false, 'origin', '["adversary.ip","target.ip"]', 
'[{"indexPattern":"v11-log-iis-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":3}]', null);
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (435, 'System Linux: Modification of OpenSSH Binaries', 3, 3, 2, 'Persistence', 'T1543 - Create or Modify System Process', 'Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.', '["https://attack.mitre.org/tactics/TA0003/","https://attack.mitre.org/techniques/T1543/"]', 'regexMatch("log.message", "libkeyutils.so") && !regexMatch("log.message", "(dpkg|yum|dnf|dnf-automatic)") && regexMatch("log.message", "(/usr/sbin/sshd|/usr/bin/ssh|/usr/bin/sftp|/usr/bin/scp)")', '2026-02-09 16:51:29.367617', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (254, 'IIS Web Shell Upload Detection', 3, 3, 1, 'Initial Access', 'T1505.003 - Server Software Component: Web Shell', 'Detects potential web shell uploads based on suspicious file extensions and POST requests to uncommon paths. This rule identifies POST requests to ASP.NET-related file extensions in suspicious directory paths commonly used for web shell placement.
+
+Next Steps:
+1. 
Immediately investigate the target server and file path for uploaded web shells
+2. Check file system for recently uploaded .aspx, .asp, .asmx, .ashx, or .axd files
+3. Review IIS logs for additional suspicious requests from the same source IP
+4. Examine the uploaded file content for malicious code
+5. Check for privilege escalation attempts following the upload
+6. Review authentication logs for compromised accounts
+7. Implement file upload restrictions and input validation
+8. Block the source IP if confirmed malicious
+9. Scan the entire web directory for additional web shells
+10. Review recent file modifications on the web server
+', '["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/","https://attack.mitre.org/techniques/T1505/003/"]', 'equals("log.method", "POST") &&
+exists("target.path") &&
+(
+ contains("target.path", ".aspx") ||
+ contains("target.path", ".asp") ||
+ contains("target.path", ".asmx") ||
+ contains("target.path", ".ashx") ||
+ contains("target.path", ".axd")
+) &&
+(
+ regexMatch("target.path", "(?i)upload") ||
+ regexMatch("target.path", "(?i)temp") ||
+ regexMatch("target.path", "(?i)tmp") ||
+ regexMatch("target.path", "(?i)test") ||
+ regexMatch("target.path", "(?i)shell") ||
+ regexMatch("target.path", "(?i)cmd") ||
+ regexMatch("target.path", "(?i)eval") ||
+ regexMatch("target.path", "(?i)exec") ||
+ regexMatch("target.path", "(?i)webshell") ||
+ regexMatch("target.path", "(?i)backdoor")
+) &&
+greaterOrEqual("log.statusCode", 200) &&
+lessThan("log.statusCode", 300)
+', '2026-02-09 16:37:07.793258', true, false, 'origin', null, '[]', '["adversary.ip","target.path"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, 
rule_after_events_def, rule_group_by_def) values (255, 'Kibana Dev Tools Dangerous Query Detection', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects dangerous queries executed via Kibana Dev Tools console including index deletions, security setting changes, user creation, and role modifications. Dev Tools provides direct API access that can be abused by compromised accounts.
+
+Next Steps:
+1. Review the queries executed through Dev Tools
+2. Identify the user account and session
+3. Check if any destructive operations succeeded
+4. Restrict Dev Tools access to authorized administrators
+5. Review Kibana role assignments for over-privileged users
+6. Enable audit logging for Kibana API actions
+', '["https://www.elastic.co/guide/en/kibana/current/console-kibana.html","https://attack.mitre.org/techniques/T1059/"]', 'exists("log.message") &&
+(
+ (contains("log.message", "console") && (
+ contains("log.message", "DELETE /") ||
+ contains("log.message", "_security/user") ||
+ contains("log.message", "_security/role") ||
+ contains("log.message", "_cluster/settings") ||
+ contains("log.message", "_snapshot") ||
+ contains("log.message", "_scripts") ||
+ contains("log.message", "_reindex")
+ )) ||
+ (contains("log.message", "dev_tools") && contains("log.message", "execute"))
+)
+', '2026-02-09 16:37:07.921649', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (256, 'Kibana Mass Report Export Exfiltration Detection', 3, 1, 1, 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 'Detects mass report generation and CSV exports from Kibana that could indicate data 
exfiltration. Attackers with Kibana access can export large datasets via the reporting feature.
+
+Next Steps:
+1. Review the reports generated and their data content
+2. Verify the user account and export authorization
+3. Check the report download destinations
+4. Restrict reporting permissions to authorized users
+5. Implement data export limits and approval workflows
+6. Monitor for large data downloads from Kibana
+', '["https://www.elastic.co/guide/en/kibana/current/reporting-getting-started.html","https://attack.mitre.org/techniques/T1048/"]', 'exists("log.message") &&
+(
+ (contains("log.message", "reporting") && contains("log.message", "generate")) ||
+ (contains("log.message", "csv_searchsource") && contains("log.message", "created")) ||
+ (contains("log.message", "report") && contains("log.message", "export")) ||
+ (contains("log.message", "/api/reporting/generate") && exists("origin.ip")) ||
+ (contains("log.message", "csv") && contains("log.message", "download"))
+)
+', '2026-02-09 16:37:08.066867', true, false, 'origin', null, '[{"indexPattern":"v11-log-kibana-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.message","operator":"filter_match","value":"reporting OR csv OR export OR generate"}],"or":null,"within":"now-30m","count":5}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (257, 'Kibana Malicious Saved Object Import Detection', 3, 3, 2, 'Code Execution', 'T1059 - Command and Scripting Interpreter', 'Detects potentially malicious saved object imports in Kibana that could include crafted visualizations, dashboards, or scripted fields designed to execute code or exfiltrate data. 
+
+Next Steps:
+1. Review the imported saved objects for malicious content
+2. Check for scripted fields in imported index patterns
+3. Verify the import source and user authorization
+4. Remove suspicious saved objects immediately
+5. Review Kibana scripted field permissions
+6. Restrict saved object import to administrator roles
+', '["https://www.elastic.co/guide/en/kibana/current/saved-objects-api-import.html","https://attack.mitre.org/techniques/T1059/"]', 'exists("log.message") &&
+(
+ (contains("log.message", "saved_objects") && contains("log.message", "_import")) ||
+ (contains("log.message", "import") && contains("log.message", "saved object")) ||
+ (contains("log.message", "saved_objects/_bulk_create") && exists("origin.ip")) ||
+ (contains("log.message", "scripted_field") && contains("log.message", "created")) ||
+ (contains("log.message", "visualization") && contains("log.message", "import") && contains("log.message", "script"))
+)
+', '2026-02-09 16:37:08.201941', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (258, 'Potential Session Hijacking Activity', 3, 3, 2, 'Collection', 'T1185 - Browser Session Hijacking', 'Detects potential session hijacking activities based on suspicious authentication patterns, multiple IP addresses using the same session, or rapid location changes that may indicate stolen session tokens.
+
+Next Steps:
+1. Investigate the user account and recent login patterns
+2. Check for concurrent sessions from different IP addresses or locations
+3. Review session activity logs for unusual behavior patterns
+4. Verify if the user reported any suspicious activity
+5. 
Consider forcing session termination and requiring re-authentication
+6. Check for any recent credential compromise indicators
+7. Review security controls on user workstations and browsers
+', '["https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html","https://attack.mitre.org/techniques/T1185/"]', 'contains("log.actionMessage", "http_request") &&
+exists("origin.user") &&
+(contains("log.actionMessage", "session") ||
+ contains("log.component", "security")) &&
+(equals("actionResult", "failure") ||
+ equals("log.severityLabel", "warning") ||
+ equals("log.severityLabel", "error"))
+', '2026-02-09 16:37:08.331295', true, false, 'origin', null, '[{"indexPattern":"v11-log-kibana-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"}],"or":null,"within":"now-1h","count":20},{"indexPattern":"v11-log-kibana-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"},{"field":"origin.ip","operator":"must_not_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":1}]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (259, 'XSS Attack Attempt Detection', 3, 3, 1, 'Execution', 'T1059.007 - Cross-Site Scripting', 'Detects potential XSS attack attempts in Kibana through malicious script injection in search queries, field formatters, or visualization titles. This rule identifies common XSS patterns including script tags, JavaScript execution, and event handlers that could indicate an attempt to inject malicious code into Kibana interfaces.
+
+Next Steps:
+1. Review the specific log message and action that triggered this alert
+2. 
Check the user''s recent activity in Kibana for other suspicious actions
+3. Examine the affected Kibana component for potential compromise
+4. Review Kibana access logs for the source IP and user
+5. Consider blocking the source IP if malicious activity is confirmed
+6. Update Kibana security configurations and input validation
+7. Implement Content Security Policy (CSP) headers to prevent XSS execution
+8. Review and sanitize all user inputs in Kibana dashboards and visualizations
+', '["https://www.elastic.co/guide/en/kibana/current/security-best-practices.html","https://attack.mitre.org/techniques/T1059/007/"]', '(equals("log.component", "visualize") ||
+ equals("log.component", "discover") ||
+ equals("log.component", "security")) &&
+(
+ regexMatch("log.actionMessage", ".*.*.*") ||
+ contains("log.actionMessage", "javascript:") ||
+ contains("log.actionMessage", "onerror=") ||
+ contains("log.actionMessage", "onload=") ||
+ contains("log.actionMessage", " 1000) ||
+ (regexMatch("log.msg", "(?i)KEYS\\s+\\*") && !equals("log.levelEnc", "debug")) ||
+ (regexMatch("log.msg", "(?i)(SCAN|HSCAN|SSCAN|ZSCAN)\\s+\\d+\\s+MATCH\\s+\\*\\s+COUNT\\s+[1-9]\\d{3,}")) ||
+ (regexMatch("log.msg", "(?i)(BGSAVE|SAVE|LASTSAVE)") && regexMatch("log.msg", "(?i)(remote|external|http|ftp)")) ||
+ (regexMatch("log.msg", "(?i)SELECT\\s+\\d+") && regexMatch("log.msg", "(?i)(KEYS\\s+\\*|SCAN\\s+0)")) ||
+ (regexMatch("log.msg", "(?i)MIGRATE\\s+\\d+\\.\\d+\\.\\d+\\.\\d+")) ||
+ (regexMatch("log.msg", "(?i)(GET|HGETALL|SMEMBERS|ZRANGE).*") && regexMatch("log.msg", "(?i)(password|secret|token|api[_-]?key|private[_-]?key)"))
+)
+', '2026-02-09 16:37:16.006831', true, false, 'origin', null, '[{"indexPattern":"v11-log-redis-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-30m","count":10}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, 
rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (308, 'Redis Lua Script Injection Attack', 3, 3, 3, 'Execution', 'Script Injection', 'Detects potential Lua script injection attacks in Redis including malicious EVAL/EVALSHA commands, script-based exploitation attempts, or suspicious scripting activity.
+
+Next Steps:
+1. Immediately review the Redis logs to identify the source of the suspicious script commands
+2. Check if the Redis instance is exposed to untrusted networks
+3. Verify that Redis authentication is properly configured and strong passwords are in use
+4. Review all Lua scripts loaded into Redis for malicious code
+5. Consider implementing command blacklisting for EVAL/EVALSHA if not required
+6. Monitor for any unauthorized data access or modification following the alert
+7. If compromise is confirmed, rotate Redis passwords and review all stored data for tampering
+', '["https://antirez.com/news/119","https://redis.io/docs/latest/develop/interact/programmability/lua-debugging/","https://attack.mitre.org/techniques/T1059/007/"]', 'exists("log.message") && (
+ contains("log.message", "Cross Protocol Scripting") ||
+ (contains("log.message", "POST") && contains("log.message", "Host:")) ||
+ (contains("log.message", "EVAL") && contains("log.message", ["os.execute", "io.popen", "io.open", "loadfile", "dofile"])) ||
+ contains("log.message", "Lua script attempted to access") ||
+ (contains("log.message", "lua") && contains("log.message", "attack"))
+)
+', '2026-02-09 16:37:16.166915', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, 
rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (309, 'Redis Persistence Mechanism Abuse Detected', 3, 3, 2, 'Persistence', 'T1505: Server Software Component', 'Detects attempts to abuse Redis persistence mechanisms for maintaining unauthorized access, including suspicious RDB/AOF operations, module loading for backdoors, or configuration changes to establish persistence.
+
+Next Steps:
+1. Immediately review the Redis server configuration changes and module operations
+2. Check if any unauthorized modules were loaded using MODULE LIST command
+3. Examine Redis data directory for suspicious files (crontab, authorized_keys, shell scripts)
+4. Review Redis access logs for the source IP and authentication method used
+5. Verify if RDB/AOF files have been written to unusual locations
+6. Check system cron jobs and SSH authorized_keys for signs of compromise
+7. Consider rotating Redis passwords and implementing ACL restrictions
+8. 
Enable Redis command logging if not already active for forensic analysis
+', '["https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0","https://attack.mitre.org/techniques/T1505/"]', 'exists("log.message") && (
+ (regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+(save|appendonly|appendfsync|aof-rewrite)")) ||
+ (regexMatch("log.message", "(?i)MODULE\\s+LOAD\\s+") && !regexMatch("log.message", "(?i)(redis[_-]?search|redis[_-]?graph|redis[_-]?timeseries|redis[_-]?json|redis[_-]?bloom)")) ||
+ (regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+dir\\s+/(root|home|usr|etc|var/spool/cron)")) ||
+ (regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+dbfilename\\s+(crontab|authorized_keys|passwd|shadow|\\.bashrc|\\.profile)")) ||
+ (regexMatch("log.message", "(?i)(BGREWRITEAOF|BGSAVE)") && regexMatch("log.message", "(?i)(ssh|cron|bash|shell)")) ||
+ (equals("log.roleEnc", "master") && regexMatch("log.message", "(?i)Synchronization\\s+with\\s+replica.*module\\s+load")) ||
+ (regexMatch("log.message", "(?i)MODULE\\s+(LIST|UNLOAD)") && equals("log.levelEnc", "error"))
+)
+', '2026-02-09 16:37:16.326627', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (310, 'Redis ACL Manipulation Detection', 3, 3, 2, 'Persistence', 'T1098 - Account Manipulation', 'Detects manipulation of Redis ACL to create backdoor accounts, modify existing user permissions, or disable authentication. Attackers use ACL SETUSER to create persistent access with full privileges.
+
+Next Steps:
+1. Review the ACL changes to identify unauthorized user modifications
+2. 
List all current Redis users with ACL LIST
+3. Remove unauthorized user accounts
+4. Verify the default user is properly restricted
+5. Check for requirepass/masterauth changes
+6. Implement ACL file persistence and monitoring
+', '["https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/","https://attack.mitre.org/techniques/T1098/"]', 'exists("log.message") &&
+(
+ regexMatch("log.message", "(?i)ACL\\s+SETUSER") ||
+ regexMatch("log.message", "(?i)ACL\\s+DELUSER") ||
+ regexMatch("log.message", "(?i)ACL\\s+SAVE") ||
+ regexMatch("log.message", "(?i)ACL\\s+LOAD") ||
+ regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+requirepass") ||
+ regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+masterauth") ||
+ (contains("log.message", "ACL SETUSER") && contains("log.message", "allcommands")) ||
+ (contains("log.message", "ACL SETUSER") && contains("log.message", "allkeys"))
+)
+', '2026-02-09 16:37:16.476558', true, false, 'origin', null, '[{"indexPattern":"v11-log-redis-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (311, 'Redis Data Destruction Detection', 1, 3, 3, 'Data Destruction', 'T1485 - Data Destruction', 'Detects Redis data destruction commands including FLUSHALL, FLUSHDB, and DEBUG SLEEP that could indicate an attacker wiping data or preparing for ransomware. These commands irreversibly delete all data from Redis databases.
+
+Next Steps:
+1. Verify if the FLUSH command was authorized
+2. Check if RDB/AOF persistence files are intact for recovery
+3. 
Identify the source of the destructive command
+4. Restore data from backups immediately if unauthorized
+5. Restrict FLUSH commands via Redis ACL
+6. Monitor for ransom messages or follow-up demands
+', '["https://redis.io/docs/latest/commands/flushall/","https://attack.mitre.org/techniques/T1485/"]', 'exists("log.message") &&
+(
+ regexMatch("log.message", "(?i)FLUSHALL") ||
+ regexMatch("log.message", "(?i)FLUSHDB") ||
+ regexMatch("log.message", "(?i)DEBUG\\s+SET-ACTIVE-EXPIRE") ||
+ (contains("log.message", "CONFIG SET") && contains("log.message", "save") && contains("log.message", "\"\"")) ||
+ regexMatch("log.message", "(?i)CONFIG\\s+SET\\s+appendonly\\s+no")
+)
+', '2026-02-09 16:37:16.631959', true, false, 'origin', null, '[{"indexPattern":"v11-log-redis-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (312, 'Redis Rogue Replication Attack Detection', 3, 3, 3, 'Exploitation', 'T1210 - Exploitation of Remote Services', 'Detects rogue Redis replication attacks using SLAVEOF or REPLICAOF commands to connect the target Redis instance to an attacker-controlled server. This technique is used to load malicious Redis modules, exfiltrate data, or achieve remote code execution.
+
+Next Steps:
+1. Verify the replication target address is a legitimate Redis master
+2. Check for any loaded modules after the replication command
+3. Review Redis configuration for unauthorized changes
+4. Disconnect from the rogue master using REPLICAOF NO ONE
+5. Check for data exfiltration or corruption
+6. 
Restrict SLAVEOF/REPLICAOF commands via ACL
+', '["https://redis.io/docs/latest/operate/oss_and_stack/management/replication/","https://attack.mitre.org/techniques/T1210/"]', 'exists("log.message") &&
+(
+ regexMatch("log.message", "(?i)(SLAVEOF|REPLICAOF)\\s+[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+") ||
+ regexMatch("log.message", "(?i)(SLAVEOF|REPLICAOF)\\s+\\w+") ||
+ (contains("log.message", "MASTER <-> REPLICA") && contains("log.message", "sync started")) ||
+ (contains("log.message", "Connecting to MASTER") && !contains("log.message", "already connected")) ||
+ contains("log.message", "FULLRESYNC") ||
+ regexMatch("log.message", "(?i)MODULE\\s+LOAD")
+) &&
+!contains("log.message", "REPLICAOF NO ONE") &&
+!contains("log.message", "SLAVEOF NO ONE")
+', '2026-02-09 16:37:16.781895', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (313, 'Redis Unauthorized Access Pattern Detected', 3, 3, 2, 'Initial Access', 'T1078 - Valid Accounts', 'Detects patterns indicative of unauthorized access attempts to Redis including authentication failures, dangerous command usage without authentication, or attempts to bypass security restrictions. This rule identifies potential Redis security breaches through analysis of log messages for authentication failures, dangerous administrative commands, and unauthorized client activities.
+
+Next Steps:
+1. Verify the legitimacy of the Redis client connection from the identified origin host
+2. Check Redis authentication configuration and ensure AUTH is properly enabled
+3. Review Redis configuration for exposed dangerous commands (FLUSHALL, FLUSHDB, CONFIG)
+4. 
