elastic · piellick · Mar 29, 2022 · Apr 7, 2022
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -141654,6 +141654,16 @@ type: integer
 
 --
 
+*`sophos.xg.fw_rule_type`*::
++
+--
+Firewall Rule type which is applied on the traffic
+
+
+type: keyword
+
+--
+
 *`sophos.xg.user_name`*::
 +
 --
@@ -141910,6 +141920,16 @@ type: keyword
 ICMP code of ICMP traffic
 
 
+type: keyword
+
+--
+
+*`sophos.xg.victim`*::
++
+--
+Target in which signature is classified
+
+
 type: keyword
 
 --

@@ -74,6 +74,11 @@
       description: >
         Firewall Rule ID which is applied on the traffic
 
+    - name: fw_rule_type
+      type: keyword
+      description: >
+        Firewall Rule type which is applied on the traffic
+
     - name: user_name
       type: keyword
       description: >
@@ -204,6 +209,11 @@
       description: >
         ICMP code of ICMP traffic
 
+    - name: victim
+      type: keyword
+      description: >
+        Target in which signature is classified
+
     - name: sent_pkts
       type: long
       description: >

@@ -428,6 +428,9 @@ processors:
 #############
 ## Cleanup ##
 #############
+- lowercase:
+      field: sophos.xg.fw_rule_type
+      ignore_failure: true
 - lowercase:
       field: network.protocol
       ignore_failure: true
@@ -442,11 +445,25 @@ processors:
     - sophos.xg.dst_port
     - sophos.xg.tran_dst_port
     - sophos.xg.recv_bytes
+    - sophos.xg.bytes_received
     - sophos.xg.recv_pkts
+    - sophos.xg.packets_received
     - sophos.xg.src_port
     - sophos.xg.tran_src_port
     - sophos.xg.sent_bytes
+    - sophos.xg.bytes_sent
     - sophos.xg.sent_pkts
+    - sophos.xg.packets_sent
+    - sophos.xg.src_trans_ip
+    - sophos.xg.src_trans_port
+    - sophos.xg.dst_trans_ip
+    - sophos.xg.dst_trans_port
+    - sophos.xg.src_zone_type
+    - sophos.xg.dst_zone_type
+    - sophos.xg.src_zone
+    - sophos.xg.dst_zone
+    - sophos.xg.con_event
+    - sophos.xg.qualifier
     ignore_missing: true
 on_failure:
 - set:

@@ -161,6 +161,72 @@ processors:
     if: "ctx.event.severity == '7' "
     value: debug
 
+# Fix up naming differences between products.
+- rename:
+    field: sophos.xg.device_name
+    target_field: sophos.xg.device
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.device_name != null && ctx.sophos?.xg?.device_model != null'
+- rename:
+    field: sophos.xg.device_model
+    target_field: sophos.xg.device_name
+    ignore_missing: true
+- rename:
+    field: sophos.xg.device_serial_id
+    target_field: sophos.xg.device_id
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.device_serial_id != null'
+- rename:
+    field: sophos.xg.severity
+    target_field: sophos.xg.priority
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.severity != null'
+- rename:
+    field: sophos.xg.src_country
+    target_field: sophos.xg.src_country_code
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.src_country != null'
+- rename:
+    field: sophos.xg.dst_country
+    target_field: sophos.xg.dst_country_code
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.dst_country != null'
+- rename:
+    field: sophos.xg.hb_status
+    target_field: sophos.xg.hb_health
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.hb_status != null'
+- rename:
+    field: sophos.xg.app_resolved_by
+    target_field: sophos.xg.appresolvedby
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.app_resolved_by != null'
+- rename:
+    field: sophos.xg.app_technology
+    target_field: sophos.xg.application_technology
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.app_technology != null'
+- rename:
+    field: sophos.xg.app_category
+    target_field: sophos.xg.application_category
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.app_category != null'
+- rename:
+    field: sophos.xg.app_name
+    target_field: sophos.xg.application_name
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.app_name != null'
+- rename:
+    field: sophos.xg.app_risk
+    target_field: sophos.xg.application_risk
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.app_risk != null'
+- rename:
+    field: sophos.xg.os_name
+    target_field: sophos.xg.platform
+    ignore_missing: true
+    if: 'ctx.sophos?.xg?.os_name != null'
+
 ##########################
 ## ECS Observer Mapping ##
 ##########################
@@ -249,12 +315,14 @@ processors:
     - sophos.xg.srczone
     - sophos.xg.dstzone
     - sophos.xg.log_occurrence
+    - sophos.xg.log_version
     - sophos.xg.nat_rule_id
     - sophos.xg.in_display_interface
     - sophos.xg.out_display_interface
     - syslog5424_pri
     ignore_missing: true
 
+
 ###############################
 ## Product Speific Pipelines ##
 ###############################