Investigate if any data was compromised during the unauthorized access attempt
+5. Consider implementing Redis ACLs and restricting dangerous commands
+6. Monitor for data exfiltration attempts from the affected Redis instance
+', '["https://medium.com/@Victor.Z.Zhu/redis-unauthorized-access-vulnerability-simulation-victor-zhu-ac7a71b2e419","https://attack.mitre.org/techniques/T1078/"]', 'exists("log.msg") && (
+ (regexMatch("log.msg", "(?i)(AUTH\\s+failed|invalid\\s+password|authentication\\s+required)")) ||
+ (regexMatch("log.msg", "(?i)(FLUSHALL|FLUSHDB|CONFIG\\s+(GET|SET)|KEYS\\s+\\*|SCAN\\s+0)") && equals("log.severity", "warning")) ||
+ (regexMatch("log.msg", "(?i)CONFIG\\s+SET\\s+(dir\\s+/|dbfilename\\s+authorized_keys)")) ||
+ (regexMatch("log.msg", "(?i)(SAVE|BGSAVE).*ssh|authorized_keys")) ||
+ (regexMatch("log.msg", "(?i)Client\\s+id=\\d+\\s+addr=.*\\s+name=.*\\s+cmd=(flushall|flushdb|config)")) ||
+ (equals("log.severity", "high") && regexMatch("log.msg", "(?i)(Possible\\s+security\\s+attack|unauthorized\\s+client)"))
+)
+', '2026-02-09 16:37:16.916919', true, false, 'origin', null, '[{"indexPattern":"v11-log-redis-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":5}]', '["adversary.host","adversary.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (314, 'AWS SSM Agent Hijacking - Unauthorized Registration', 3, 3, 3, 'Command and Control', 'T1219 - Remote Access Software', 'Detects unauthorized re-registration of the AWS Systems Manager (SSM) agent with a different AWS account. 
Attackers with local access to an EC2 instance can re-register the SSM agent to their own AWS account, gaining persistent remote command execution capability through a legitimate AWS service. This technique is particularly dangerous because SSM traffic blends with normal AWS API calls.
+
+Next Steps:
+1. Verify the SSM agent registration is pointing to the correct AWS account
+2. Check the activation code and ID used in the registration
+3. Compare the SSM agent configuration with expected values from your AWS account
+4. Review SSM session history for unauthorized command execution
+5. Check CloudTrail logs for SSM API calls from unexpected accounts
+6. Re-register the SSM agent with your legitimate AWS account
+7. Investigate how the attacker gained local access to the instance
+8. Rotate all credentials accessible from the compromised instance
+', '["https://attack.mitre.org/techniques/T1219/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml","https://www.mitiga.io/blog/new-attack-vector-aws-ssm-agent-as-a-remote-access-trojan"]', 'exists("log.message") &&
+regexMatch("log.message", "(?i)amazon-ssm-agent\\s+.*-register\\s+.*-(code|id|region)")
+', '2026-02-09 16:39:06.621928', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (315, 'Base64 Decode Piped to Shell Execution', 3, 3, 2, 'Defense Evasion', 'T1140 - Deobfuscate/Decode Files or Information', 'Detects base64-encoded content being decoded and piped directly to bash or sh for execution. 
This is an extremely common technique used by malware droppers, initial access scripts, and post-exploitation frameworks to evade detection by encoding malicious commands. Legitimate use of base64 piped to shell execution is very rare in production environments.
+
+Next Steps:
+1. Capture and decode the base64 payload to understand what was executed
+2. Identify the source of the encoded command (downloaded file, cron job, web request)
+3. Check for persistence mechanisms installed by the decoded payload
+4. Review network connections for C2 communication
+5. Search for similar base64 patterns across all systems
+6. Investigate the user account and parent process chain
+7. Look for file drops or modifications made by the executed payload
+', '["https://attack.mitre.org/techniques/T1140/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)base64\\s+-d.*\\|\\s*(ba)?sh") ||
+ regexMatch("log.message", "(?i)base64\\s+--decode.*\\|\\s*(ba)?sh") ||
+ regexMatch("log.message", "(?i)echo\\s+.*\\|\\s*base64\\s+-d\\s*\\|\\s*(ba)?sh") ||
+ regexMatch("log.message", "(?i)\\|\\s*base64\\s+-(d|decode)\\s*\\|\\s*(ba)?sh"))
+', '2026-02-09 16:39:06.727070', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (316, 'BPFDoor Backdoor Indicators', 3, 3, 3, 'Malware Detection', 'T1205.002 - Traffic Signaling: Socket Filters', 'Detects indicators of the BPFDoor backdoor, a sophisticated Linux malware used by APT groups (particularly Red Menshen/DecisiveArchitect). 
BPFDoor uses Berkeley Packet Filters (BPF) to monitor network traffic and respond to magic packets, making it extremely stealthy. It hides by deleting its own binary and running from memory, using specific file paths and socket operations.
+
+Next Steps:
+1. THIS IS A HIGH-CONFIDENCE APT INDICATOR - immediately activate incident response
+2. Isolate the affected host but preserve running processes for memory analysis
+3. Check for BPF socket filters attached to network interfaces
+4. Look for processes with deleted binary files (ls -la /proc/*/exe | grep deleted)
+5. Search for BPFDoor-specific files: /var/run/haldrund.pid, /dev/shm/kdmtmpflush
+6. Capture full memory dump before any remediation
+7. Hunt for lateral movement and other compromised hosts
+8. Engage threat intelligence team for APT attribution
+', '["https://attack.mitre.org/techniques/T1205/002/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/path/lnx_auditd_bpfdoor_file_accessed.yml","https://www.trendmicro.com/en_us/research/23/e/bpfdoor-linux-backdoor.html"]', 'exists("log.message") &&
+(contains("log.message", "/var/run/haldrund.pid") ||
+ contains("log.message", "/dev/shm/kdmtmpflush") ||
+ contains("log.message", "kdmtmpflush") ||
+ contains("log.message", "haldrund") ||
+ regexMatch("log.message", "(?i)/tmp/\\.(lock|font|pid)") ||
+ (contains("log.message", "BPF") && contains("log.message", "socket")) ||
+ contains("log.message", "bpfdoor"))
+', '2026-02-09 16:39:06.890835', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (317, 'Bash /dev/tcp Reverse Shell Detected', 3, 3, 3, 'Command and Control', 'T1059.004 - 
Command and Scripting Interpreter: Unix Shell', 'Detects the classic bash reverse shell pattern using /dev/tcp, including "bash -i >& /dev/tcp/" and "exec 3<>/dev/tcp/" variants. The /dev/tcp pseudo-device is a bash built-in for TCP connections and its use in command lines is almost exclusively malicious. This is one of the most commonly used reverse shell techniques.
+
+Next Steps:
+1. Immediately isolate the affected host from the network
+2. Extract the destination IP and port from the /dev/tcp path
+3. Block the C2 IP at the network perimeter
+4. Identify the user account and process tree that executed the command
+5. Check for initial access vector and persistence mechanisms
+6. Hunt for the same C2 IP across all systems
+7. Perform full forensic analysis of the compromised host
+', '["https://attack.mitre.org/techniques/T1059/004/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)bash\\s+-i\\s+>&\\s*/dev/tcp/") ||
+ regexMatch("log.message", "(?i)exec\\s+\\d+<>/dev/tcp/") ||
+ contains("log.message", "/dev/tcp/"))
+', '2026-02-09 16:39:07.031456', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (318, 'Credential File Copied to Staging Directory', 3, 2, 1, 'Credential Access', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'Detects the copying of credential files (/etc/passwd, /etc/shadow, /etc/gshadow) to world-readable staging directories like /tmp or /dev/shm. 
This is a direct indicator of credential theft where an attacker stages sensitive files for exfiltration or offline password cracking. Legitimate administrators never copy these files to /tmp.
+
+Next Steps:
+1. Immediately remove the copied credential files from /tmp or /dev/shm
+2. Identify the user account that performed the copy
+3. Check if the shadow file was accessed - if so, assume all local passwords are compromised
+4. Force password resets for all local accounts on the affected system
+5. Investigate how the attacker gained the privileges to read /etc/shadow
+6. Look for exfiltration attempts (scp, curl, nc) from the same host
+7. Check for password cracking tool downloads or execution
+', '["https://attack.mitre.org/techniques/T1552/001/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)cp\\s+/etc/(passwd|shadow|gshadow)\\s+/tmp") ||
+ regexMatch("log.message", "(?i)cp\\s+/etc/(passwd|shadow|gshadow)\\s+/dev/shm") ||
+ regexMatch("log.message", "(?i)cp\\s+/etc/(passwd|shadow|gshadow)\\s+/var/tmp") ||
+ regexMatch("log.message", "(?i)cat\\s+/etc/(shadow|gshadow)\\s*>\\s*/tmp/") ||
+ regexMatch("log.message", "(?i)cat\\s+/etc/(shadow|gshadow)\\s*>\\s*/dev/shm/"))
+', '2026-02-09 16:39:07.182341', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (319, 'Immutable File Flag Removal via chattr', 1, 3, 2, 'Defense Evasion', 'T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification', 'Detects the removal of the 
immutable flag from files using chattr -i. The immutable flag prevents files from being modified or deleted, even by root. Ransomware and rootkits commonly remove this flag before modifying or encrypting protected system files.
+
+Next Steps:
+1. Identify which files had their immutable flag removed
+2. Check if those files were subsequently modified or deleted
+3. Look for ransomware indicators (encryption, ransom notes)
+4. Examine the process and user that executed chattr
+5. Verify the integrity of the affected files
+6. Restore the immutable flag on critical system files
+', '["https://attack.mitre.org/techniques/T1222/002/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml"]', 'contains("log.message", "chattr") &&
+contains("log.message", "-i")
+', '2026-02-09 16:39:07.331792', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (441, 'System Linux: Potential Protocol Tunneling via EarthWorm', 3, 3, 2, 'Command and Control', 'T1572 - Protocol Tunneling', 'Identifies the execution of the EarthWorm tunneler. 
Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.', '["https://attack.mitre.org/tactics/TA0011/","https://attack.mitre.org/techniques/T1572/"]', 'contains("log.message", "-s") && contains("log.message", "-d") && contains("log.message", "rssocks")', '2026-02-09 16:51:30.327138', true, false, 'target', null, '[]', '["target.ip","target.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (320, 'Cryptocurrency Mining Command Line Indicators', 1, 2, 3, 'Resource Hijacking', 'T1496 - Resource Hijacking', 'Detects cryptocurrency mining software execution based on distinctive command-line arguments. This includes mining-specific parameters such as --cpu-priority, --donate-level, stratum+tcp://, --algo=rx/0, and other Monero/XMR mining indicators. Unauthorized crypto mining is a common objective of automated Linux exploits and worms.
+
+Next Steps:
+1. Identify and terminate the mining process immediately
+2. Determine the mining pool and wallet address being used
+3. Check CPU utilization to confirm active mining
+4. Investigate how the miner was installed (exploit, compromised credentials, malicious package)
+5. Search for persistence mechanisms (cron jobs, systemd services, init scripts)
+6. Check for additional compromised hosts mining to the same pool
+7. Remove all mining-related files and restore system to clean state
+8. 
Patch the vulnerability that led to the initial compromise
+', '["https://attack.mitre.org/techniques/T1496/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml"]', 'exists("log.message") &&
+(contains("log.message", "--donate-level") ||
+ contains("log.message", "stratum+tcp://") ||
+ contains("log.message", "stratum+ssl://") ||
+ contains("log.message", "stratum+tls://") ||
+ contains("log.message", "--coin=") ||
+ regexMatch("log.message", "(?i)--algo=(rx/0|cn/|randomx|cryptonight)") ||
+ contains("log.message", "--cpu-priority") ||
+ contains("log.message", "--threads=") ||
+ regexMatch("log.message", "(?i)(xmrig|xmr-stak|cpuminer|minerd|cgminer|bfgminer|ethminer|nbminer|t-rex)") ||
+ contains("log.message", "pool.minexmr.com") ||
+ contains("log.message", "pool.hashvault.pro"))
+', '2026-02-09 16:39:07.486686', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (321, 'Cryptocurrency Mining Pool Connection', 1, 2, 3, 'Resource Hijacking', 'T1496 - Resource Hijacking', 'Detects network connections or DNS lookups to known cryptocurrency mining pool hostnames. This covers major Monero, Bitcoin, and Ethereum mining pools. Connections to these hosts from production servers are almost always indicators of unauthorized cryptocurrency mining.
+
+Next Steps:
+1. Identify the process making connections to mining pools
+2. Terminate the mining process and remove associated files
+3. Block mining pool domains and IPs at the firewall/proxy
+4. Check for persistence mechanisms maintaining the miner
+5. Investigate the initial compromise vector
+6. 
Audit other systems for similar mining pool connections
+7. Review DNS logs for mining pool lookups from other hosts
+', '["https://attack.mitre.org/techniques/T1496/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml"]', 'exists("log.message") &&
+regexMatch("log.message", "(?i)(pool\\.minergate\\.com|xmrpool\\.eu|moneropool\\.com|monerohash\\.com|minexmr\\.com|pool\\.hashvault\\.pro|xmr\\.nanopool\\.org|xmr\\.2miners\\.com|pool\\.supportxmr\\.com|xmr-eu1\\.nanopool\\.org|xmr-eu2\\.nanopool\\.org|xmr-us-east1\\.nanopool\\.org|xmr-us-west1\\.nanopool\\.org|xmr-asia1\\.nanopool\\.org|randomxmonero\\.auto|gulf\\.moneroocean\\.stream|xmr\\.herominers\\.com|pool\\.xmr\\.pt|xmr\\.f2pool\\.com|xmrpool\\.net|xmr-eu\\.dwarfpool\\.com|monero\\.crypto-pool\\.fr|mine\\.c3pool\\.com)")
+', '2026-02-09 16:39:07.611500', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (322, 'Process Memory Injection via dd', 3, 3, 2, 'Defense Evasion', 'T1055.009 - Process Injection: Proc Memory', 'Detects the use of dd to write to /proc/PID/mem, which is a process injection technique. By writing directly to a process''s memory space through the proc filesystem, attackers can inject malicious code into legitimate running processes to evade detection and gain the process''s privileges.
+
+Next Steps:
+1. Identify the target process whose memory was written to
+2. Examine the source data being injected into the process
+3. Check if the target process is a privileged or security-sensitive process
+4. Review the injecting process and its parent chain
+5. 
Dump and analyze the target process memory for injected code
+6. Investigate the system for additional process injection attempts
+', '["https://attack.mitre.org/techniques/T1055/009/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml"]', 'contains("log.message", "dd ") &&
+regexMatch("log.message", "/proc/[0-9]+/mem")
+', '2026-02-09 16:39:07.767041', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (323, 'Download and Execute from Staging Directory', 3, 3, 3, 'Execution', 'T1105 - Ingress Tool Transfer', 'Detects the pattern of downloading a file using curl or wget to /tmp or /dev/shm and then executing it. This is one of the most common multi-stage attack patterns where an attacker downloads a payload from their infrastructure to a staging directory and immediately executes it. This pattern is seen in cryptocurrency miners, botnet agents, and initial compromise payloads.
+
+Next Steps:
+1. Identify the URL from which the file was downloaded
+2. Block the download URL and associated domain at the proxy/firewall
+3. Retrieve and analyze the downloaded file (if still present) for malware analysis
+4. Check for persistence mechanisms installed by the payload
+5. Review network connections for C2 communication
+6. Hunt for the same download URL or file hash across all systems
+7. 
Investigate the initial access vector that led to the download command
+', '["https://attack.mitre.org/techniques/T1105/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_curl_wget_exec_tmp.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)(curl|wget)\\s+.*-o\\s+(/tmp/|/dev/shm/|/var/tmp/)") ||
+ regexMatch("log.message", "(?i)(curl|wget)\\s+.*>\\s*(/tmp/|/dev/shm/|/var/tmp/)") ||
+ regexMatch("log.message", "(?i)(curl|wget)\\s+.*(/tmp/|/dev/shm/).*&&.*chmod.*\\+x") ||
+ regexMatch("log.message", "(?i)(curl|wget)\\s+.*\\|\\s*(ba)?sh") ||
+ regexMatch("log.message", "(?i)(curl|wget)\\s+.*(/tmp/|/dev/shm/).*&&.*/tmp/"))
+', '2026-02-09 16:39:07.922334', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (324, 'ESXi VM Process Kill - Ransomware Precursor', 2, 3, 3, 'Impact', 'T1529 - System Shutdown/Reboot', 'Detects the use of esxcli to kill virtual machine processes on VMware ESXi hypervisors. This is a critical pre-encryption step used by ransomware groups (ESXiArgs, Royal, LockBit, BlackBasta) to shut down VMs before encrypting their VMDK files. The esxcli vm process kill command is the standard method used by ESXi ransomware variants.
+
+Next Steps:
+1. THIS IS A CRITICAL ALERT - immediately isolate the ESXi host from the network
+2. Check if ransomware encryption has already begun (look for .encrypted, .locked extensions on datastores)
+3. Identify all VMs that were killed and assess business impact
+4. Determine how the attacker gained access to the ESXi host (CVE exploitation, stolen credentials)
+5. 
Verify ESXi host integrity and check for dropped ransomware binaries
+6. Check for ransom notes on datastores
+7. Do NOT restart VMs until forensic analysis is complete
+8. Activate incident response and business continuity procedures
+', '["https://attack.mitre.org/techniques/T1529/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)esxcli\\s+vm\\s+process\\s+kill") ||
+ regexMatch("log.message", "(?i)vim-cmd\\s+vmsvc/power\\.off") ||
+ regexMatch("log.message", "(?i)esxcli\\s+vm\\s+process\\s+list"))
+', '2026-02-09 16:39:08.066746', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (325, 'Suspicious Process Execution from /tmp Directory', 3, 3, 2, 'Execution', 'T1036 - Masquerading', 'Detects process execution from the /tmp directory, which is a world-writable location commonly used by attackers to stage and execute malware. Legitimate applications rarely execute from /tmp. This pattern is seen in initial access payloads, cryptocurrency miners, reverse shells, and automated exploitation tools.
+
+Next Steps:
+1. Identify the specific binary or script executing from /tmp
+2. Calculate the file hash and check against threat intelligence feeds
+3. Determine how the file was placed in /tmp (downloaded, transferred, compiled)
+4. Review the process''s network connections and child processes
+5. Check for persistence mechanisms that reference the /tmp file
+6. 
Remove the malicious file and any associated persistence
+7. Investigate the initial access vector that led to the file placement
+', '["https://attack.mitre.org/techniques/T1036/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml"]', 'exists("log.message") &&
+(regexMatch("log.message", "(?i)exec(ve)?.*(/tmp/|/var/tmp/|/dev/shm/)") ||
+ regexMatch("log.message", "(?i)/tmp/[a-zA-Z0-9._-]+\\s+(started|running|executed)") ||
+ regexMatch("log.message", "(?i)sh\\s+-c\\s+/tmp/") ||
+ regexMatch("log.message", "(?i)bash\\s+/tmp/") ||
+ regexMatch("log.message", "(?i)chmod\\s+\\+x\\s+/tmp/.*&&.*/tmp/"))
+', '2026-02-09 16:39:08.207093', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-15m","count":2}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (326, 'Shell History File Deletion', 1, 3, 1, 'Defense Evasion', 'T1070.003 - Indicator Removal: Clear Command History', 'Detects deletion, truncation, or clearing of shell history files (.bash_history, .zsh_history, .sh_history). Attackers delete history files to remove evidence of their commands after compromising a system. This is a common anti-forensic technique used during post-exploitation.
+
+Next Steps:
+1. Identify the user account that deleted the history file
+2. Check for remaining shell history in other locations (syslog, auditd)
+3. Review SIEM/remote log data for the commands that were likely being hidden
+4. Investigate what activities preceded the history deletion
+5. 
Look for other anti-forensic indicators (log clearing, timestamp manipulation) +6. Check for persistence mechanisms and ongoing compromise +7. Correlate with other alerts from the same host +', '["https://attack.mitre.org/techniques/T1070/003/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)(rm|shred|unlink)\\s+.*\\.(bash_history|zsh_history|sh_history|history)") || + regexMatch("log.message", "(?i)>\\s*~/?\\.?(bash_history|zsh_history|sh_history)") || + regexMatch("log.message", "(?i)cat\\s+/dev/null\\s*>.*\\.(bash_history|zsh_history)") || + regexMatch("log.message", "(?i)truncate\\s+.*\\.(bash_history|zsh_history)") || + contains("log.message", "HISTFILE=/dev/null") || + contains("log.message", "unset HISTFILE") || + contains("log.message", "set +o history") || + contains("log.message", "HISTSIZE=0")) +', '2026-02-09 16:39:08.351829', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (327, 'Java Process Spawning Suspicious Child Process', 3, 3, 3, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects Java processes spawning suspicious child processes such as bash, sh, curl, wget, or python. This pattern is a strong indicator of exploitation of Java applications including Log4Shell (CVE-2021-44228), Confluence RCE vulnerabilities, and Java deserialization attacks. Legitimate Java applications rarely spawn shell processes. + +Next Steps: +1. Immediately isolate the affected Java application server +2. 
Identify the specific Java application being exploited (check the Java process arguments) +3. Review application logs for exploitation payloads (JNDI lookups, deserialization gadgets) +4. Check for Log4j vulnerabilities in all Java dependencies +5. Inspect what commands were executed by the spawned child process +6. Look for reverse shells, webshells, or persistence mechanisms +7. Patch the vulnerable application immediately +8. Hunt for the same exploitation pattern across other Java application servers +', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml","https://www.lunasec.io/docs/blog/log4j-zero-day/"]', 'exists("log.message") && +regexMatch("log.message", "(?i)java.*child.*(bash|/bin/sh|curl|wget|python|perl|ruby|nc |ncat)") || +(contains("log.message", "java") && + regexMatch("log.message", "(?i)(Runtime\\.getRuntime|ProcessBuilder|exec\\(|/bin/bash|/bin/sh)")) +', '2026-02-09 16:39:08.492019', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (328, 'LD_PRELOAD Library Injection in System Logs', 3, 3, 2, 'Persistence', 'T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking', 'Detects modifications to /etc/ld.so.preload or LD_PRELOAD usage in system logs, indicating dynamic linker hijacking for persistence or credential interception. + +Next Steps: +1. Examine /etc/ld.so.preload for unauthorized shared library entries +2. Analyze the referenced shared library for malicious code +3. Check for LD_PRELOAD in environment variables and shell profiles +4. 
Identify the user and process that made the modification +5. Remove malicious preload entries and libraries +6. Audit running processes for injected libraries +', '["https://attack.mitre.org/techniques/T1574/006/"]', '(contains("log.message", "ld.so.preload") || contains("log.message", "LD_PRELOAD")) && +(contains("log.message", "modified") || contains("log.message", "write") || + contains("log.message", "export LD_PRELOAD") || contains("log.message", "changed") || + contains("log.message", "opened for writing")) +', '2026-02-09 16:39:08.641507', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (329, 'Linux Hack Tool Execution', 3, 3, 2, 'Execution', 'T1588.002 - Obtain Capabilities: Tool', 'Detects execution of known offensive security and hacking tools on Linux systems. This includes C2 frameworks (Cobalt Strike, Sliver, Havoc, Merlin), post-exploitation tools (LinPEAS, pspy, Chisel), credential attack tools (Hydra, John, Hashcat, Mimikatz), network attack tools (CrackMapExec, Impacket, Responder), and vulnerability scanners (sqlmap, Nikto, ncrack). The presence of these tools on a production system is a strong indicator of compromise. + +Next Steps: +1. Immediately isolate the affected host from the network +2. Identify the user account executing the tool and determine if it is compromised +3. Check how the tool was installed (downloaded, transferred, compiled on host) +4. Review process history and network connections for scope of attack +5. Search for additional compromised hosts using the same tools +6. Collect forensic artifacts from the system +7. 
Remove the offensive tools and remediate the compromise +8. Reset credentials for any accounts accessed from the compromised host +', '["https://attack.mitre.org/techniques/T1588/002/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml"]', 'exists("log.message") && +regexMatch("log.message", "(?i)(crackmapexec|cme\\s|evil-winrm|sliver-client|sliver-server|havoc|merlin|msfconsole|msfvenom|meterpreter|pspy|pspy64|linpeas|linpeas\\.sh|winpeas|linenum|linux-exploit-suggester|les\\.sh|linux-smart-enumeration|lse\\.sh|hydra|john |johntheripper|hashcat|ncrack|medusa|patator|sqlmap|sqlninja|nikto|gobuster|feroxbuster|dirbuster|dirb |ffuf |wfuzz|nuclei |subfinder|amass |masscan|nmap\\s|responder|impacket|secretsdump|chisel|ligolo|bloodhound-python|sharphound|rubeus|mimikatz|lazagne|enum4linux|smbmap|cracklord|thc-hydra)") +', '2026-02-09 16:39:08.781918', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (330, 'Linux Log File Clearing', 1, 3, 2, 'Defense Evasion', 'T1070.002 - Indicator Removal: Clear Linux or Mac System Logs', 'Detects commands used to delete or overwrite Linux log files in /var/log. Attackers frequently clear logs to cover their tracks after compromising a system. Commands like rm, shred, unlink, and truncation of log files are indicators of anti-forensic activity. + +Next Steps: +1. Identify the user account and process that deleted the log files +2. Check for any remaining log entries before the clearing event +3. Review remote syslog backups or SIEM data for the deleted timeframe +4. 
Investigate what the attacker was trying to hide +5. Look for other anti-forensic activities (history deletion, timestamp manipulation) +6. Check for active compromise indicators on the system +7. Preserve all remaining forensic artifacts immediately +8. Consider the system compromised and investigate lateral movement +', '["https://attack.mitre.org/techniques/T1070/002/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)(rm|shred|unlink)\\s+(-rf?\\s+)?/var/log") || + regexMatch("log.message", "(?i)>\\s*/var/log/(syslog|auth\\.log|messages|secure|wtmp|btmp|lastlog)") || + regexMatch("log.message", "(?i)truncate\\s+(-s\\s+0\\s+)?/var/log/") || + regexMatch("log.message", "(?i)cat\\s+/dev/null\\s*>\\s*/var/log/")) +', '2026-02-09 16:39:08.926981', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (331, 'Outbound Connection to Known Malware C2 Ports', 3, 2, 2, 'Command and Control', 'T1571 - Non-Standard Port', 'Detects outbound network connections to ports commonly used by malware for command and control callbacks. Ports like 4444 (Metasploit default), 5555 (Android Debug Bridge abuse), 6789 (Cobalt Strike), 8531 (fake WSUS), and others are well-known C2 callback ports. While some may have legitimate uses, outbound connections to these ports from servers warrant investigation. + +Next Steps: +1. Identify the process making the outbound connection +2. Determine the destination IP address and verify it is not a known legitimate service +3. 
Check the destination IP against threat intelligence feeds +4. Capture network traffic to analyze the C2 protocol +5. Investigate the process tree and how the connecting process was started +6. Block the destination IP at the firewall +7. Search for the same destination IP across all monitored systems +8. Check for persistence mechanisms associated with the C2 agent +', '["https://attack.mitre.org/techniques/T1571/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)(connect|established|connection).*\\b(4444|4445|5555|6666|6667|6789|7443|8531|9001|9090|1337|31337|12345)\\b") || + regexMatch("log.message", "(?i)outbound.*(4444|5555|6789|8531|9001)") || + regexMatch("log.message", "(?i)destination.*port.*(4444|4445|5555|6666|6789|8531)")) +', '2026-02-09 16:39:09.066872', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (332, 'Named Pipe Creation in Suspicious Location', 2, 2, 1, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects creation of named pipes (FIFOs) in /tmp or /dev/shm using mkfifo. Named pipes in temporary directories are commonly used by attackers and malware for inter-process communication during exploitation. This technique was notably used in the Barracuda ESG exploitation campaign. + +Next Steps: +1. Identify the named pipe file and examine its location +2. 
Determine which processes are reading from and writing to the pipe +3. Check for associated reverse shell or data exfiltration activity +4. Review the parent process that executed mkfifo +5. Look for other indicators of web application exploitation +6. Remove the named pipe and investigate the full attack chain +', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml","https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"]', 'contains("log.message", "mkfifo") && +contains("log.message", ["/tmp/", "/dev/shm/", "/var/tmp/"]) +', '2026-02-09 16:39:09.211835', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (333, 'Netcat Reverse Shell Detected', 3, 3, 3, 'Command and Control', 'T1059 - Command and Scripting Interpreter', 'Detects netcat (nc/ncat/netcat) being used with -c or -e flags to spawn a shell, which is the most common method of establishing a reverse shell on Linux systems. This is almost never used legitimately and is a strong indicator of active compromise. + +Next Steps: +1. Immediately isolate the affected host from the network +2. Identify the user and parent process that executed netcat +3. Determine the destination IP and port of the reverse shell connection +4. Check for initial access vectors (webshell, exploited service, stolen credentials) +5. Search for persistence mechanisms installed by the attacker +6. Review network connections from the host for additional C2 channels +7. 
Hunt for the same destination IP across all monitored systems +', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"]', 'exists("log.message") && +regexMatch("log.message", "(?i)(nc|ncat|netcat)\\s+.*-(e|c)\\s+(/bin/)?(ba)?sh") +', '2026-02-09 16:39:09.356771', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (334, 'Ngrok Tunnel Communication Detected', 3, 2, 2, 'Command and Control', 'T1572 - Protocol Tunneling', 'Detects connections to ngrok tunnel infrastructure (tunnel.*.ngrok.com, *.ngrok.io, *.ngrok-free.app). Ngrok is a legitimate tunneling service that is frequently abused by attackers to establish reverse tunnels from compromised systems, bypassing firewalls and NAT. Its use on production servers is almost always unauthorized and indicates either C2 communication, data exfiltration, or unauthorized remote access. + +Next Steps: +1. Identify the process establishing the ngrok tunnel +2. Determine what service or port is being exposed through the tunnel +3. Check if ngrok is authorized for use in the environment +4. Terminate the ngrok process and remove the binary +5. Block ngrok domains at the DNS/proxy level +6. Investigate what the attacker was accessing through the tunnel +7. Check for the ngrok configuration file for tunnel details +8. 
Hunt for ngrok usage on other systems +', '["https://attack.mitre.org/techniques/T1572/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)tunnel\\..*\\.ngrok\\.com") || + contains("log.message", ".ngrok.io") || + contains("log.message", ".ngrok-free.app") || + contains("log.message", "ngrok.com/api") || + regexMatch("log.message", "(?i)ngrok\\s+(http|tcp|tls|start)")) +', '2026-02-09 16:39:09.486706', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (669, 'Windows: Microsoft Build Engine Started an Unusual Process', 3, 3, 2, 'Defense Evasion', 'T1027 - Obfuscated Files or Information', 'An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. 
This technique is sometimes used to deploy a malicious payload using the Build Engine.', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1027/"]', 'regexMatch("log.winlogEventDataProcessName", "(csc.exe|iexplore.exe|powershell.exe)") && regexMatch("log.winlogEventDataParentProcessName", "MSBuild.exe")', '2026-02-09 16:57:25.017103', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (335, 'OMIGOD SCX Agent Exploitation Detected', 3, 3, 3, 'Exploitation', 'T1068 - Exploitation for Privilege Escalation', 'Detects exploitation of the OMIGOD vulnerability (CVE-2021-38647) in the Azure Open Management Infrastructure (OMI) SCX agent. This critical vulnerability allows unauthenticated remote code execution as root via the SCXcore RunAsProvider ExecuteShellCommand method. + +Next Steps: +1. Immediately patch the OMI agent on the affected system +2. Check for unauthorized processes spawned from the SCX agent path +3. Review commands executed through the OMI agent +4. Examine network connections to the OMI listener port (5985/5986) +5. Check for persistence mechanisms installed by the attacker +6. 
Audit all Azure VMs running the OMI agent for this vulnerability +', '["https://attack.mitre.org/techniques/T1068/","https://attack.mitre.org/techniques/T1190/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml","https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure"]', '( + contains("log.message", "/var/opt/microsoft/scx") || + contains("log.message", "/opt/omi/") || + contains("log.message", "SCXcore") +) && +( + contains("log.message", "ExecuteShellCommand") || + contains("log.message", "RunAsProvider") || + (contains("log.message", "omicli") && contains("log.message", "exec")) +) +', '2026-02-09 16:39:09.627198', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (336, 'Perl Reverse Shell Detected', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects Perl-based reverse shell execution patterns using fdopen with Socket library. This is a well-known post-exploitation technique where attackers use Perl''s built-in networking capabilities to establish a reverse shell connection back to their command and control server. + +Next Steps: +1. Immediately isolate the affected system from the network +2. Identify the destination IP and port of the reverse shell connection +3. Determine how the attacker gained initial access to execute Perl +4. Check for other compromised systems connecting to the same C2 address +5. Review process tree to identify the parent process that spawned Perl +6. 
Examine the system for persistence mechanisms and lateral movement +', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml"]', 'contains("log.message", "perl") && +( + (contains("log.message", "fdopen") && contains("log.message", "Socket")) || + (contains("log.message", "socket") && contains("log.message", "connect") && contains("log.message", "open") && contains("log.message", "STDIN")) +) +', '2026-02-09 16:39:09.767845', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (337, 'PHP Reverse Shell Detected', 3, 3, 3, 'Command and Control', 'T1059 - Command and Scripting Interpreter', 'Detects PHP being used to establish a reverse shell via fsockopen or similar network functions. This is commonly seen on compromised web servers where an attacker leverages PHP''s built-in socket functions to create a reverse connection. The presence of php -r with fsockopen in command lines is a strong indicator of active exploitation. + +Next Steps: +1. Immediately isolate the affected web server from the network +2. Identify the webshell or vulnerable application that triggered the PHP reverse shell +3. Check for uploaded PHP files in web-accessible directories +4. Review web server access logs for the initial exploitation request +5. Determine the destination C2 IP and block it at the firewall +6. Audit all PHP files on the server for additional webshells +7. 
Patch the vulnerable application and restore from clean backup +', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml"]', 'exists("log.message") && +regexMatch("log.message", "(?i)php\\s+-r\\s+.*fsockopen") +', '2026-02-09 16:39:09.907293', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (338, 'Shell Script Persistence via profile.d', 2, 3, 2, 'Persistence', 'T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification', 'Detects creation or modification of shell scripts in /etc/profile.d/. Scripts in this directory are executed by every user at login, making it a powerful persistence mechanism. Attackers drop malicious scripts here to maintain persistent access and execute commands in the context of every user session. + +Next Steps: +1. Identify the new or modified script in /etc/profile.d/ and examine its contents +2. Check if the script was created by a legitimate package installation or administrator +3. Compare the script against known-good baselines from package manager +4. Review the user and process that created or modified the script +5. Remove unauthorized scripts from /etc/profile.d/ +6. 
Check for other persistence mechanisms on the same system +', '["https://attack.mitre.org/techniques/T1546/004/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"]', 'contains("log.message", "/etc/profile.d/") && +( + contains("log.message", ["created", "modified", "written", "installed"]) || + (contains("log.message", [" cp ", " mv ", "tee ", "cat "]) && contains("log.message", "/etc/profile.d/")) || + (contains("log.message", "chmod") && contains("log.message", "/etc/profile.d/")) +) +', '2026-02-09 16:39:10.056562', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (339, 'Python PTY Shell Spawn - Interactive Shell Upgrade', 3, 3, 2, 'Execution', 'T1059.006 - Command and Scripting Interpreter: Python', 'Detects the use of Python''s pty module to spawn an interactive TTY shell. This is a standard post-exploitation technique where an attacker upgrades a basic reverse shell to a fully interactive terminal. The command "python -c ''import pty; pty.spawn(\"/bin/bash\")''" is taught in every penetration testing course and is a strong indicator of active hands-on-keyboard exploitation. + +Next Steps: +1. The system is actively being exploited - immediately isolate the host +2. Identify the parent process (likely a reverse shell or webshell) +3. Check for the initial access vector that gave the attacker shell access +4. Review all commands executed in the spawned interactive shell +5. Look for privilege escalation attempts following the shell upgrade +6. Check for lateral movement from this host +7. 
Collect memory dump and disk forensic artifacts +', '["https://attack.mitre.org/techniques/T1059/006/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)python[23]?\\s+-c\\s+.*import\\s+pty.*pty\\.spawn") || + contains("log.message", "import pty;pty.spawn") || + contains("log.message", "import pty; pty.spawn")) +', '2026-02-09 16:39:10.197334', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (442, 'System Linux: Namespace Manipulation Using Unshare', 3, 3, 2, 'Privilege Escalation', 'T1543 - Create or Modify System Process', 'Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. 
Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.', '["https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/techniques/T1543/"]', 'contains("log.message", "unshare") && !contains("log.message", "/usr/bin/snap") && !regexMatch("log.message", "(\\/usr\\/bin\\/udevadm|\\/lib\\/systemd\\/systemd-udevd|\\/usr\\/bin\\/unshare)")', '2026-02-09 16:51:30.486997', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (341, 'Comprehensive Reverse Shell Detection', 3, 3, 3, 'Command and Control', 'T1059.004 - Command and Scripting Interpreter: Unix Shell', 'Detects multiple reverse shell patterns in Linux system logs including bash, netcat, python, perl, ruby, socat, awk, xterm, and telnet variants. Reverse shells are one of the most common post-exploitation techniques used by attackers to establish interactive command and control channels from a compromised host back to their infrastructure. + +Next Steps: +1. Immediately isolate the affected host from the network +2. Identify the source process and user that spawned the reverse shell +3. Determine the destination IP and port of the outbound connection +4. Check for webshell presence or initial access vector that led to the reverse shell +5. Review all processes and network connections on the compromised host +6. Search for lateral movement from this host to other systems +7. Collect forensic artifacts (memory dump, disk image) before remediation +8. 
Block the C2 IP at the firewall and hunt for it across all systems +', '["https://attack.mitre.org/techniques/T1059/004/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/builtin/lnx_shell_susp_rev_shells.yml","https://www.revshells.com/"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)bash\\s+-i\\s+>&\\s*/dev/tcp/") || + regexMatch("log.message", "(?i)exec\\s+\\d+<>/dev/tcp/") || + regexMatch("log.message", "(?i)(nc|ncat|netcat)\\s+.*\\s+-(e|c)\\s+(/bin/)?(ba)?sh") || + regexMatch("log.message", "(?i)python[23]?\\s+-c\\s+.*socket.*pty.*spawn") || + regexMatch("log.message", "(?i)python[23]?\\s+-c\\s+.*socket.*connect.*subprocess") || + regexMatch("log.message", "(?i)perl\\s+-e\\s+.*socket.*INET.*exec") || + regexMatch("log.message", "(?i)perl\\s+-MIO\\s+-e") || + regexMatch("log.message", "(?i)php\\s+-r\\s+.*fsockopen") || + regexMatch("log.message", "(?i)ruby\\s+-rsocket\\s+-e") || + regexMatch("log.message", "(?i)ruby\\s+-e\\s+.*TCPSocket") || + regexMatch("log.message", "(?i)socat\\s+.*exec.*tcp") || + regexMatch("log.message", "(?i)socat\\s+.*tcp.*exec") || + regexMatch("log.message", "(?i)awk\\s+.*\\/inet\\/tcp\\/") || + regexMatch("log.message", "(?i)xterm\\s+-display\\s+\\d+") || + regexMatch("log.message", "(?i)telnet\\s+.*\\|\\s*/bin/(ba)?sh") || + regexMatch("log.message", "(?i)mkfifo\\s+/tmp/.*&&.*nc\\s+") || + regexMatch("log.message", "(?i)mknod\\s+/tmp/.*&&.*nc\\s+")) +', '2026-02-09 16:39:10.472050', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (342, 'Reverse Shell Patterns in System Logs', 3, 3, 3, 'Execution', 'T1059.004 - Command and Scripting Interpreter: 
Unix Shell', 'Detects common reverse shell patterns in system logs including bash TCP redirects, netcat shells, python socket connections, and other common reverse shell one-liners. + +Next Steps: +1. Immediately isolate the affected system +2. Identify the destination IP and port of the reverse shell +3. Determine the initial access vector +4. Check for data exfiltration or lateral movement +5. Block the C2 IP at the network perimeter +6. Perform full incident response on the host +', '["https://attack.mitre.org/techniques/T1059/004/"]', 'regexMatch("log.message", "(?i)bash\\s+-i\\s+>&\\s+/dev/tcp/") || +regexMatch("log.message", "(?i)python[23]?\\s+-c\\s+.*socket.*connect") || +regexMatch("log.message", "(?i)nc\\s+(-e|--exec)\\s+/bin/(ba)?sh") || +regexMatch("log.message", "(?i)socat\\s+.*exec.*tcp") || +regexMatch("log.message", "(?i)perl\\s+-e\\s+.*socket.*INET") || +regexMatch("log.message", "(?i)php\\s+-r\\s+.*fsockopen") || +regexMatch("log.message", "(?i)ruby\\s+-rsocket") || +regexMatch("log.message", "(?i)mkfifo\\s+/tmp/.*\\|.*nc\\s+") +', '2026-02-09 16:39:10.606388', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (343, 'Root Certificate Installation Detected', 2, 3, 1, 'Defense Evasion', 'T1553.004 - Subvert Trust Controls: Install Root Certificate', 'Detects the installation of root certificates on Linux systems using update-ca-certificates or update-ca-trust. Attackers install rogue root certificates to enable TLS interception (man-in-the-middle attacks), bypass certificate pinning, or establish trust for malicious code signing. + +Next Steps: +1. 