@@ -20,3 +20,13 @@
 <30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0
 <01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.2.3.4 src_country_code=ESP dst_ip=4.3.2.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=2.4.6.8 tran_src_port=0 tran_dst_ip=8.6.4.2 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
 <01>device="SFW" date=2020-06-05 time=03:45:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name="" user_gp="" iap=13 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="2674291981" vconnid="" hb_health="No Heartbeat"message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1
+<30>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="010202601001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="N/A" nat_rule_id="0" fw_rule_type="NETWORK" ether_type="IPv4 (0x0800)" in_interface="Port6" src_mac="2c:33:11:f2:bb:47" src_ip="127.0.0.1" src_country="USA" dst_ip="127.0.0.1" dst_country="CHE" protocol="TCP" src_port=42324 dst_port=443 hb_status="No Heartbeat" message="Invalid packet." app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port6"
+<30>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="59" nat_rule_id="28" fw_rule_type="USER" ips_policy_id=1 ether_type="Unknown (0x0000)" in_interface="Port6" out_interface="LAG10GB.306" src_mac="2C:33:11:F2:BB:47" dst_mac="00:AA:20:15:0E:2A" src_ip="51.103.157.232" src_country="CHE" dst_ip="127.0.0.16" dst_country="CHE" protocol="TCP" src_port=51021 dst_port=443 src_trans_ip="127.0.0.1" dst_trans_ip="127.0.0.1" src_zone_type="WAN" src_zone="WAN" dst_zone_type="LAN" dst_zone="LAN" con_event="Start" con_id="1924732224" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port6" out_display_interface="LAG10GB.306"
+<29>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="018201500005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" log_version=1 severity="Notice" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" ether_type="IPv4 (0x0800)" in_interface="LAG10GB.302" src_mac="00:0c:29:a7:37:d4" src_ip="127.0.0.1" src_country="R1" dst_ip="10.100.1.33" dst_country="R1" protocol="ICMP" icmp_type=3 icmp_code=3 src_zone_type="LAN" src_zone="LAN" con_event="Interim" con_id="14687552" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="LAG10GB.302"
+<29>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="018201500005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" log_version=1 severity="Notice" fw_rule_id="5" nat_rule_id="0" fw_rule_type="USER" ips_policy_id=13 app_name="SIP Request" app_risk=3 app_technology="Network Protocol" app_category="VoIP" ether_type="IPv4 (0x0800)" in_interface="LAG10GB.20" src_mac="20:67:7c:ee:28:48" src_ip="127.0.0.12" src_country="CHE" dst_ip="185.165.190.34" dst_country="RUS" protocol="ICMP" icmp_type=3 icmp_code=10 src_zone_type="WAN" src_zone="WAN" con_event="Interim" con_id="11841597" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="LAG10GB.20"
+<30>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="85" nat_rule_id="125" fw_rule_type="USER" ether_type="Unknown (0x0000)" in_interface="Port6" out_interface="LAG10GB.333" src_mac="2C:33:11:F2:BB:47" dst_mac="00:AA:20:15:0E:2A" src_ip="127.0.0.1" src_country="MCO" dst_ip="127.0.0.18" dst_country="CHE" protocol="TCP" src_port=7781 dst_port=33094 dst_trans_ip="127.0.0.1" dst_trans_port=3389 src_zone_type="WAN" src_zone="WAN" dst_zone_type="LAN" dst_zone="LAN" con_event="Start" con_id="1034987392" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port6" out_display_interface="LAG10GB.333"
+<29>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="018201500005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" log_version=1 severity="Notice" fw_rule_id="5" nat_rule_id="0" fw_rule_type="USER" ips_policy_id=13 ether_type="IPv4 (0x0800)" in_interface="LAG10GB.20" src_mac="e4:3d:1a:90:5e:10" src_ip="127.0.0.1" src_country="CHE" dst_ip="127.0.0.1" dst_country="USA" protocol="ICMP" icmp_type=3 icmp_code=10 src_zone_type="WAN" src_zone="WAN" con_event="Interim" con_id="13303728" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="LAG10GB.20"
+<30>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=37 fw_rule_id="13" nat_rule_id="0" fw_rule_type="USER" app_name="DNS" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="LAG10GB.20" out_interface="Port6" src_mac="48:DF:37:B4:8E:AA" dst_mac="00:AA:20:AC:B5:AA" src_ip="127.0.0.1" src_country="CHE" dst_ip=127.0.0.1" dst_country="USA" protocol="UDP" src_port=43988 dst_port=53 packets_sent=1  packets_received=1 bytes_sent=61 bytes_received=233 src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2550962432" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="LAG10GB.20" out_display_interface="Port6"
+<29>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="018201500005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" log_version=1 severity="Notice" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" ether_type="IPv4 (0x0800)" in_interface="LAG10GB.302" src_mac="00:0c:29:a7:37:d4" src_ip="127.0.0.1" src_country="R1" dst_ip="10.100.1.32" dst_country="R1" protocol="ICMP" icmp_type=3 icmp_code=3 src_zone_type="LAN" src_zone="LAN" con_event="Interim" con_id="3230141495" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="LAG10GB.302"
+<29>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="018201500005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" log_version=1 severity="Notice" fw_rule_id="5" nat_rule_id="0" fw_rule_type="USER" ips_policy_id=13 ether_type="IPv4 (0x0800)" in_interface="LAG10GB.20" src_mac="20:67:7c:ee:88:c0" src_ip="127.0.0.1" src_country="AZE" dst_ip="192.241.215.211" dst_country="USA" protocol="ICMP" icmp_type=3 icmp_code=10 src_zone_type="WAN" src_zone="WAN" con_event="Interim" con_id="3227724200" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="LAG10GB.20"
+<30>device_name="SFW" timestamp="2022-03-29T11:31:46+0200" device_model="XG310" device_serial_id="C54AAAAAQDJQB7D" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="13" nat_rule_id="0" fw_rule_type="USER" ether_type="Unknown (0x0000)" in_interface="LAG10GB.20" out_interface="Port6" src_mac="20:67:7C:EE:88:B8" dst_mac="00:AA:20:AC:B5:AA" src_ip="127.0.0.1" src_country="CHE" dst_ip="142.250.184.198" dst_country="USA" protocol="UDP" src_port=37704 dst_port=443 src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="927688256" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="LAG10GB.20" out_display_interface="Port6"