Identify which certificate was installed and its issuer +2. Verify if the certificate installation was authorized +3. Check /usr/local/share/ca-certificates/ and /etc/pki/ca-trust/source/ for new certificates +4. Examine the process and user that triggered the certificate installation +5. Look for signs of TLS interception or MITM activity +6. Remove unauthorized certificates and update the trust store +', '["https://attack.mitre.org/techniques/T1553/004/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml"]', 'contains("log.message", ["update-ca-certificates", "update-ca-trust"]) && +!contains("log.message", ["apt", "yum", "dnf", "dpkg"]) +', '2026-02-09 16:39:10.757972', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (344, 'Security Tools Disabled or Stopped', 2, 3, 3, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects commands used to stop, disable, or remove security tools on Linux systems. This includes firewalls (iptables, firewalld, ufw, nftables), EDR agents (falcon-sensor, cbdaemon, mdatp), SELinux/AppArmor enforcement, and other security services. Attackers disable security tools early in the kill chain to avoid detection during subsequent exploitation phases. + +Next Steps: +1. Immediately verify if the security tool disabling was authorized +2. Check if the affected security tools are currently running +3. Re-enable any disabled security tools immediately +4. Investigate the user account and process that issued the command +5. 
Look for subsequent malicious activity that the attacker was trying to hide +6. Check for persistence mechanisms that disable security tools at boot +7. Verify SELinux/AppArmor enforcement status +8. Review other hosts for similar security tool disabling patterns +', '["https://attack.mitre.org/techniques/T1562/001/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)systemctl\\s+(stop|disable|mask)\\s+(iptables|firewalld|ufw|nftables|falcon-sensor|cbdaemon|cbsensor|mdatp|clamd|ossec|wazuh|auditd|rsyslog|syslog-ng|apparmor)") || + regexMatch("log.message", "(?i)service\\s+(iptables|firewalld|ufw|falcon-sensor|cbdaemon|auditd|rsyslog|apparmor)\\s+stop") || + contains("log.message", "setenforce 0") || + contains("log.message", "setenforce Permissive") || + regexMatch("log.message", "(?i)aa-teardown") || + regexMatch("log.message", "(?i)apparmor_parser\\s+-R") || + regexMatch("log.message", "(?i)(apt|yum|dnf|rpm)\\s+.*(remove|erase)\\s+(iptables|firewalld|falcon-sensor|clamav|ossec|wazuh|auditd)")) +', '2026-02-09 16:39:10.902131', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (345, 'Ruby Reverse Shell Detected', 3, 3, 2, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects Ruby-based reverse shell execution patterns using TCPSocket. Attackers use Ruby''s TCPSocket class to establish a reverse shell connection, redirecting stdin/stdout/stderr to a remote socket for interactive command execution. + +Next Steps: +1. 
Immediately isolate the affected system from the network +2. Identify the destination IP and port of the reverse shell connection +3. Determine how the attacker gained initial access to execute Ruby +4. Check for other compromised systems connecting to the same C2 address +5. Review process tree to identify the parent process that spawned Ruby +6. Examine the system for persistence mechanisms and lateral movement +', '["https://attack.mitre.org/techniques/T1059/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml"]', 'contains("log.message", "ruby") && +( + contains("log.message", "TCPSocket") || + (contains("log.message", "socket") && contains("log.message", "spawn")) +) && +contains("log.message", ["/bin/sh", "/bin/bash", "exec"]) +', '2026-02-09 16:39:11.063049', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (443, 'System Linux: A user has been added to the administrators group', 3, 3, 2, 'Privilege Escalation', 'T1484 - Domain Policy Modification', 'Detects when a user has been added to the administrators group (sudo) on a Linux system.', '["https://attack.mitre.org/tactics/TA0004","https://attack.mitre.org/techniques/T1484/"]', 'regexMatch("log.message", "(((adduser|useradd|usermod)(.+)([Aa]dded user|new user|add)(.+)to(.+)group)(.+)sudo)") && contains("log.message", "usermod -aG sudo")', '2026-02-09 16:51:30.647303', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, 
rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (346, 'Suspicious Access to Sensitive System Files', 3, 3, 2, 'Credential Access', 'T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow', 'Detects suspicious access to critical system files including /etc/passwd, /etc/shadow, /etc/sudoers, /etc/crontab, and sensitive directories like /boot, /bin, /sbin. While system administrators may legitimately access these files, unusual access patterns can indicate credential theft, privilege escalation, or system tampering. + +Next Steps: +1. Verify the user account accessing the sensitive files and their authorization +2. Check the specific command used (cat, vi, nano, cp, scp) +3. Determine if this aligns with legitimate administrative activity +4. Review the access context - was it from an interactive session or automated process? +5. Check for concurrent suspicious activities (reverse shells, lateral movement) +6. If unauthorized, immediately reset affected credentials +7. 
Audit file permissions on sensitive files +', '["https://attack.mitre.org/techniques/T1003/008/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)(cat|less|more|head|tail|vi|vim|nano|emacs|sed|awk)\\s+/etc/(shadow|gshadow)") || + regexMatch("log.message", "(?i)(vi|vim|nano|emacs|sed)\\s+/etc/(passwd|sudoers|crontab)") || + regexMatch("log.message", "(?i)(vi|vim|nano|emacs|sed)\\s+/etc/ssh/sshd_config") || + regexMatch("log.message", "(?i)(cp|scp|rsync)\\s+/etc/(shadow|gshadow|passwd)")) +', '2026-02-09 16:39:11.211998', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (347, 'Setcap Privilege Escalation via cap_setuid', 3, 3, 2, 'Privilege Escalation', 'T1548 - Abuse Elevation Control Mechanism', 'Detects the use of setcap to grant cap_setuid or other dangerous capabilities to binaries. Linux capabilities allow splitting root privileges into distinct units. The cap_setuid capability allows a process to change its UID, effectively gaining root access. Attackers use setcap to create persistent privilege escalation backdoors that are harder to detect than traditional SUID bits. + +Next Steps: +1. Identify the binary that was granted dangerous capabilities +2. Determine if this is a legitimate administrative action +3. Check the binary''s integrity against package manager records +4. 
Remove unauthorized capabilities: setcap -r /path/to/binary +5. Search for other binaries with dangerous capabilities: getcap -r / 2>/dev/null +6. Investigate how the attacker gained the privileges needed to run setcap +7. Check if the capability-enhanced binary has been used for privilege escalation +', '["https://attack.mitre.org/techniques/T1548/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml","https://gtfobins.github.io/"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)setcap\\s+.*cap_setuid") || + regexMatch("log.message", "(?i)setcap\\s+.*cap_setgid") || + regexMatch("log.message", "(?i)setcap\\s+.*cap_sys_admin") || + regexMatch("log.message", "(?i)setcap\\s+.*cap_sys_ptrace") || + regexMatch("log.message", "(?i)setcap\\s+.*cap_dac_override") || + regexMatch("log.message", "(?i)setcap\\s+.*cap_net_raw") || + regexMatch("log.message", "(?i)setcap\\s+.*cap_net_admin")) +', '2026-02-09 16:39:11.356679', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (348, 'Shellshock Exploitation Attempt Detected', 3, 3, 3, 'Exploitation', 'T1505.003 - Server Software Component: Web Shell', 'Detects the Shellshock (CVE-2014-6271) exploitation pattern in system logs. The characteristic () { :; }; sequence in environment variables exploits a bash vulnerability that allows arbitrary command execution. Despite being discovered in 2014, Shellshock is still actively exploited against unpatched systems. + +Next Steps: +1. Immediately patch bash on the affected system if vulnerable +2. 
Identify the attack vector (CGI script, DHCP client, SSH ForceCommand) +3. Determine if the exploitation was successful and what commands were executed +4. Check for follow-up malware installation or persistence +5. Review network logs for the source of the attack +6. Scan all systems for the Shellshock vulnerability +', '["https://attack.mitre.org/techniques/T1505/003/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/builtin/lnx_shellshock.yml","https://nvd.nist.gov/vuln/detail/CVE-2014-6271"]', 'regexMatch("log.message", "\\(\\)\\s*\\{\\s*:;\\s*\\};") +', '2026-02-09 16:39:11.502542', true, false, 'origin', null, '[]', '["adversary.host","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (349, 'SSH Authorized Key Injection via System Logs', 3, 3, 1, 'Persistence', 'T1098.004 - Account Manipulation: SSH Authorized Keys', 'Detects unauthorized modifications to SSH authorized_keys files as seen in system logs, indicating potential persistence via injected SSH public keys. + +Next Steps: +1. Review the authorized_keys file for unauthorized keys +2. Identify the user and process that made the change +3. Check SSH login logs for connections using the new key +4. Remove unauthorized keys and rotate credentials +5. 
Monitor for subsequent connections from unknown sources +', '["https://attack.mitre.org/techniques/T1098/004/"]', 'contains("log.message", "authorized_keys") && +(contains("log.message", "modified") || contains("log.message", "write") || + contains("log.message", "opened for writing") || contains("log.message", "changed")) +', '2026-02-09 16:39:11.663111', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"},{"field":"log.message","operator":"filter_match","value":"authorized_keys"}],"or":null,"within":"now-1h","count":3}]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (350, 'Sudo Privilege Escalation Attempts', 3, 3, 2, 'Privilege Escalation', 'T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching', 'Detects unauthorized sudo usage attempts and privilege escalation through sudo command execution. This rule identifies failed sudo attempts including users not in sudoers file, authentication failures, and command restrictions. + +Next Steps: +1. Verify the legitimacy of the user attempting sudo access +2. Review the specific command that was attempted +3. Check if this is part of a broader privilege escalation campaign +4. Examine system logs for additional suspicious activity from this user/host +5. Consider implementing additional sudo restrictions if unauthorized access attempts persist +6. 
Correlate with other authentication events from the same user or host +', '["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html","https://attack.mitre.org/techniques/T1548/003/"]', 'contains("log.message", "sudo") && (contains("log.message", "NOT in sudoers") || contains("log.message", "authentication failure") || contains("log.message", "command not allowed")) && exists("origin.host")', '2026-02-09 16:39:11.812675', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (696, 'Windows: PowerShell PSReflect Script', 2, 3, 1, 'Execution', 'T1059 - Command and Scripting Interpreter', 'Detects the use of PSReflect in PowerShell scripts. 
Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.', '["https://attack.mitre.org/tactics/TA0002/","https://attack.mitre.org/techniques/T1059/"]', 'regexMatch("log.message", "(New-InMemoryModule|Add-Win32Type|psenum|DefineDynamicAssembly|DefineDynamicModule|Reflection.TypeAttributes|Reflection.Emit.OpCodes|Reflection.Emit.CustomAttributeBuilder|Runtime.InteropServices.DllImportAttribute)")', '2026-02-09 16:57:29.062478', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (351, 'SUID/SGID Bit Set on Binary - Potential Backdoor', 3, 3, 2, 'Privilege Escalation', 'T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid', 'Detects the use of chmod to set SUID (u+s) or SGID (g+s) bits on binaries, especially after a chown to root. Attackers use SUID/SGID bits to create backdoors that allow any user to execute a binary with root privileges. This is a well-known persistence and privilege escalation technique. + +Next Steps: +1. Identify the binary that had the SUID/SGID bit set +2. Determine if this is a known system binary or a dropped malicious file +3. Check the binary''s contents and compare against package manager originals +4. Review who set the SUID/SGID bit and their authorization level +5. Remove the SUID/SGID bit from unauthorized binaries (chmod u-s g-s) +6. Search for other SUID/SGID binaries that may have been modified: find / -perm -4000 +7. 
Investigate how the attacker gained root access to set the bit +', '["https://attack.mitre.org/techniques/T1548/001/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)chmod\\s+.*[ug]\\+s\\s+") || + regexMatch("log.message", "(?i)chmod\\s+[46][0-7]{3}\\s+") || + regexMatch("log.message", "(?i)chmod\\s+.*4755\\s+") || + regexMatch("log.message", "(?i)chmod\\s+.*2755\\s+") || + regexMatch("log.message", "(?i)chmod\\s+.*6755\\s+")) +', '2026-02-09 16:39:11.967086', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (352, 'Suspicious Package Installation Detected', 2, 2, 1, 'Execution', 'T1072 - Software Deployment Tools', 'Detects the installation of offensive security tools or suspicious packages via apt, yum, or dnf. Packages like nmap, netcat, wireshark, proxychains, socat, and similar tools are commonly installed by attackers during post-exploitation for reconnaissance, pivoting, and lateral movement. + +Next Steps: +1. Verify if the package installation was authorized by system administrators +2. Identify the user who installed the package and their access context +3. Check for other reconnaissance or exploitation activity from the same user +4. Review if the tools were actually used after installation +5. Remove unauthorized tools and restrict package installation privileges +6. 
Investigate how the attacker obtained privileges to install packages +', '["https://attack.mitre.org/techniques/T1072/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml"]', 'contains("log.message", ["apt install", "apt-get install", "yum install", "dnf install"]) && +contains("log.message", ["nmap", "netcat", "ncat", "wireshark", "tshark", "proxychains", "socat", "masscan", "hydra", "john", "hashcat", "aircrack", "ettercap", "responder", "mimikatz", "crackmapexec", "enum4linux"]) +', '2026-02-09 16:39:12.107949', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (353, 'SSH Brute Force Attempts', 3, 3, 2, 'Credential Access', 'T1110.001 - Brute Force: Password Guessing', 'Detects multiple failed SSH authentication attempts from the same source IP address, indicating a potential brute force attack against SSH services. This rule identifies patterns where an attacker attempts to guess passwords by making repeated login attempts. + +Next Steps: +1. Immediately block the attacking IP address at the firewall level +2. Review SSH logs for the timeframe to identify targeted usernames +3. Check if any successful logins occurred from the same IP after failed attempts +4. Verify SSH configuration follows security best practices (disable root login, use key-based authentication) +5. Consider implementing fail2ban or similar intrusion prevention tools +6. Monitor for lateral movement if any accounts were compromised +7. Review other systems for similar brute force attempts from the same IP +8. 
Consider adding the IP to threat intelligence feeds if confirmed malicious +', '["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html","https://attack.mitre.org/techniques/T1110/001/"]', 'contains("log.message", "Failed password") && contains("log.message", "ssh") && exists("origin.ip")', '2026-02-09 16:39:12.238043', true, false, 'origin', null, '[{"indexPattern":"v11-log-linux-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.message","operator":"filter_match","value":"Failed password"}],"or":null,"within":"now-5m","count":10}]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (354, 'Malicious Systemd Timer Creation', 2, 3, 2, 'Persistence', 'T1053.006 - Scheduled Task/Job: Systemd Timers', 'Detects creation or enablement of systemd timer units through system logs, which attackers use for persistent scheduled execution of malicious payloads. + +Next Steps: +1. Review the timer unit and associated service unit file contents +2. Check the ExecStart directive for suspicious binaries or scripts +3. Verify the timer was created by an authorized administrator +4. Compare against baseline of known legitimate timers +5. 
If unauthorized, disable the timer and investigate +', '["https://attack.mitre.org/techniques/T1053/006/"]', '(contains("log.message", "systemd") || contains("log.message", "systemctl")) && +contains("log.message", ".timer") && +(contains("log.message", "enabled") || contains("log.message", "Created symlink")) && +!contains("log.message", ["logrotate", "man-db", "fstrim", "apt-daily", "snapd", "certbot", "unattended-upgrades"]) +', '2026-02-09 16:39:12.381816', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (355, 'Timestomping of Service Files Detected', 1, 3, 1, 'Defense Evasion', 'T1070.006 - Indicator Removal: Timestomp', 'Detects the use of touch -t to modify timestamps on .service files. Attackers use timestomping to make malicious systemd service files appear as if they were created during system installation, hiding persistence mechanisms from forensic analysis. + +Next Steps: +1. Identify the specific .service files that were timestomped +2. Examine the contents of those service files for malicious commands +3. Compare file timestamps with package manager records (dpkg/rpm) +4. Check if the service files reference suspicious executables +5. Review systemd unit files for unauthorized additions +6. 
Verify the integrity of all service files against known-good baselines +', '["https://attack.mitre.org/techniques/T1070/006/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml"]', 'contains("log.message", "touch") && +contains("log.message", "-t") && +contains("log.message", ".service") +', '2026-02-09 16:39:12.521919', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (356, 'Triple Cross eBPF Rootkit Installation Detected', 3, 3, 3, 'Malware Detection', 'T1014 - Rootkit', 'Detects installation of the Triple Cross eBPF rootkit. This rootkit uses the Linux Traffic Control (tc) subsystem with qdisc and filter commands to install eBPF programs that can hide processes, files, and network connections while providing a backdoor. The characteristic pattern is sudo tc with qdisc/filter subcommands. + +Next Steps: +1. Immediately isolate the affected system from the network +2. Check for eBPF programs loaded in the kernel (bpftool prog list) +3. Examine tc qdisc and filter configurations for malicious entries +4. Review loaded kernel modules and eBPF programs +5. Check for hidden processes, files, and network connections +6. 
Consider reimaging the system as rootkit removal is unreliable +', '["https://attack.mitre.org/techniques/T1014/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml","https://github.com/h3xduck/TripleCross"]', 'contains("log.message", "sudo") && +contains("log.message", " tc ") && +(contains("log.message", "qdisc") || contains("log.message", "filter")) +', '2026-02-09 16:39:12.666738', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (357, 'Webshell Activity - Web Server Spawning Suspicious Commands', 3, 3, 3, 'Persistence', 'T1505.003 - Server Software Component: Web Shell', 'Detects web server processes (httpd, nginx, apache2, tomcat, java) spawning reconnaissance or system commands such as whoami, ifconfig, uname, id, cat, crontab, wget, curl. This pattern strongly indicates an active webshell being used by an attacker to execute commands on the compromised server. + +Next Steps: +1. Immediately isolate the web server from the network +2. Identify the specific webshell file by reviewing web server access logs around the alert time +3. Search for recently created or modified files in web-accessible directories +4. Check for uploaded files with PHP, JSP, ASP, or CGI extensions +5. Review the commands executed through the webshell to assess scope of compromise +6. Look for lateral movement or data exfiltration from this host +7. Patch the vulnerability that allowed the webshell upload +8. 
Restore web application files from a clean, verified backup +', '["https://attack.mitre.org/techniques/T1505/003/","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"]', 'exists("log.message") && +(regexMatch("log.message", "(?i)(httpd|nginx|apache2|tomcat|catalina|java).*child process.*(whoami|ifconfig|uname|id |cat |crontab|wget |curl )") || + regexMatch("log.message", "(?i)(httpd|nginx|apache2|tomcat|catalina)\\[\\d+\\].*exec.*(whoami|ifconfig|uname|/bin/id|/bin/cat|/bin/sh|/bin/bash|wget|curl)") || + (contains("log.message", ["httpd", "nginx", "apache2", "tomcat"]) && + contains("log.message", ["whoami", "ifconfig", "uname -a", "/etc/passwd", "id;", "cat /etc"]))) +', '2026-02-09 16:39:12.822317', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (358, 'Kafka Connect Malicious Connector Detection', 3, 3, 2, 'Code Execution', 'T1059 - Command and Scripting Interpreter', 'Detects deployment of potentially malicious Kafka Connect connectors. Attackers can deploy connectors to exfiltrate data to external systems, inject malicious data, or execute code through custom connector plugins. + +Next Steps: +1. Review the connector configuration and plugin class +2. Verify the connector deployment was authorized +3. Check the connector source/sink endpoints for legitimacy +4. Remove unauthorized connectors immediately +5. Restrict Kafka Connect REST API access +6. 
Implement connector class allowlisting +', '["https://kafka.apache.org/documentation/#connect","https://attack.mitre.org/techniques/T1059/"]', 'exists("log.message") && +( + (contains("log.message", "connector") && contains("log.message", "created")) || + (contains("log.message", "connector") && contains("log.message", "Starting")) || + contains("log.message", "ConnectorConfig") || + (contains("log.message", "PUT /connectors/") && contains("log.message", "config")) || + (contains("log.message", "POST /connectors") && !contains("log.message", "status")) || + (contains("log.message", "connector.class") && ( + contains("log.message", "FileStreamSink") || + contains("log.message", "FileStreamSource") || + contains("log.message", "S3Sink") || + contains("log.message", "HttpSink") + )) +) +', '2026-02-09 16:39:12.962654', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (359, 'Kafka Unauthorized Producer Spoofing Detection', 1, 3, 2, 'Data Manipulation', 'T1565.001 - Data Manipulation: Stored Data Manipulation', 'Detects unauthorized message production to Kafka topics that could indicate data injection or message spoofing. Monitors for producer authorization failures and unusual producer registrations. + +Next Steps: +1. Identify the unauthorized producer client and source host +2. Review the messages produced to verify data integrity +3. Check Kafka ACLs for producer permissions +4. Block unauthorized producers via ACL configuration +5. Implement idempotent producer settings for critical topics +6. 
Review topic data for injected or manipulated messages +', '["https://kafka.apache.org/documentation/#producerconfigs","https://attack.mitre.org/techniques/T1565/001/"]', 'exists("log.message") && +( + (contains("log.message", "TOPIC_AUTHORIZATION_FAILED") && contains("log.message", "Produce")) || + (contains("log.message", "not authorized to") && contains("log.message", "Write")) || + (equals("log.severity", "ERROR") && contains("log.message", "ProduceRequest") && contains("log.message", "authorization")) || + (contains("log.message", "transactional.id") && contains("log.message", "authorization")) +) +', '2026-02-09 16:39:13.092622', true, false, 'origin', null, '[{"indexPattern":"v11-log-kafka-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"},{"field":"log.message","operator":"filter_match","value":"TOPIC_AUTHORIZATION_FAILED OR not authorized OR ProduceRequest"}],"or":null,"within":"now-10m","count":5}]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (360, 'Kafka Topic Deletion Detection', 1, 3, 3, 'Data Destruction', 'T1485 - Data Destruction', 'Detects Kafka topic deletion operations that could result in message data loss. Topic deletion is a destructive operation that permanently removes all messages and partitions. + +Next Steps: +1. Verify if the topic deletion was authorized +2. Identify the user or service that initiated the deletion +3. Check if any dependent applications were affected +4. Review if message data can be recovered from other consumers +5. Restrict topic deletion via Kafka ACLs +6. 
Implement topic deletion protection for critical topics +', '["https://kafka.apache.org/documentation/#topicconfigs","https://attack.mitre.org/techniques/T1485/"]', 'exists("log.message") && +( + contains("log.message", "Topic deletion") || + (contains("log.message", "DeleteTopics") && !contains("log.message", "TOPIC_AUTHORIZATION_FAILED")) || + contains("log.message", "Deleting topic") || + (contains("log.message", "topic") && contains("log.message", "marked for deletion")) || + contains("log.message", "TopicDeletion") +) +', '2026-02-09 16:39:13.237029', true, false, 'origin', null, '[{"indexPattern":"v11-log-kafka-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (361, 'NATS Unauthorized Route Poisoning Detection', 2, 3, 3, 'Network Manipulation', 'T1557 - Adversary-in-the-Middle', 'Detects unauthorized route advertisements and cluster join attempts in NATS. Attackers inject rogue routes to intercept messages, disrupt cluster operations, or perform man-in-the-middle attacks. + +Next Steps: +1. Verify the connecting route/node is an authorized cluster member +2. Review the cluster route configuration +3. Check for any unauthorized servers in the cluster +4. Disconnect unauthorized routes immediately +5. Implement route authentication and TLS verification +6. 
Monitor cluster topology for unexpected changes +', '["https://docs.nats.io/running-a-nats-service/configuration/clustering","https://attack.mitre.org/techniques/T1557/"]', 'exists("log.message") && +( + (contains("log.message", "route") && contains("log.message", "added")) || + (contains("log.message", "route") && contains("log.message", "connected")) || + (contains("log.message", "cluster") && contains("log.message", "unauthorized")) || + (contains("log.message", "gateway") && contains("log.message", "unknown")) || + (contains("log.message", "leaf node") && contains("log.message", "unauthorized")) || + (equals("log.severity", "ERROR") && contains("log.message", "route") && contains("log.message", "TLS")) +) +', '2026-02-09 16:39:13.372724', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (363, 'NATS Credential Theft Detection', 3, 2, 1, 'Credential Access', 'T1528 - Steal Application Access Token', 'Detects credential theft attempts in NATS including repeated authentication failures, token replay attempts, and unauthorized credential access patterns that go beyond simple JWT validation failures. + +Next Steps: +1. Review the authentication failure patterns and source hosts +2. Check if any stolen credentials were successfully used +3. Rotate compromised credentials immediately +4. Review NATS account and user configurations +5. Implement IP-based access restrictions +6. 
Monitor for lateral movement using stolen credentials +', '["https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro","https://attack.mitre.org/techniques/T1528/"]', 'exists("log.message") && +( + (contains("log.message", "authentication") && contains("log.message", "failed")) || + (contains("log.message", "Authorization") && contains("log.message", "Violation")) || + (contains("log.message", "nkey") && contains("log.message", "not found")) || + (contains("log.message", "token") && contains("log.message", "expired")) || + (contains("log.message", "credentials") && contains("log.message", "invalid")) || + (contains("log.message", "bad client credentials") && exists("origin.ip")) +) +', '2026-02-09 16:39:13.583614', true, false, 'origin', null, '[{"indexPattern":"v11-log-nats-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"},{"field":"log.message","operator":"filter_match","value":"authentication failed OR Authorization Violation OR credentials invalid"}],"or":null,"within":"now-10m","count":10}]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (364, 'NATS Wildcard Subscription Monitoring Detection', 3, 1, 1, 'Collection', 'T1040 - Network Sniffing', 'Detects NATS ">" wildcard subscriptions that capture all messages across all subjects. This pattern is used by attackers to intercept and monitor all messaging traffic within the NATS cluster. + +Next Steps: +1. Identify the client that created the wildcard subscription +2. Verify if the subscription is from a legitimate monitoring service +3. Review the account and user permissions for the subscriber +4. 
Remove unauthorized wildcard subscriptions +5. Implement subject-level ACLs to restrict subscriptions +6. Monitor the subscriber for data exfiltration +', '["https://docs.nats.io/nats-concepts/subjects#wildcards","https://attack.mitre.org/techniques/T1040/"]', 'exists("log.message") && +( + regexMatch("log.message", "(?i)subscribe\\s+>") || + (contains("log.message", "SUB >") && !contains("log.message", "system")) || + (contains("log.message", "subscription") && contains("log.message", ">") && !contains("log.message", "_INBOX")) || + (contains("log.message", "wildcard") && contains("log.message", "subscription")) +) +', '2026-02-09 16:39:13.727650', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (365, 'Traefik Docker/Kubernetes Provider Exploitation Detection', 3, 3, 3, 'Container Exploitation', 'T1610 - Deploy Container', 'Detects exploitation of Traefik''s Docker or Kubernetes provider integration. Attackers can manipulate container labels or Kubernetes annotations to inject malicious routing rules, redirect traffic, or gain access to internal services. + +Next Steps: +1. Review recent Docker/Kubernetes label and annotation changes +2. Check for unauthorized routing rules in Traefik configuration +3. Verify container deployments are from authorized registries +4. Review Traefik provider configuration for excessive permissions +5. Restrict Docker socket access and Kubernetes RBAC +6. 
Monitor for unauthorized traffic routing changes +', '["https://doc.traefik.io/traefik/providers/docker/","https://attack.mitre.org/techniques/T1610/"]', 'exists("log.message") && +( + (contains("log.message", "provider") && contains("log.message", "docker") && contains("log.message", "error")) || + (contains("log.message", "provider") && contains("log.message", "kubernetes") && contains("log.message", "error")) || + (contains("log.message", "label") && contains("log.message", "traefik") && contains("log.message", "changed")) || + (contains("log.message", "router") && contains("log.message", "added") && !contains("log.message", "middleware")) || + (contains("log.message", "service") && contains("log.message", "created") && contains("log.message", "docker")) || + (contains("log.message", "ingress") && contains("log.message", "updated") && contains("log.message", "traefik")) +) +', '2026-02-09 16:39:13.867023', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (366, 'Traefik SSRF via Service Discovery Detection', 3, 2, 1, 'Server-Side Request Forgery', 'T1090 - Proxy', 'Detects SSRF attempts through Traefik service discovery mechanisms. Attackers manipulate service registrations or routing rules to force Traefik to proxy requests to internal services or cloud metadata endpoints. + +Next Steps: +1. Review the request for internal IP or metadata endpoint references +2. Check Traefik routing rules for unauthorized backend targets +3. Verify service discovery configurations for tampering +4. Implement IP allowlisting for backend services +5. Block access to metadata endpoints at the network level +6. 
Block the source IP if confirmed malicious +', '["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery","https://attack.mitre.org/techniques/T1090/"]', 'exists("origin.ip") && +( + (exists("origin.path") && ( + contains("origin.path", "169.254.169.254") || + contains("origin.path", "metadata.google.internal") || + regexMatch("origin.path", "(?i)https?://(127\\.0\\.0\\.1|localhost|0\\.0\\.0\\.0)") || + contains("origin.path", "file:///") || + contains("origin.path", "gopher://") + )) || + (exists("log.message") && ( + regexMatch("log.message", "(?i)backend.*127\\.0\\.0\\.1") || + regexMatch("log.message", "(?i)backend.*169\\.254\\.169\\.254") || + (contains("log.message", "service") && contains("log.message", "localhost")) + )) +) +', '2026-02-09 16:39:14.007307', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (367, 'Admin Account Compromise Indicators', 3, 3, 2, 'Defense Evasion, Persistence, Privilege Escalation, Initial Access', 'T1078 - Valid Accounts', 'Detects multiple failed admin login attempts followed by a successful login from the same IP address, indicating potential account compromise through credential stuffing or brute force attacks. + +Next Steps: +1. Review the source IP address and check if it''s from an expected location +2. Contact the admin user to verify if the login was legitimate +3. Check for any suspicious activities performed after the successful login +4. Review other authentication logs from the same IP address +5. Consider implementing IP-based access controls for admin accounts +6. Enable multi-factor authentication if not already configured +7. 
Reset the compromised admin account password if unauthorized access is confirmed +', '["https://attack.mitre.org/techniques/T1078/","https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/160372/list-of-log-types-and-subtypes"]', 'equals("log.logid", "0100032001") && +equals("log.type", "event") && +equals("log.subtype", "system") && +equals("log.logdesc", "Admin login successful") && +exists("origin.ip") && +exists("log.user") +', '2026-02-09 16:41:54.437750', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.logdesc","operator":"filter_term","value":"Admin login failed"},{"field":"log.user","operator":"filter_term","value":"{{log.user}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","target.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (368, 'Fortinet Antivirus Malware Outbreak Detection', 3, 3, 2, 'Initial Access', 'T1566 - Phishing', 'Detects potential malware outbreak when multiple antivirus detections occur from the same source or targeting multiple destinations in a short time period. This could indicate a widespread infection attempt or a compromised system attempting to spread malware. + +Next Steps: +1. Identify the specific malware detected by reviewing the virus field in the alert details +2. Isolate the affected source IP addresses to prevent further spread +3. Check if the blocked malware attempts indicate successful infections on any endpoints +4. Review antivirus logs for the specific virus signature to understand the threat +5. 
Scan all systems that communicated with the identified source IPs +6. Update antivirus signatures and ensure all endpoints are protected +7. Consider blocking the source IP at the perimeter if it''s external +8. Document all affected systems and remediation actions taken +', '["https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/198726/antivirus","https://attack.mitre.org/techniques/T1566/"]', 'equals("log.type", "utm") && +equals("log.subtype", "virus") && +equals("action", "blocked") && +(exists("origin.ip") || exists("target.ip")) +', '2026-02-09 16:41:54.583358', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"log.type","operator":"filter_term","value":"utm"},{"field":"log.subtype","operator":"filter_term","value":"virus"},{"field":"action","operator":"filter_term","value":"blocked"}],"or":null,"within":"now-1h","count":5}]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (369, 'FortiGate Admin Login from Unusual Source', 3, 2, 1, 'Initial Access', 'T1078 - Valid Accounts', 'Detects FortiGate admin logins from unusual or external IP addresses. Successful administrative access from non-management networks may indicate credential compromise. + +Next Steps: +1. Verify the login was performed by a legitimate administrator +2. Check the geographic location of the source IP +3. Review actions performed during the admin session +4. Verify if trusted host restrictions are configured for admin accounts +5. Enable MFA for administrator accounts if not already active +6. 
If unauthorized, disable the account and audit recent changes +', '["https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/160372/list-of-log-types-and-subtypes","https://attack.mitre.org/techniques/T1078/"]', 'equals("log.logid", "0100032001") && +equals("log.type", "event") && +equals("log.subtype", "system") && +equals("log.logdesc", "Admin login successful") && +exists("origin.ip") && +!inCIDR("origin.ip", "10.0.0.0/8") && +!inCIDR("origin.ip", "172.16.0.0/12") && +!inCIDR("origin.ip", "192.168.0.0/16") && +!inCIDR("origin.ip", "127.0.0.0/8") +', '2026-02-09 16:41:54.727193', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (370, 'Data Loss Prevention Trigger', 3, 2, 1, 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 'Detects attempts to exfiltrate sensitive data that triggers DLP policies. This includes detection of credit card numbers, social security numbers, PII, financial records, and other regulated data attempting to leave the network. + +Next Steps: +1. Identify the source IP and user associated with the DLP violation +2. Review the DLP profile that was triggered to understand what type of sensitive data was involved +3. Check if this is part of a pattern of data exfiltration attempts from the same source +4. Verify if the blocked action was legitimate business activity or potential data theft +5. Review other logs from the same source IP for suspicious activities +6. Contact the user if needed to understand the context of the attempted data transfer +7. 
Consider implementing additional access controls if unauthorized access to suspected +', '["https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/153498/data-loss-prevention","https://attack.mitre.org/techniques/T1048/"]', '(equals("log.subtype", "dlp") && equals("log.action", "blocked")) || +(contains("log.msg", "DLP sensor")) || +(contains("log.msg", "sensitive data detected")) || +(exists("log.dlp_profile") && equals("log.dlp_action", "block")) || +(contains("log.msg", "Data pattern matched")) +', '2026-02-09 16:41:54.862436', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"log.subtype","operator":"filter_term","value":"dlp"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.dlp_profile","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (371, 'FortiGate VPN Authentication Brute Force', 3, 2, 1, 'Credential Access', 'T1133 - External Remote Services', 'Detects multiple SSL-VPN or IPsec VPN authentication failures from the same source IP on FortiGate, indicating brute force or credential stuffing attacks against remote access services. + +Next Steps: +1. Investigate the source IP and check threat intelligence databases +2. Review if the targeted user accounts exist and are active +3. Check for any successful VPN connections following the failures +4. Consider blocking the source IP or geo-restricting VPN access +5. Enable MFA for VPN access if not already configured +6. 
Check if the VPN portal is exposed to the internet unnecessarily +', '["https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/160372/list-of-log-types-and-subtypes","https://attack.mitre.org/techniques/T1133/"]', 'equals("log.type", "event") && +(equals("log.subtype", "vpn") || contains("log.msg", "vpn")) && +(contains("log.msg", ["ssl-login-fail", "tunnel-down", "negotiation-error", "auth-fail"]) || + contains("log.logdesc", ["SSL VPN login fail", "IPsec phase1 negotiation failed", "VPN tunnel down"])) && +exists("origin.ip") +', '2026-02-09 16:41:55.007696', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":10}]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (372, 'Fortinet IPS Critical Severity Detection', 3, 3, 2, 'Execution', 'T1203 - Exploitation for Client Execution', 'Detects critical severity IPS events indicating active exploitation attempts or severe security threats targeting the network. + +Next Steps: +1. Immediately investigate the source IP address and determine if it''s malicious +2. Check if the attack was successfully blocked by reviewing firewall logs +3. Identify the specific vulnerability or attack pattern that triggered the IPS alert +4. Review other security events from the same source IP across all systems +5. Consider blocking the source IP at the perimeter if multiple critical attacks are detected +6. Update IPS signatures and verify all systems are patched against the detected vulnerability +7. 
Document the incident and notify the security team if this is part of a larger campaign +', '["https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/331728/ips-sensors","https://attack.mitre.org/techniques/T1203/"]', 'contains("log.msg", "type=utm") && contains("log.msg", "subtype=ips") && (contains("log.msg", "severity=critical") || contains("log.msg", "severity=high")) && contains("log.msg", "action=blocked")', '2026-02-09 16:41:55.147127', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortigate-traffic-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (697, 'Windows: PowerShell Kerberos Ticket Request', 3, 2, 1, 'Credential Access', 'T1059 - Command and Scripting Interpreter', 'Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.', '["https://attack.mitre.org/tactics/TA0006/","https://attack.mitre.org/techniques/T1059/"]', 'regexMatch("log.message", "(KerberosRequestorSecurityToken)")', '2026-02-09 16:57:29.208224', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (373, 'FortiSandbox Malicious File Detection', 3, 3, 2, 
'Execution', 'T1204 - User Execution', 'Detects when FortiSandbox identifies a file as malicious based on behavioral analysis and static scanning. This indicates active malware attempting to infiltrate the network through file transfers or downloads. + +Next Steps: +- Immediately isolate the source IP address and affected systems +- Identify the file hash and search for other instances across the network +- Review network traffic from the source IP for additional suspicious activity +- Check if the malicious file was successfully blocked or if remediation is needed +- Update endpoint protection signatures with the identified file hash +- Investigate the user account associated with the file download/transfer +- Document the incident and notify the security team for further analysis +', '["https://docs.fortinet.com/document/fortisandbox/4.4.0/administration-guide/274898/how-files-determined-to-be-suspicious-low-medium-or-high","https://attack.mitre.org/techniques/T1204/"]', '(equals("log.subtype", "sandbox") && equals("log.verdict", "malicious")) || +(contains("log.msg", "sandbox verdict: malicious")) || +(equals("log.risk", "high") && equals("log.subtype", "sandbox")) || +(contains("log.msg", "FortiSandbox detected malware")) || +(contains("log.msg", "verdict=malicious")) || +(contains("log.msg", "subtype=sandbox") && contains("log.msg", "malicious")) +', '2026-02-09 16:41:55.296635', true, false, 'origin', null, '[]', '["lastEvent.log.filehash","adversary.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (374, 'FortiWeb Authentication Bypass Attempt Detected', 3, 3, 1, 'Defense Evasion, Persistence, Privilege Escalation, Initial Access', 'T1078 - Valid Accounts', 
'Detects authentication bypass attempts including direct access to protected resources, authentication flow manipulation, and credential stuffing attacks on FortiWeb protected applications. + +Next Steps: +1. Review the source IP address and check if it''s from a known location or VPN service +2. Examine the specific authentication bypass technique attempted (check log.attack_type and log.msg fields) +3. Verify if any successful authentication occurred from the same IP address +4. Check for other attack patterns from the same source IP in the last 24 hours +5. Consider blocking the source IP if multiple bypass attempts are confirmed +6. Review application logs for any successful unauthorized access +7. Validate that authentication mechanisms are properly configured and up to date +', '["https://docs.fortinet.com/document/fortiweb/7.2.2/log-message-reference/252057/event","https://attack.mitre.org/techniques/T1078/","https://attack.mitre.org/techniques/T1190/"]', 'exists("origin.ip") && +equals("log.type", "attack") && +( + equals("log.subtype", "account-lockout-detection") || + contains("log.msg", "authentication") || + contains("log.msg", "Authentication") || + contains("log.msg", "bypass") || + contains("log.msg", "unauthorized access") || + equals("log.attack_type", "auth_bypass") || + contains("log.trigger_policy", "auth") +) && +oneOf("action", ["deny", "alert", "block"]) +', '2026-02-09 16:41:55.436697', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, 
rule_group_by_def) values (375, 'FortiWeb File Upload Security Violation Detected', 3, 3, 2, 'Resource Development', 'T1608 - Stage Capabilities: Upload Malware', 'Detects file upload security violations including malicious file uploads, oversized files, restricted file types, and potential web shell upload attempts on FortiWeb protected applications. These violations could indicate attempts to upload malicious files, web shells, or bypass upload restrictions. + +Next Steps: +1. Review the blocked file upload attempt details, including file name, type, and size +2. Check if the source IP has made multiple file upload attempts in a short period +3. Examine the web application logs for the specific URL path being targeted +4. Verify if the file upload restriction policy is appropriate for the application +5. If malicious activity is confirmed, consider blocking the source IP temporarily +6. Review other requests from the same source IP for reconnaissance patterns +7. Check if similar file upload attempts have been made to other applications +', '["https://docs.fortinet.com/document/fortiweb/7.2.2/log-message-reference/252057/event","https://attack.mitre.org/techniques/T1608/","https://attack.mitre.org/techniques/T1505/003/"]', 'exists("origin.ip") && +( + contains("log.msg", "file upload") || + contains("log.msg", "File upload") || + contains("log.msg", "malicious file") || + contains("log.msg", "file type") || + contains("log.msg", "file size") || + contains("log.msg", "anti-virus") || + contains("log.msg", "upload violation") || + contains("log.msg", "upload blocked") +) +', '2026-02-09 16:41:55.567321', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-30m","count":3}]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, 
rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (376, 'FortiWeb SQL Injection Attack Detection', 3, 3, 2, 'Web Application Attack', 'T1190 - Exploit Public-Facing Application', 'Detects SQL injection attacks identified by FortiWeb WAF signatures. Multiple SQLi attempts from the same source indicate a targeted attack against database-backed applications. + +Next Steps: +1. Review the specific SQL injection payloads to assess severity +2. Check if the target application is vulnerable to the attempted injection +3. Verify the attack was blocked by FortiWeb +4. Review application logs for any successful SQLi exploitation +5. Investigate the source IP for additional attack patterns +6. Update WAF signatures and consider implementing parameterized queries +', '["https://docs.fortinet.com/document/fortiweb/7.4.3/administration-guide/210196/blocking-known-attacks","https://attack.mitre.org/techniques/T1190/"]', 'oneOf("action", ["deny", "block", "alert_deny", "alert"]) && +(regexMatch("log.msg", "(?i)(sql.*inject|union.*select|concat.*0x|xp_cmdshell|information_schema|benchmark.*sleep|extractvalue|updatexml|load_file|into.*outfile)") || + contains("log.attack_type", "sql_injection") || + contains("log.signature", "SQL Injection")) +', '2026-02-09 16:41:55.712275', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, 
rule_group_by_def) values (377, 'FortiWeb SSRF Attack Detection', 3, 2, 1, 'Web Application Attack', 'T1190 - Exploit Public-Facing Application', 'Detects Server-Side Request Forgery (SSRF) attacks identified by FortiWeb. SSRF attacks force the server to make requests to internal resources, potentially accessing cloud metadata services, internal APIs, or other restricted endpoints. + +Next Steps: +1. Review the SSRF payload to identify the target internal resource +2. Check if cloud metadata endpoints (169.254.169.254) were targeted +3. Verify the application is not vulnerable to SSRF +4. Review application code for user-controlled URL parameters +5. Implement URL allowlisting for server-side requests +6. Check for any successful SSRF exploitation in application logs +', '["https://docs.fortinet.com/document/fortiweb/7.4.3/administration-guide/210196/blocking-known-attacks","https://attack.mitre.org/techniques/T1190/"]', 'oneOf("action", ["deny", "block", "alert_deny", "alert"]) && +(regexMatch("log.msg", "(?i)(ssrf|server.*side.*request.*forg|169\\.254\\.169\\.254|metadata.*api|internal.*service|localhost|127\\.0\\.0\\.1.*redirect|0x7f000001|file:///|gopher://)") || + contains("log.attack_type", "ssrf") || + contains("log.signature", "SSRF")) +', '2026-02-09 16:41:55.862301', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (378, 'FortiWeb Web Shell Upload Detection', 3, 3, 3, 'Persistence', 'T1505.003 - Server Software Component: Web Shell', 
'Detects web shell upload attempts blocked or detected by FortiWeb. Web shells provide persistent remote access and command execution on compromised web servers.
+
+Next Steps:
+1. Verify if the upload attempt was blocked or if it succeeded
+2. Review the uploaded file name and extension for known web shell patterns
+3. Scan the web server for existing web shells that may have been uploaded earlier
+4. Check the upload endpoint for proper file validation controls
+5. Review the source IP for additional attack attempts
+6. If a web shell was successfully uploaded, immediately isolate the server
+', '["https://docs.fortinet.com/document/fortiweb/7.4.3/administration-guide/210196/blocking-known-attacks","https://attack.mitre.org/techniques/T1505/003/"]', 'oneOf("action", ["deny", "block", "alert_deny", "alert"]) &&
+(regexMatch("log.msg", "(?i)(web.*shell|backdoor.*upload|cmd.*shell|reverse.*shell|\.php.*upload|\.asp.*upload|\.jsp.*upload|c99|r57|china.*chopper|weevely|b374k)") ||
+ (contains("log.attack_type", "file_upload") && contains("log.msg", ["shell", "backdoor", "malicious"])) ||
+ regexMatch("log.msg", "(?i)(file.*upload.*violat|upload.*restrict|dangerous.*file.*type)"))
+', '2026-02-09 16:41:56.004881', true, false, 'origin', null, '[]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (379, 'FortiWeb OWASP Top 10 Violation Attempts', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects attempts to exploit OWASP Top 10 vulnerabilities including injection flaws, broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, and more. 
This rule triggers when FortiWeb blocks or alerts on attack attempts that match known OWASP Top 10 vulnerability patterns.
+
+Next Steps:
+1. Review the blocked request details in FortiWeb logs to understand the attack vector
+2. Check if the source IP has attempted multiple different attack types
+3. Verify if the targeted application has any known vulnerabilities
+4. Consider blocking the source IP if attacks persist
+5. Review application security headers and WAF rules for the targeted resource
+6. Check for any successful requests from the same source IP before the block
+7. Analyze the specific OWASP category and implement additional protections
+8. Review application code for the detected vulnerability type
+', '["https://docs.fortinet.com/document/fortiweb-cloud/23.3.0/user-guide/552829/known-attacks","https://owasp.org/www-project-top-ten/","https://attack.mitre.org/techniques/T1190/"]', 'oneOf("action", ["deny", "alert_deny", "block", "blocked"]) &&
+regexMatch("log.msg", "(?i)(injection|traversal|xxe|xml external entity|broken auth|sensitive data|security misconfig|owasp|sqli|xss|csrf|command injection|path traversal|lfi|rfi|deserialization)")
+', '2026-02-09 16:41:56.147214', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (380, 'FortiWeb Web Application Attack Detection', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects SQL injection, XSS, and other web application attacks blocked by FortiWeb WAF based on 
signature or syntax-based detection. These attacks attempt to exploit vulnerabilities in web applications to gain unauthorized access, steal data, or compromise application integrity.
+
+Next Steps:
+1. Review the specific attack type and payload in the FortiWeb logs
+2. Check if the source IP has a history of malicious activity
+3. Verify if the targeted application has known vulnerabilities
+4. Review application logs for any successful exploitation attempts
+5. Consider blocking the source IP if attacks persist
+6. Ensure WAF rules are up-to-date and properly configured
+7. Implement additional application-level security controls if needed
+8. Check for any bypass attempts or evasion techniques being used
+', '["https://docs.fortinet.com/document/fortiweb/7.6.0/administration-guide/981691/syntax-based-sql-xss-injection-detection","https://attack.mitre.org/techniques/T1190/"]', 'equals("action", "deny") &&
+(
+ equals("log.type", "attack") ||
+ equals("log.subtype", "waf") ||
+ oneOf("log.attack_type", ["SQL Injection", "Cross Site Scripting", "XSS", "SQLi"]) ||
+ contains("log.message", "sql injection") ||
+ contains("log.message", "SQL injection") ||
+ contains("log.message", "cross site scripting") ||
+ contains("log.message", "Cross Site Scripting") ||
+ contains("log.message", "xss") ||
+ contains("log.message", "XSS") ||
+ contains("log.message", "sqli") ||
+ contains("log.message", "SQLi") ||
+ equals("log.main_type", "SQL/XSS Syntax Based Detection")
+)
+', '2026-02-09 16:41:56.287116', true, false, 'origin', null, '[{"indexPattern":"v11-log-firewall-fortiweb-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"},{"field":"action","operator":"filter_term","value":"deny"}],"or":null,"within":"now-15m","count":3}]', '["adversary.ip","target.ip"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, 
rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (381, 'GitHub Action Secret Access Activity', 3, 3, 1, 'Collection', 'T1552 - Unsecured Credentials', 'Detects access, modification, or suspicious activities related to GitHub Action secrets. This could indicate attempts to steal credentials, API keys, or other sensitive information stored in repository or organization secrets.
+
+Next Steps:
+1. Review the GitHub audit logs to identify who accessed or modified the secrets
+2. Check if the user performing the action has legitimate business need for secret access
+3. Verify if any secrets were exposed in workflow logs or outputs
+4. Rotate any potentially compromised secrets immediately
+5. Review repository and organization permissions to ensure proper access controls
+6. Check for any unusual API calls or automated scripts accessing secrets
+7. Enable secret scanning alerts if not already configured
+8. 
Consider implementing additional controls like environment-specific secrets and approval workflows
+', '["https://docs.github.com/en/actions/security-guides/encrypted-secrets","https://attack.mitre.org/techniques/T1552/"]', 'oneOf("log.action", ["secret.create", "secret.update", "secret.remove"]) ||
+oneOf("log.action", ["actions.secret.create", "actions.secret.update", "actions.secret.remove", "dependabot.secret.create", "dependabot.secret.update", "dependabot.secret.remove"])
+', '2026-02-09 16:41:56.417751', true, false, 'origin', null, '[{"indexPattern":"v11-log-github-*","with":[{"field":"log.repositoryName","operator":"filter_term","value":"{{log.repositoryName}}"},{"field":"log.action","operator":"filter_match","value":"secret"}],"or":null,"within":"now-1h","count":3}]', '["lastEvent.log.action","lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (382, 'GitHub CODEOWNERS File Modification', 2, 3, 1, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects modifications to CODEOWNERS files which define required reviewers for code changes. Attackers may modify CODEOWNERS to remove review requirements for sensitive paths, enabling them to merge malicious code without proper review.
+
+Next Steps:
+1. Review the CODEOWNERS file changes and identify removed or modified ownership rules
+2. Check if critical paths (workflows, configs, secrets) lost their code owners
+3. Verify the committer is an authorized repository administrator
+4. Review PRs merged after the CODEOWNERS change for unreviewed code
+5. Check if branch protection still requires CODEOWNERS review
+6. 
If unauthorized, revert the CODEOWNERS change and review recent merges
+7. Implement branch protection rules requiring CODEOWNERS approval
+8. Set up alerts on changes to repository configuration files
+', '["https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners","https://attack.mitre.org/techniques/T1562/001/"]', '(equals("log.action", "git.push") || equals("log.action", "repo.update_file")) &&
+exists("log.senderLogin") &&
+contains("log.commitMessage", "CODEOWNERS")
+', '2026-02-09 16:41:56.557312', true, false, 'origin', null, '[{"indexPattern":"v11-log-github-*","with":[{"field":"log.repositoryName","operator":"filter_term","value":"{{log.repositoryName}}"},{"field":"log.senderLogin","operator":"filter_term","value":"{{log.senderLogin}}"}],"or":null,"within":"now-24h","count":2}]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (383, 'GitHub Dependabot Configuration Poisoning', 2, 3, 1, 'Supply Chain Compromise', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 'Detects modifications to dependabot.yml configuration files that could redirect dependency updates to malicious registries or introduce malicious packages. Attackers may modify the Dependabot configuration to substitute legitimate dependencies with malicious alternatives.
+
+Next Steps:
+1. Review the dependabot.yml changes for suspicious registry configurations
+2. Check if custom registries point to legitimate package repositories
+3. Verify the committer is an authorized repository maintainer
+4. 
Review recently opened Dependabot PRs for unexpected dependency changes
+5. Check if any malicious packages were introduced through dependency updates
+6. If malicious, revert the configuration and audit all recent dependency changes
+7. Implement CODEOWNERS to require review for configuration file changes
+8. Enable dependency review for pull requests
+', '["https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates","https://attack.mitre.org/techniques/T1195/002/"]', '(equals("log.action", "git.push") || equals("log.action", "repo.update_file")) &&
+exists("log.senderLogin") &&
+contains("log.commitMessage", "dependabot")
+', '2026-02-09 16:41:56.687351', true, false, 'origin', null, '[{"indexPattern":"v11-log-github-*","with":[{"field":"log.repositoryName","operator":"filter_term","value":"{{log.repositoryName}}"},{"field":"log.senderLogin","operator":"filter_term","value":"{{log.senderLogin}}"}],"or":null,"within":"now-24h","count":2}]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (384, 'GitHub App Installation Token Suspicious Access', 2, 2, 1, 'Credential Access', 'T1528 - Steal Application Access Token', 'Detects suspicious GitHub App installation and token activity from unexpected sources. Attackers who steal GitHub App private keys can generate installation tokens for any organization that installed the app, gaining broad access to repositories.
+
+Next Steps:
+1. Review the GitHub App installation and its configured permissions
+2. Verify the installation was authorized by an organization administrator
+3. 
Check the App''s webhook delivery history for unexpected endpoints
+4. Review repository access granted by the App installation
+5. Examine recent API calls made using the App''s installation token
+6. If compromised, revoke the App installation and rotate its private key
+7. Review all repositories the App had access to for unauthorized changes
+8. Implement IP allow-listing for the GitHub App
+', '["https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app","https://attack.mitre.org/techniques/T1528/"]', '(equals("log.action", "integration_installation.create") ||
+ equals("log.action", "integration_installation.repositories_added") ||
+ equals("log.action", "integration_installation.unsuspend")) &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:56.832339', true, false, 'origin', null, '[]', '["lastEvent.log.action","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (385, 'GitHub Environment Protection Rule Bypass', 2, 3, 1, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects changes to GitHub environment protection rules including removal of required reviewers, wait timers, or branch restrictions. Attackers may modify these protections to deploy malicious code to production environments without approval.
+
+Next Steps:
+1. Verify the environment protection change was authorized
+2. Review the specific protections that were modified or removed
+3. Check which deployment environment was affected (production, staging)
+4. Review recent deployments to the affected environment
+5. Verify the repository admin making the change
+6. 
If unauthorized, restore the environment protection rules immediately
+7. Review deployment logs for unauthorized deployments during the protection gap
+8. Implement required reviewers for critical environment changes
+', '["https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment","https://attack.mitre.org/techniques/T1562/001/"]', '(equals("log.action", "environment.update_protection_rule") ||
+ equals("log.action", "environment.delete_protection_rule") ||
+ equals("log.action", "environment.update") ||
+ equals("log.action", "environment.delete")) &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:56.982773', true, false, 'origin', null, '[]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (386, 'GitHub Mass Repository Cloning Detection', 3, 2, 1, 'Collection', 'T1213 - Data from Information Repositories', 'Detects when multiple repositories are cloned or accessed in a short time period, which could indicate data exfiltration or reconnaissance activities. This rule monitors for patterns of repository access that exceed normal user behavior, potentially indicating an insider threat or compromised account attempting to steal source code.
+
+Next Steps:
+1. Review the user account activity to determine if this is legitimate behavior
+2. Check if the user typically accesses multiple repositories as part of their role
+3. Verify if the account shows signs of compromise (unusual login locations, times, or authentication methods)
+4. Review which repositories were accessed and determine their sensitivity
+5. 
Contact the user to verify the activity if suspicious
+6. Consider temporarily suspending the account if malicious activity is confirmed
+7. Review access logs for the specific repositories that were cloned
+8. Check for any data downloads or exports from the same user session
+', '["https://docs.github.com/en/webhooks/webhook-events-and-payloads#push","https://attack.mitre.org/techniques/T1213/"]', '(equals("log.action", "clone") ||
+ equals("log.action", "git.clone") ||
+ equals("log.action", "git.fetch")) &&
+exists("log.repositoryName") &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:57.122256', true, false, 'origin', null, '[{"indexPattern":"v11-log-github-*","with":[{"field":"log.senderLogin","operator":"filter_term","value":"{{log.senderLogin}}"},{"field":"log.action","operator":"filter_match","value":"clone fetch"}],"or":null,"within":"now-30m","count":10}]', '["lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (387, 'GitHub Repository Visibility Changed to Public', 3, 2, 1, 'Data Exfiltration', 'T1537 - Transfer Data to Cloud Account', 'Detects when a private repository''s visibility is changed to public, potentially exposing proprietary source code, credentials, and sensitive configuration. This is a critical event that can lead to data exposure and intellectual property theft.
+
+Next Steps:
+1. Immediately verify if the visibility change was authorized
+2. Review the repository contents for secrets, credentials, and proprietary code
+3. Check if the repository was cloned or forked after becoming public
+4. Scan the repository for exposed API keys, passwords, and tokens
+5. 
If unauthorized, immediately revert the repository to private
+6. Rotate any secrets or credentials found in the repository
+7. Review the repository''s commit history for sensitive data
+8. Implement organization policy to prevent public repository creation
+', '["https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility","https://attack.mitre.org/techniques/T1537/"]', '(equals("log.action", "repo.access") ||
+ equals("log.action", "repo.visibility_change") ||
+ equals("log.action", "repo.update")) &&
+equals("log.visibility", "public") &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:57.262033', true, false, 'origin', null, '[]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (388, 'GitHub Organization Member to Owner Role Escalation', 3, 3, 2, 'Privilege Escalation', 'T1098 - Account Manipulation', 'Detects escalation of GitHub organization member roles from member to owner. Organization owners have full administrative access including managing billing, teams, repositories, and security settings. Unauthorized role escalation can lead to complete organizational compromise.
+
+Next Steps:
+1. Verify the role change was authorized by an existing organization owner
+2. Review the user being promoted and their business justification
+3. Check if the promoting owner''s account shows signs of compromise
+4. Review the new owner''s recent activities post-escalation
+5. Check for changes to organization settings, webhooks, or security configurations
+6. 
If unauthorized, immediately demote the user and investigate the promoting account
+7. Enable required two-factor authentication for all organization owners
+8. Implement audit log streaming for real-time organization event monitoring
+', '["https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization","https://attack.mitre.org/techniques/T1098/"]', '(equals("log.action", "org.update_member") ||
+ equals("log.action", "org.add_member")) &&
+equals("log.permission", "admin") &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:57.407580', true, false, 'origin', null, '[]', '["lastEvent.log.senderLogin","lastEvent.log.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (389, 'GitHub Self-Hosted Runner Compromise Detection', 3, 3, 2, 'Supply Chain Compromise', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 'Detects suspicious self-hosted runner operations including unexpected runner registration, deregistration, or workflows specifically targeting self-hosted runners. Compromised self-hosted runners can provide access to the internal network and secrets stored on the runner machine.
+
+Next Steps:
+1. Verify the runner registration or deregistration was authorized
+2. Review the runner''s labels and the workflows targeting it
+3. Check if the runner machine has been compromised
+4. Review secrets and environment variables accessible to the runner
+5. Examine recent workflow runs on the affected runner for malicious jobs
+6. If compromised, deregister the runner and re-image the machine
+7. Rotate all secrets and tokens accessible to the runner
+8. 
Implement runner groups with restricted repository access
+', '["https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners","https://attack.mitre.org/techniques/T1195/002/"]', '(equals("log.action", "self_hosted_runner.register") ||
+ equals("log.action", "self_hosted_runner.remove") ||
+ equals("log.action", "self_hosted_runner.update") ||
+ equals("log.action", "self_hosted_runner_group.create") ||
+ equals("log.action", "self_hosted_runner_group.update")) &&
+exists("log.senderLogin")
+', '2026-02-09 16:41:57.567191', true, false, 'origin', null, '[]', '["lastEvent.log.action","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (390, 'GitHub Secret Scanning Alert Detected', 3, 2, 1, 'Credential Access', 'T1552: Unsecured Credentials', 'Detects when GitHub''s secret scanning feature identifies potential secrets, API keys, or credentials committed to a repository. This could indicate inadvertent exposure of sensitive information that could be exploited by attackers.
+
+Next Steps:
+1. Immediately review the alert details to identify the exposed secret type and location
+2. Rotate or revoke the exposed credential immediately
+3. Remove the secret from the repository history using git filter-branch or BFG Repo-Cleaner
+4. Audit access logs for any unauthorized use of the exposed credential
+5. Review commit history to identify who committed the secret
+6. Implement pre-commit hooks to prevent future secret exposures
+7. 
Enable push protection in GitHub to prevent secrets from being pushed
+', '["https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning","https://attack.mitre.org/techniques/T1552/"]', 'equals("log.action", "secret_scanning_alert.created") || equals("log.action", "secret_scanning.new_alert") || (equals("log.alert_type", "secret") && equals("log.state", "open"))', '2026-02-09 16:41:57.722013', true, false, 'origin', null, '[]', '["lastEvent.log.alert_number","lastEvent.log.repositoryName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (391, 'GitHub Sensitive Data Commit Detection', 3, 2, 1, 'Collection', 'T1074 - Data Staged', 'Detects commits that may contain sensitive data such as API keys, passwords, private keys, or other credentials based on commit message patterns or file names.
+
+Next Steps:
+1. Review the commit content to verify if sensitive data was actually exposed
+2. Check the repository visibility (public vs private)
+3. If confirmed, immediately rotate any exposed credentials
+4. Remove the sensitive data from repository history using git filter-branch or BFG Repo-Cleaner
+5. Enable GitHub secret scanning for the repository
+6. Review repository access logs to determine if the exposed data was accessed
+7. 
Implement pre-commit hooks to prevent future credential commits
+', '["https://docs.github.com/en/webhooks/webhook-events-and-payloads#push","https://attack.mitre.org/techniques/T1074/"]', 'equals("log.action", "push") &&
+(contains("log.headCommitAdded", ".pem") ||
+ contains("log.headCommitAdded", ".key") ||
+ contains("log.headCommitAdded", ".p12") ||
+ contains("log.headCommitAdded", ".pfx") ||
+ contains("log.headCommitAdded", "id_rsa") ||
+ contains("log.headCommitAdded", "id_dsa") ||
+ contains("log.headCommitModified", ".pem") ||
+ contains("log.headCommitModified", ".key") ||
+ contains("log.headCommitModified", ".p12") ||
+ contains("log.headCommitModified", ".pfx") ||
+ contains("log.headCommitModified", "id_rsa") ||
+ contains("log.headCommitModified", "id_dsa"))
+', '2026-02-09 16:41:57.882248', true, false, 'origin', null, '[]', '["lastEvent.log.headCommitId","lastEvent.log.repositoryName"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (392, 'GitHub Workflow pull_request_target Injection', 3, 3, 1, 'Supply Chain Compromise', 'T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools', 'Detects modifications to GitHub Actions workflow files that may introduce pull_request_target trigger abuse. This trigger runs with repository write permissions and secrets access even on forked PRs, making it a high-value target for supply chain attacks.
+
+Next Steps:
+1. Review the workflow file changes for pull_request_target trigger usage
+2. Check if the workflow checks out PR head code (dangerous with pull_request_target)
+3. Verify the committer is an authorized repository maintainer
+4. 
Review the workflow for unsafe uses of PR title, body, or labels in script context
+5. Check for recent fork-based PRs that could exploit the workflow
+6. If malicious, revert the workflow change and review PR history
+7. Implement branch protection requiring code review for workflow changes
+8. Use workflow_run instead of pull_request_target where possible
+', '["https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target","https://attack.mitre.org/techniques/T1195/001/"]', '(equals("log.action", "workflows.completed_workflow_run") ||
+ equals("log.action", "workflows.created_workflow_run")) &&
+exists("log.senderLogin") &&
+(contains("log.workflowFileName", "pull_request_target") ||
+ contains("log.event", "pull_request_target"))
+', '2026-02-09 16:41:58.042469', true, false, 'origin', null, '[]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (393, 'GitHub Workflow Modifications Detected', 3, 3, 2, 'Initial Access', 'T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools', 'Detects modifications to GitHub Actions workflows which could be used to inject malicious code into the CI/CD pipeline or steal secrets. Attackers may modify workflows to execute arbitrary code, exfiltrate secrets, or compromise the software supply chain.
+
+Next Steps:
+1. Review the modified workflow files to identify any suspicious changes or additions
+2. Check if the user who made the modifications has legitimate access and business justification
+3. Look for any attempts to access secrets or environment variables in the workflow
+4. 
Verify if any external actions or Docker images were added that could be malicious
+5. Review commit history and pull request approvals for the workflow changes
+6. Consider temporarily disabling the workflow if suspicious activity is confirmed
+7. Audit repository access permissions and enable branch protection rules for workflow files
+8. Check for any unusual timing of modifications (off-hours, weekends)
+9. Verify the integrity of the repository and look for other suspicious activities
+10. Review access logs for the user account that made the modifications
+', '["https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows","https://attack.mitre.org/techniques/T1195/001/"]', '(equals("log.action", "workflows.updated") ||
+ equals("log.action", "workflows.created") ||
+ equals("log.action", "workflow_run.completed") ||
+ equals("log.action", "workflow_dispatch")) &&
+exists("log.repositoryName") &&
+exists("log.senderLogin") &&
+(contains("log.headCommitModified", ".github/workflows/") ||
+ contains("log.headCommitAdded", ".github/workflows/") ||
+ contains("log.path", ".github/workflows/") ||
+ contains("log.filename", ".github/workflows/"))
+', '2026-02-09 16:41:58.207656', true, false, 'origin', null, '[]', '["lastEvent.log.repositoryName","lastEvent.log.senderLogin"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (396, 'IBM AIX NIM Master Exploitation Detection', 3, 3, 3, 'Lateral Movement', 'T1210 - Exploitation of Remote Services', 'Detects exploitation of IBM AIX Network Installation Management (NIM) master to deploy malicious packages, modify client configurations, or perform lateral movement across AIX infrastructure.
+
+Next Steps:
+1. 
Verify the NIM operations were authorized
+2. Review NIM client configurations for unauthorized changes
+3. Check for malicious LPP/installp packages in NIM resources
+4. Verify NIM master access controls
+5. Review NIM client machine definitions
+6. Audit NIM operation logs for unauthorized deployments
+', '["https://www.ibm.com/docs/en/aix/7.2?topic=management-network-installation-nim","https://attack.mitre.org/techniques/T1210/"]', 'exists("log.message") &&
+(
+ (contains("log.message", "nim") && (
+ contains("log.message", "define") ||
+ contains("log.message", "cust") ||
+ contains("log.message", "maint") ||
+ contains("log.message", "bos_inst") ||
+ contains("log.message", "alt_disk_install")
+ )) ||
+ (contains("log.message", "nimclient") && contains("log.message", "-o")) ||
+ (contains("log.message", "NIM") && contains("log.message", "push") && contains("log.message", "operation")) ||
+ (contains("log.message", "lpp_source") && contains("log.message", "define"))
+)
+', '2026-02-09 16:47:09.768567', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-aix-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-30m","count":3}]', '["adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (412, 'GraphQL Abuse Detection', 2, 1, 1, 'API Abuse', 'T1190 - Exploit Public-Facing Application', 'Detects GraphQL abuse patterns including introspection queries, query batching, deeply nested queries for DoS, and unauthorized schema discovery. These techniques are used to enumerate APIs and exploit GraphQL endpoints.
+
+Next Steps:
+1. Review the GraphQL queries for malicious patterns
+2. 
Check if introspection queries exposed the schema +3. Verify if query batching was used for brute force +4. Implement query depth limiting and complexity analysis +5. Disable introspection in production environments +6. Deploy rate limiting for GraphQL endpoints +', '["https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html","https://attack.mitre.org/techniques/T1190/"]', 'exists("origin.ip") && +( + regexMatch("raw", "(?i)\\{\\s*__schema\\s*\\{") || + contains("raw", "IntrospectionQuery") || + contains("raw", "introspectionQuery") || + regexMatch("raw", "(?i)(query|mutation)\\s*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{") +) +', '2026-02-09 16:47:12.188202', true, false, 'origin', null, '[{"indexPattern":"v11-log-json-input-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-15m","count":5}]', '["adversary.ip","target.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (394, 'IBM AIX Unauthorized Crontab Modification Detection', 2, 3, 2, 'Persistence', 'T1053.003 - Scheduled Task/Job: Cron', 'Detects unauthorized crontab modifications on IBM AIX systems that could indicate persistence establishment by an attacker. Monitors for crontab changes, at job submissions, and modifications to /var/spool/cron. + +Next Steps: +1. Review the crontab entries that were added or modified +2. Verify the user account making the changes +3. Check the scheduled commands for malicious payloads +4. Review /var/spool/cron for all user crontabs +5. Implement cron.allow/cron.deny restrictions +6. 
Monitor execution of suspicious scheduled tasks +', '["https://www.ibm.com/docs/en/aix/7.2?topic=c-crontab-command","https://attack.mitre.org/techniques/T1053/003/"]', 'exists("log.message") && +( + (contains("log.message", "crontab") && ( + contains("log.message", "EDIT") || + contains("log.message", "REPLACE") || + contains("log.message", "-e") || + contains("log.message", "installed") + )) || + (contains("log.message", "/var/spool/cron") && ( + contains("log.message", "modified") || + contains("log.message", "created") || + contains("log.message", "changed") + )) || + (contains("log.message", "at ") && contains("log.message", "job")) || + (contains("log.message", "cron") && contains("log.message", "CMD") && ( + contains("log.message", "/tmp/") || + contains("log.message", "wget") || + contains("log.message", "curl") || + contains("log.message", "bash -c") || + contains("log.message", "python") + )) +) +', '2026-02-09 16:47:09.477618', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (395, 'IBM AIX Unauthorized HMC Access Detection', 3, 3, 3, 'Unauthorized Access', 'T1078 - Valid Accounts', 'Detects unauthorized access to the IBM Hardware Management Console (HMC) that controls Power Systems hardware. HMC access allows management of LPARs, firmware, and hardware resources. + +Next Steps: +1. Verify the HMC access was from an authorized administrator +2. Review the HMC operations performed during the session +3. Check for LPAR configuration changes +4. Verify HMC user accounts and access controls +5. Review HMC audit logs for additional suspicious activity +6. 
Implement multi-factor authentication for HMC access +', '["https://www.ibm.com/docs/en/power9?topic=console-hardware-management","https://attack.mitre.org/techniques/T1078/"]', 'exists("log.message") && +( + (contains("log.message", "HMC") && ( + contains("log.message", "login") || + contains("log.message", "authentication") || + contains("log.message", "session") + )) || + (contains("log.message", "hmcshutdown") || contains("log.message", "hmcrestart")) || + contains("log.message", "chsyscfg") || + (contains("log.message", "lpar") && ( + contains("log.message", "activate") || + contains("log.message", "shutdown") || + contains("log.message", "migrate") + )) || + (contains("log.message", "Power Systems") && contains("log.message", "remote access")) +) +', '2026-02-09 16:47:09.612632', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-aix-*","with":[{"field":"origin.host","operator":"filter_term","value":"{{origin.host}}"}],"or":null,"within":"now-30m","count":3}]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (397, 'IBM AIX Rootkit Indicator Detection', 3, 3, 3, 'Defense Evasion', 'T1014 - Rootkit', 'Detects AIX-specific rootkit indicators including hidden processes, modified system binaries, suspicious kernel extensions, and integrity violations in the Trusted Computing Base. + +Next Steps: +1. Run trustchk command to verify system binary integrity +2. Compare running processes with ps output for hidden processes +3. Check for modified shared libraries in /usr/lib +4. Review recently loaded kernel extensions +5. Initiate forensic investigation on the affected system +6. 
Consider rebuilding the system from trusted media +', '["https://www.ibm.com/docs/en/aix/7.2?topic=security-trusted-computing-base","https://attack.mitre.org/techniques/T1014/"]', 'exists("log.message") && +( + (contains("log.message", "trustchk") && contains("log.message", "FAIL")) || + (contains("log.message", "tcbck") && contains("log.message", "violation")) || + (contains("log.message", "TCB") && contains("log.message", "integrity")) || + (contains("log.message", "genkex") && contains("log.message", "unknown")) || + (contains("log.message", "/dev/kmem") && !equals("origin.user", "root")) || + (contains("log.message", "ld.so") && contains("log.message", "preload")) || + (contains("log.message", "LIBPATH") && contains("log.message", "modified")) || + contains("log.message", "LD_PRELOAD") +) +', '2026-02-09 16:47:09.917960', true, false, 'origin', null, '[]', '["adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (398, 'IBM AIX SSH Authorized Keys Manipulation Detection', 3, 3, 1, 'Persistence', 'T1098.004 - Account Manipulation: SSH Authorized Keys', 'Detects modifications to SSH authorized_keys files on IBM AIX systems. Attackers add their SSH public keys to maintain persistent access to compromised systems. + +Next Steps: +1. Review the authorized_keys file changes +2. Verify the added SSH keys belong to authorized users +3. Check which user accounts had keys modified +4. Remove unauthorized SSH keys immediately +5. Implement SSH key management policies +6. 
Monitor for SSH connections using the new keys +', '["https://www.ibm.com/docs/en/aix/7.2?topic=security-configuring-openssh","https://attack.mitre.org/techniques/T1098/004/"]', 'exists("log.message") && +( + (contains("log.message", "authorized_keys") && ( + contains("log.message", "modified") || + contains("log.message", "changed") || + contains("log.message", "written") || + contains("log.message", "appended") + )) || + (contains("log.message", ".ssh/authorized_keys") && exists("origin.user")) || + (contains("log.message", "ssh-rsa") && ( + contains("log.message", ">>") || + contains("log.message", "echo") + )) || + (contains("log.message", "sshd_config") && contains("log.message", "AuthorizedKeysFile")) +) +', '2026-02-09 16:47:10.048060', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (399, 'IBM AIX Intrusion Detection Alert', 3, 3, 2, 'Privilege Escalation', 'T1068 - Exploitation for Privilege Escalation', 'Detects intrusion attempts and security violations identified by the IBM AIX intrusion detection system, including suspicious activities, privilege escalation attempts, and potential system compromises. + +Next Steps: +1. Immediately isolate the affected system from the network to prevent lateral movement +2. Review the intrusion detection logs for specific details about the attack vector and affected resources +3. Check for any suspicious processes running with elevated privileges using ''ps aux'' and ''topas'' +4. Examine system integrity with ''trustchk'' command to verify critical system files +5. 
Review recent user authentication logs and check for unauthorized account creation or privilege changes +6. Collect forensic evidence including memory dumps, system logs, and file modifications +7. Apply security patches and update AIX security configurations based on the vulnerability exploited +8. Monitor related systems for similar intrusion attempts +9. Check for any unauthorized file modifications using ''find'' command with modification time filters +10. Review network connections and active ports using ''netstat'' and ''lsof'' commands +11. Validate system configuration against security baselines and hardening guides +12. Document the incident details and update security monitoring rules based on attack patterns +', '["https://www.ibm.com/docs/en/powersc-standard/2.1.0?topic=ids-configuring-intrusion-detection-prevention-idp-aix-endpoints","https://attack.mitre.org/techniques/T1068/"]', '( + equals("log.eventType", "ids") || + equals("log.eventType", "securityd") || + equals("log.eventType", "audit") || + contains("log.msg", "intrusion") || + contains("log.msg", "suspicious") || + contains("log.msg", "anomaly detected") +) && +( + contains("log.msg", "buffer overflow") || + contains("log.msg", "privilege escalation") || + contains("log.msg", "unauthorized modification") || + contains("log.msg", "rootkit") || + contains("log.msg", "backdoor") || + contains("log.msg", "suspicious process") || + contains("log.msg", "file integrity") || + contains("action", "ALERT") || + equals("log.returnCode", "1") +) +', '2026-02-09 16:47:10.192353', true, false, 'origin', null, '[]', '["target.host","target.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (400, 'IBM AIX Security 
Audit Subsystem Alert', 3, 3, 2, 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'Detects critical security events from the IBM AIX audit subsystem, including audit configuration changes, audit service disruptions, or attempts to tamper with audit logs. This rule identifies when the audit subsystem fails, is disabled, or when audit-related files are modified. + +Next Steps: +1. Verify the legitimacy of the audit subsystem changes with the system administrator +2. Check if this is part of scheduled maintenance or authorized configuration changes +3. Review the specific audit event type and return code for failure details +4. Examine the user account that performed the action and verify it has appropriate permissions +5. Investigate any recent changes to audit policies or configurations +6. Check for additional security events around the same time period +7. Verify audit log integrity and ensure no logs have been tampered with +8. Review system logs for any other indicators of compromise +', '["https://www.ibm.com/support/pages/aix-audit-audit-subsystem-aix","https://attack.mitre.org/techniques/T1562/"]', '(startsWith("log.eventType", "audit") && !equals("log.returnCode", "0")) || (contains("log.message", "audit") && (contains("log.message", "stop") || contains("log.message", "disable") || contains("log.message", "fail"))) || (equals("action", "FILE_MODIFY") && startsWith("log.objName", "/etc/security/audit/")) || (equals("log.commandType", "audit"))', '2026-02-09 16:47:10.337560', true, false, 'origin', null, '[]', '["lastEvent.log.eventType","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (401, 'IBM AIX System Integrity Violation 
Detected', 2, 3, 2, 'Defense Evasion', 'T1070 - Indicator Removal on Host', 'Detects attempts to compromise system integrity in IBM AIX, including unauthorized modifications to critical system files, audit tampering, security configuration changes, and privilege escalation attempts. This rule monitors for various indicators of system compromise including audit event tampering, security configuration file modifications, suspicious sudo usage, and privilege escalation attempts. + +Next Steps: +1. Immediately investigate the affected system and user account +2. Review audit logs for related suspicious activities +3. Check for unauthorized changes to system configuration files +4. Verify the legitimacy of any privilege escalation attempts +5. Monitor for additional indicators of compromise +6. Consider isolating the affected system if malicious activity is confirmed +7. Review backup and recovery procedures for critical system files +8. Examine command history and process execution logs +9. Validate user permissions and access controls +10. 
Check for presence of unauthorized tools or backdoors +', '["https://www.ibm.com/docs/en/ssw_aix_72/security/security_pdf.pdf","https://attack.mitre.org/techniques/T1070/"]', '(contains("log.eventType", "AUD_") && equals("action", "FILE_Write")) || (contains("log.objName", "/etc/security/") && equals("action", "FILE_Write")) || (equals("log.commandType", "sudo") && contains("origin.command", "passwd")) || (contains("log.msg", "audit") && contains("log.msg", "disable")) || (equals("log.osUserID", "root") && !equals("origin.user", "root"))', '2026-02-09 16:47:10.681940', true, false, 'origin', null, '[]', '["lastEvent.log.objName","adversary.host"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (402, 'IBM AIX Trusted Computing Base Violation', 3, 3, 2, 'Defense Evasion', 'T1070 - Indicator Removal', 'Detects violations of the Trusted Computing Base (TCB) in IBM AIX, including unauthorized modifications to critical system files, security database tampering, or attempts to modify files protected by TCB. TCB violations indicate potential system compromise or unauthorized privilege escalation attempts. + +Next Steps: +1. Immediately investigate the user account and source host involved in the TCB violation +2. Review the specific object/file that was modified and assess the impact +3. Check system logs for any related authentication failures or privilege escalation attempts +4. Verify the integrity of critical system files using tcbck command +5. Review recent system changes and patches that might have triggered legitimate TCB events +6. If malicious activity is confirmed, isolate the affected system and initiate incident response procedures +7. 
Consider running a full system integrity check and malware scan +', '["https://www.ibm.com/docs/en/aix/7.2?topic=configuration-trusted-computing-base","https://attack.mitre.org/techniques/T1070/"]', '(equals("log.eventType", "tcbck") && contains("log.message", "FAIL")) || (contains("log.message", "TCB") && (contains("log.message", "violation") || contains("log.message", "modified"))) || (equals("log.eventType", "FILE_Mode") && exists("log.objName") && startsWith("log.objName", "/etc/security/")) || (equals("action", "FILE_MODIFY") && exists("log.objName") && (startsWith("log.objName", "/usr/bin/") || startsWith("log.objName", "/usr/sbin/") || startsWith("log.objName", "/etc/security/")))', '2026-02-09 16:47:10.802736', true, false, 'origin', null, '[]', '["lastEvent.log.objName","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (403, 'IBM AIX Trusted Execution Violation', 3, 3, 2, 'Defense Evasion', 'T1036 - Masquerading', 'Detects violations of Trusted Execution (TE) policies in IBM AIX, including execution of untrusted binaries, signature verification failures, or attempts to bypass trusted execution controls. These violations may indicate attempts to execute malicious or unauthorized code on the system. + +Next Steps: +1. Immediately verify the integrity of the executed binary and its digital signature +2. Check if the binary is from a trusted source or has been tampered with +3. Review system logs for any concurrent privilege escalation attempts or suspicious activities +4. Examine the user''s recent activities, access patterns, and authentication history +5. Validate the system''s trusted execution configuration and policies are properly enforced +6. 
Check for any recent changes to the trusted execution database or policies +7. Analyze the source and nature of the untrusted binary or process +8. Consider isolating the affected system if malicious activity is confirmed +9. Review file system integrity and check for signs of compromise +10. Escalate to security team if this appears to be part of a broader attack +', '["https://www.ibm.com/support/pages/trusted-execution-enablement","https://attack.mitre.org/techniques/T1036/"]', '(equals("log.eventType", "trustchk") && !equals("log.returnCode", "0")) || (contains("log.msg", "Trusted Execution") && (contains("log.msg", "fail") || contains("log.msg", "violat"))) || (equals("log.eventType", "PROC_Execute") && contains("log.msg", "untrusted")) || (equals("action", "EXEC") && contains("log.objName", "/tmp/") && equals("origin.user", "root"))', '2026-02-09 16:47:10.933106', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (404, 'IBM AS/400 Audit Journal Disabling Detection', 2, 3, 1, 'Defense Evasion', 'T1562.002 - Impair Defenses: Disable Windows Event Logging', 'Detects attempts to disable or modify IBM AS/400 security auditing via CHGAUD, QAUDCTL, or QAUDLVL system value changes. Attackers disable auditing to cover their tracks. + +Next Steps: +1. Verify the audit configuration change was authorized +2. Re-enable auditing immediately if unauthorized +3. Check QAUDJRN journal for recent entries before the change +4. Review system activity during the audit gap +5. Restrict CHGAUD and system value change authority +6. 
Implement monitoring for audit control system values +', '["https://www.ibm.com/docs/en/i/7.5?topic=auditing-changing-security","https://attack.mitre.org/techniques/T1562/002/"]', 'exists("log.message") && +( + contains("log.message", "CHGAUD") || + (contains("log.message", "QAUDCTL") && contains("log.message", "*NONE")) || + (contains("log.message", "QAUDLVL") && contains("log.message", "changed")) || + (contains("log.message", "QAUDLVL2") && contains("log.message", "changed")) || + (contains("log.message", "audit") && contains("log.message", "disabled")) || + (contains("log.message", "QAUDJRN") && contains("log.message", "DLTJRN")) || + contains("log.message", "CHGSYSVAL SYSVAL(QAUDCTL) VALUE(''*NONE'')") +) +', '2026-02-09 16:47:11.062849', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (405, 'IBM AS/400 Unauthorized IFS Access Detection', 3, 2, 1, 'Collection', 'T1005 - Data from Local System', 'Detects unauthorized access to the IBM AS/400 Integrated File System (IFS). Monitors for access to sensitive directories, configuration files, and bulk file operations that could indicate data theft. + +Next Steps: +1. Review the IFS paths and files being accessed +2. Verify the user has authorization for the accessed directories +3. Check for bulk file downloads or copies +4. Review NetServer and FTP access logs +5. Restrict IFS directory permissions +6. 
Implement IFS object auditing for sensitive directories +', '["https://www.ibm.com/docs/en/i/7.5?topic=system-integrated-file","https://attack.mitre.org/techniques/T1005/"]', 'exists("log.message") && +( + (contains("log.message", "IFS") && ( + contains("log.message", "QSYS.LIB") || + contains("log.message", "/QIBM/") || + contains("log.message", "/home/") || + contains("log.message", "/tmp/") + ) && ( + contains("log.message", "access") || + contains("log.message", "read") || + contains("log.message", "copy") || + contains("log.message", "download") + )) || + (contains("log.message", "CPYFRMSTMF") || contains("log.message", "CPYTOSTMF")) || + (contains("log.message", "NetServer") && contains("log.message", "file access")) || + (contains("log.message", "FTP") && contains("log.message", "GET") && contains("log.message", "/QSYS")) +) +', '2026-02-09 16:47:11.207711', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-as400-*","with":[{"field":"log.message","operator":"filter_match","value":"IFS OR CPYFRMSTMF OR CPYTOSTMF OR NetServer"}],"or":null,"within":"now-15m","count":10}]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (406, 'IBM AS/400 Exit Point Tampering Detection', 3, 3, 2, 'Persistence', 'T1562 - Impair Defenses', 'Detects tampering with IBM AS/400 exit points using ADDEXITPGM to register malicious programs. Exit points intercept system operations and can be used for credential capture, data interception, or persistent backdoor access. + +Next Steps: +1. Review the exit point program being registered +2. Verify the exit point registration was authorized +3. Check the program source code for malicious functionality +4. 
List all registered exit points with WRKREGINF +5. Remove unauthorized exit point programs +6. Restrict ADDEXITPGM authority to security administrators +', '["https://www.ibm.com/docs/en/i/7.5?topic=programs-exit","https://attack.mitre.org/techniques/T1562/"]', 'exists("log.message") && +( + contains("log.message", "ADDEXITPGM") || + contains("log.message", "RMVEXITPGM") || + contains("log.message", "CHGEXITPGM") || + (contains("log.message", "exit point") && ( + contains("log.message", "registered") || + contains("log.message", "added") || + contains("log.message", "changed") + )) || + (contains("log.message", "WRKREGINF") && contains("log.message", "exit")) +) +', '2026-02-09 16:47:11.347239', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (407, 'IBM AS/400 Job Queue Manipulation Detection', 2, 3, 2, 'Execution', 'T1053 - Scheduled Task/Job', 'Detects suspicious job submissions and job queue manipulations on IBM AS/400 that could indicate unauthorized task execution with elevated authority or persistence mechanisms. + +Next Steps: +1. Review the submitted job details and user profile +2. Verify the job submission was authorized +3. Check if the job runs with elevated authority (USER parameter) +4. Review the job''s program and command list +5. Restrict SBMJOB authority for non-administrative users +6. 
Monitor job queue activity for unusual patterns +', '["https://www.ibm.com/docs/en/i/7.5?topic=concepts-job-queues","https://attack.mitre.org/techniques/T1053/"]', 'exists("log.message") && +( + (contains("log.message", "SBMJOB") && ( + contains("log.message", "USER(QSECOFR)") || + contains("log.message", "USER(QSYSOPR)") || + contains("log.message", "*ALLOBJ") + )) || + (contains("log.message", "CHGJOBQE") && exists("origin.user")) || + (contains("log.message", "HLDJOBQ") || contains("log.message", "RLSJOBQ")) || + (contains("log.message", "ADDJOBSCDE") && exists("origin.user")) || + (contains("log.message", "job") && contains("log.message", "submitted") && ( + contains("log.message", "QBATCH") || + contains("log.message", "QSYSNOMAX") + )) +) +', '2026-02-09 16:47:11.482092', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (408, 'IBM AS/400 Program Adopt Authority Abuse Detection', 3, 3, 2, 'Privilege Escalation', 'T1548 - Abuse Elevation Control Mechanism', 'Detects programs using adopted authority with *ALLOBJ special authority on IBM AS/400. Attackers create programs that adopt elevated privileges to bypass authorization controls and access sensitive objects. + +Next Steps: +1. Review the program using adopted authority +2. Verify the program owner and adoption profile +3. Check if *ALLOBJ authority is necessary for the program +4. Remove unnecessary adopted authority +5. Implement adopted authority auditing +6. 
Review all programs adopting elevated authority +', '["https://www.ibm.com/docs/en/i/7.5?topic=programs-adopted-authority","https://attack.mitre.org/techniques/T1548/"]', 'exists("log.message") && +( + (contains("log.message", "ADOPTED") && contains("log.message", "*ALLOBJ")) || + (contains("log.message", "ADOPT") && contains("log.message", "authority")) || + (contains("log.message", "CRTPGM") && contains("log.message", "USRPRF(*OWNER)")) || + (contains("log.message", "CHGPGM") && contains("log.message", "USRPRF(*OWNER)")) || + (contains("log.message", "program adopt") && contains("log.message", "special authority")) || + (contains("log.message", "adopted") && contains("log.message", "QSECOFR")) +) +', '2026-02-09 16:47:11.622623', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]'); +insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (409, 'IBM AS/400 Library List Manipulation Detection', 3, 3, 2, 'Privilege Escalation', 'T1574 - Hijack Execution Flow', 'Detects manipulation of IBM AS/400 library lists using CHGLIBL, ADDLIBLE, or CHGSYSLIBL commands. Attackers modify library lists to inject malicious programs that execute instead of legitimate system commands (library list hijacking). + +Next Steps: +1. Review the library list changes and added libraries +2. Verify the changes were authorized +3. Check the contents of added libraries for malicious programs +4. Compare program names in added libraries against system libraries +5. Remove unauthorized library list entries +6. 
Restrict CHGLIBL and ADDLIBLE authority
+', '["https://www.ibm.com/docs/en/i/7.5?topic=concepts-library-lists","https://attack.mitre.org/techniques/T1574/"]', 'exists("log.message") &&
+(
+ contains("log.message", "CHGLIBL") ||
+ contains("log.message", "ADDLIBLE") ||
+ contains("log.message", "CHGSYSLIBL") ||
+ contains("log.message", "RMVLIBLE") ||
+ (contains("log.message", "library list") && (
+ contains("log.message", "changed") ||
+ contains("log.message", "modified") ||
+ contains("log.message", "added")
+ )) ||
+ (contains("log.message", "EDTLIBL") && exists("origin.user"))
+)
+', '2026-02-09 16:47:11.768030', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-as400-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"}],"or":null,"within":"now-15m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (410, 'IBM AS/400 Remote Command Execution Detection', 3, 3, 2, 'Lateral Movement', 'T1021 - Remote Services', 'Detects remote command execution on IBM AS/400 via RCMD, RMTCMD, DDM, or DRDA protocols. These commands allow attackers to execute operations from remote systems.
+
+Next Steps:
+1. Identify the remote system and user executing commands
+2. Verify the remote command execution was authorized
+3. Review the commands being executed remotely
+4. Check DDM and DRDA connection configurations
+5. Restrict remote command execution authority
+6. Implement IP allowlisting for remote connections
+', '["https://www.ibm.com/docs/en/i/7.5?topic=ssw_ibm_i_75/cl/runrmtcmd.htm","https://attack.mitre.org/techniques/T1021/"]', 'exists("log.message") &&
+(
+ contains("log.message", "RUNRMTCMD") ||
+ contains("log.message", "RCMD") ||
+ contains("log.message", "RMTCMD") ||
+ (contains("log.message", "DDM") && contains("log.message", "command")) ||
+ (contains("log.message", "DRDA") && contains("log.message", "remote")) ||
+ (contains("log.message", "REXEC") && exists("origin.ip")) ||
+ (contains("log.message", "SBMRMTCMD") && exists("origin.user"))
+)
+', '2026-02-09 16:47:11.918185', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-as400-*","with":[{"field":"origin.user","operator":"filter_term","value":"{{origin.user}}"}],"or":null,"within":"now-30m","count":3}]', '["adversary.host","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (411, 'IBM AS/400 SQL Injection via ODBC/JDBC Detection', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects SQL injection attempts targeting IBM AS/400 through ODBC/JDBC connections. Monitors for suspicious SQL patterns in database server job logs and diagnostic messages.
+
+Next Steps:
+1. Review the SQL statements for injection patterns
+2. Identify the source application and ODBC/JDBC connection
+3. Check for successful unauthorized data access
+4. Patch the vulnerable application with parameterized queries
+5. Restrict ODBC/JDBC connection permissions
+6. Block the source IP if confirmed malicious
+', '["https://www.ibm.com/docs/en/i/7.5?topic=services-sql-diagnostic","https://attack.mitre.org/techniques/T1190/"]', 'exists("log.message") &&
+(
+ (contains("log.message", "SQL") && (
+ regexMatch("log.message", "(?i)UNION\\s+(ALL\\s+)?SELECT") ||
+ contains("log.message", "'' OR ''1''=''1") ||
+ contains("log.message", "''; DROP") ||
+ contains("log.message", "QSYS2.") ||
+ contains("log.message", "SYSCOLUMNS") ||
+ contains("log.message", "SYSTABLES") ||
+ regexMatch("log.message", "(?i)CHAR\\s*\\([0-9]+\\)") ||
+ contains("log.message", "information_schema")
+ )) ||
+ (contains("log.message", "ODBC") && contains("log.message", "SQL error")) ||
+ (contains("log.message", "JDBC") && contains("log.message", "syntax error"))
+)
+', '2026-02-09 16:47:12.048070', true, false, 'origin', null, '[{"indexPattern":"v11-log-ibm-as400-*","with":[{"field":"log.message","operator":"filter_match","value":"SQL error OR syntax error OR UNION SELECT OR DROP"}],"or":null,"within":"now-15m","count":5}]', '["adversary.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (707, 'Windows: New ActiveSyncAllowedDeviceID Added via PowerShell', 3, 2, 1, 'Persistence', 'T1098.002 - Account Manipulation: Additional Email Delegate Permissions', 'Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.', '["https://attack.mitre.org/tactics/TA0003/","https://attack.mitre.org/techniques/T1098/002/"]', 'oneOf("log.eventDataProcessName", ["powershell.exe", "pwsh.exe", "powershell_ise.exe"]) && regexMatch("log.message", "(Set-CASMailbox(.+)ActiveSyncAllowedDeviceIDs)")', '2026-02-09 16:57:30.922913', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (413, 'Unsafe Deserialization Attack Detected', 3, 3, 2, 'Initial Access', 'T1190 - Exploit Public-Facing Application', 'Detects attempts to exploit unsafe deserialization vulnerabilities through malicious JSON payloads containing serialized objects or code execution patterns. These attacks can lead to remote code execution, privilege escalation, or data compromise.
+
+Next Steps:
+1. Analyze the JSON payload structure and identify malicious patterns
+2. Check application logs for evidence of successful exploitation
+3. Review the target application''s deserialization implementation
+4. Implement input validation and use safe deserialization practices
+5. Monitor for any unusual process execution or system changes
+6. Consider blocking the source IP if attack patterns persist
+7. Examine target application for signs of compromise
+8. Review recent deployments or configuration changes
+9. Check for additional indicators of compromise on affected systems
+10. Document the attack pattern for threat intelligence purposes
+', '["https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_java.html","https://attack.mitre.org/techniques/T1190/"]', '(contains("raw", "java.lang.Runtime") ||
+ contains("raw", "java.lang.ProcessBuilder") ||
+ contains("raw", "$$beanFactory") ||
+ (contains("raw", "org.apache.commons.collections") && contains("raw", "Transformer")) ||
+ (contains("raw", "java.io.ObjectInputStream") && contains("raw", "exec")) ||
+ contains("raw", "com.sun.rowset.JdbcRowSetImpl") ||
+ contains("raw", "ysoserial") ||
+ contains("raw", "java.net.URLClassLoader"))
+', '2026-02-09 16:47:12.327720', true, false, 'origin', null, '[{"indexPattern":"v11-log-json-input-*","with":[{"field":"origin.ip","operator":"filter_term","value":"{{origin.ip}}"}],"or":null,"within":"now-10m","count":3}]', '["adversary.ip","target.host"]');
+insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (414, 'JSON Hijacking Attempt Detected', 3, 2, 1, 'Execution', 'JSON Hijacking', 'Detects attempts to hijack JSON data through malicious script tags, Array constructor overrides, or cross-domain data theft patterns. JSON hijacking attacks attempt to steal sensitive data by exploiting vulnerabilities in JSON responses through script tag inclusion or prototype manipulation.
+
+Next Steps:
+1. Review the request details and identify the source of the hijacking attempt
+2. Check if the origin IP is from a known malicious source
+3. Examine the full request payload for additional malicious indicators
+4. Verify if any sensitive data was exposed in the JSON response
+5. Implement proper CSRF tokens and validate referer headers
+6. Consider blocking the source IP if malicious activity is confirmed
+7. Review application code for proper JSON response security measures
+', '["https://owasp.org/www-community/attacks/JSON_Hijacking","https://attack.mitre.org/techniques/T1059/007/"]', '(contains("raw", "") ||
+ contains("log.callback", "javascript:") ||
+ contains("log.callback", "alert(") ||
+ contains("log.callback", "eval(") ||
+ contains("log.callback", "Function(") ||
+ contains("log.callback", ".constructor("))) ||
+(exists("log.url_query") &&
+ contains("log.url_query", "callback=") &&
+ contains("log.url_query", "