diff --git a/packages/sophos/_dev/deploy/docker/docker-compose.yml b/packages/sophos/_dev/deploy/docker/docker-compose.yml
index df715ab5c66..2162572ef10 100644
--- a/packages/sophos/_dev/deploy/docker/docker-compose.yml
+++ b/packages/sophos/_dev/deploy/docker/docker-compose.yml
@@ -7,25 +7,25 @@ services:
 - ${SERVICE_LOGS_DIR}:/var/log
 command: /bin/sh -c "cp /sample_logs/* /var/log/"
 sophos-utm-udp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.7.0
 volumes:
 - ./sample_logs:/sample_logs:ro
 entrypoint: /bin/bash
 command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=udp /sample_logs/sophos-utm-*.log"
 sophos-utm-tcp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.7.0
 volumes:
 - ./sample_logs:/sample_logs:ro
 entrypoint: /bin/bash
 command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=tcp /sample_logs/sophos-utm-*.log"
 sophos-xg-udp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.7.0
 volumes:
 - ./sample_logs:/sample_logs:ro
 entrypoint: /bin/bash
 command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=udp /sample_logs/sophos-xg*.log"
 sophos-xg-tcp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.7.0
 volumes:
 - ./sample_logs:/sample_logs:ro
 entrypoint: /bin/bash
diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml
index b74db259ffe..44a15d4c8f3 100644
--- a/packages/sophos/changelog.yml
+++ b/packages/sophos/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.3"
+ changes:
+ - description: Update pipelines to parse new fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2163
 - version: "1.2.2"
 changes:
 - description: Add documentation for multi-fields
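Review bot: The four `image:` lines switched in this hunk pin the stream container by tag only, `docker.elastic.co/observability/stream:v0.7.0`, so each test run pulls whatever that tag resolves to at pull time and an upstream re-tag would change the replay behaviour with no diff in this repository. Pinning by digest, `image: docker.elastic.co/observability/stream:v0.7.0@sha256:<digest placeholder>`, keeps the sample-log replay reproducible and turns any move of the image into a visible, reviewable change. With all four services now sharing the same image, volumes and entrypoint, a Compose extension field (`x-stream: &stream` merged via `<<: *stream`) would reduce the next bump to a single line, at the usual readability cost of anchors.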
diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-common-config.yml b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-common-config.yml
+++ b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
index abcd92a8aef..b6d403c9205 100644
--- a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
@@ -4,9 +4,6 @@
 "ecs": {
 "version": "8.0.0"
 },
- "event": {
- "ingested": "2022-01-25T18:09:17.570966135Z"
- },
 "message": "2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'",
 "tags": [
 "preserve_original_event"
@@ -16,9 +13,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570972928Z" - }, "message": "2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu", "tags": [ "preserve_original_event" @@ -28,9 +22,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570974585Z" - }, "message": "2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin", "tags": [ "preserve_original_event" 
@@ -40,9 +31,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570976044Z" - }, "message": "2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq", "tags": [ "preserve_original_event" @@ -52,9 +40,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570977317Z" - }, "message": "2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations", "tags": [ "preserve_original_event" @@ -64,9 +49,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570978540Z" - }, "message": "2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", "tags": [ "preserve_original_event" @@ -76,9 +58,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570979753Z" - }, "message": "2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff", "tags": [ "preserve_original_event" @@ -88,9 +67,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570980980Z" - }, "message": "2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port!", "tags": [ "preserve_original_event" @@ -100,9 +76,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570982181Z" - }, "message": "2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode", "tags": [ "preserve_original_event" 
@@ -112,9 +85,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570983402Z" - }, "message": "2016:6:5-21:33:08 ore5643.api.lan reverseproxy: [metco] [acom:high] [pid 2164:nim] ModSecurity: utaliqu compiled version=\"rsi\"; loaded version=\"taliqui\"", "tags": [ "preserve_original_event" @@ -124,9 +94,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570984622Z" - }, "message": "2016:6:20-04:35:42 ciun39.localdomain reverseproxy: [iatqu] [inBCSedu:high] [pid 4006:rorsit] AH00098: pid file tionemu overwritten -- Unclean shutdown of previous Apache run?", "tags": [ "preserve_original_event" @@ -136,9 +103,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570986105Z" - }, "message": "2016:7:4-11:38:16 atatnon6064.www.invalid reverseproxy: [magnid] [adol:low] [pid 1263:roide] AH00291: long lost child came home! (pid tem)", "tags": [ "preserve_original_event" @@ -148,9 +112,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570987332Z" - }, "message": "2016:7:18-18:40:50 gitse2463.www5.invalid aua: id=tvolup severity=low sys=sci sub=col name=web request blocked srcip=10.42.252.243 user=agnaaliq caller=est engine=mquisno", "tags": [ "preserve_original_event" @@ -160,9 +121,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570988617Z" - }, "message": "2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed", "tags": [ "preserve_original_event" @@ -172,9 +130,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570989850Z" - }, "message": "2016:8:16-08:45:59 oriosam6277.mail.localdomain frox: Listening on 10.169.5.162:6676", "tags": [ "preserve_original_event" 
@@ -184,9 +139,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570991171Z" - }, "message": "2016:8:30-15:48:33 ptate3830.internal.localhost reverseproxy: [quamqua] [ntut:high] [pid 5996:meum] AH02572: Failed to configure at least one certificate and key for mini:Loremip", "tags": [ "preserve_original_event" @@ -196,9 +148,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570992504Z" - }, "message": "2016:9:13-22:51:07 nvo6105.invalid reverseproxy: [amquaer] [aqui:medium] [pid 3340:lpa] AH00020: Configuration Failed, isn", "tags": [ "preserve_original_event" @@ -208,9 +157,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570993723Z" - }, "message": "2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully", "tags": [ "preserve_original_event" @@ -220,9 +166,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570994918Z" - }, "message": "2016:10:12-12:56:16 edic2758.api.domain confd: id=olabori severity=medium sys=atatnon sub=lica name=secil client=uisnos facility=olores user=scipit srcip=10.54.169.175 version=1.5889 storage=onorumet object=ptatema class=eavolup type=ipsumq attributes=evitcount=tno node=iss account=taspe", "tags": [ "preserve_original_event" @@ -232,9 +175,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570996148Z" - }, "message": "2016:10:26-19:58:50 aua[32]: id=mmo severity=high sys=tlaboru sub=aeabillo name=checking if admin is enabled srcip=10.26.228.145 user=eruntmo caller=nimve engine=usanti", "tags": [ "preserve_original_event" @@ -244,9 +184,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570997410Z" - }, "message": "2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195.", "tags": [ "preserve_original_event" 
@@ -256,9 +193,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570998686Z" - }, "message": "2016:11:24-10:03:59 ectobeat3157.mail.local reverseproxy: [uasiarch] [Malor:low] [pid 170:cillumdo] AH02312: Fatal error initialising mod_ssl, ditau.", "tags": [ "preserve_original_event" @@ -268,9 +202,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.570999885Z" - }, "message": "2016:12:8-17:06:33 ident2323.internal.corp reverseproxy: [hend] [remagna:high] [pid 873:aparia] AH01909: 10.144.21.112:90:epteurs server certificate does NOT include an ID which matches the server name", "tags": [ "preserve_original_event" @@ -280,9 +211,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571001229Z" - }, "message": "2016:12:23-00:09:07 ttenb4581.www.host httpproxy: [rem] main (exer) shutdown finished, exiting", "tags": [ "preserve_original_event" @@ -292,9 +220,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571002420Z" - }, "message": "2017:1:6-07:11:41 lapari5763.api.invalid frox: Listening on 10.103.2.48:4713", "tags": [ "preserve_original_event" @@ -304,9 +229,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571003645Z" - }, "message": "2017:1:20-14:14:16 elites4713.www.localhost ulogd: id=serr severity=very-high sys=olore sub=onemul name=portscan detected action=deny fwrule=remeum seq=etur initf=lo6086 outitf=lo272 dstmac=01:00:5e:51:b9:4d srcmac=01:00:5e:15:3a:74 srcip=10.161.51.135 dstip=10.52.190.18 proto=isni length=quid tos=aUten prec=Duis ttl=uisq srcport=7807 dstport=165 tcpflags=accus info=CSed code=tiu type=wri", "tags": [ "preserve_original_event" 
@@ -316,9 +238,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571004885Z" - }, "message": "2017:2:3-21:16:50 sam1795.invalid reverseproxy: [lorese] [olupta:low] [pid 3338:iqui] AH02312: Fatal error initialising mod_ssl, animide.", "tags": [ "preserve_original_event" @@ -328,9 +247,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571006091Z" - }, "message": "2017:2:18-04:19:24 confd[10]: id=arch severity=high sys=data sub=ugits name=ittenb client=tobeatae facility=ntut user=llum srcip=10.232.108.32 version=1.5240 storage=idolo object=mqu class=mquido type=ende attributes=ntmollitcount=tisu node=ionofdeF account=rsp", "tags": [ "preserve_original_event" 
@@ -340,9 +256,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571007384Z" - }, "message": "2017:3:4-11:21:59 nostrum6305.internal.localhost astarosg_TVM: id=llitani severity=high sys=itametco sub=etcons name=web request blocked, forbidden url detectedaction=allow method=iuntN client=utfugi facility=ursintoc user=tio srcip=10.89.41.97 dstip=10.231.116.175 version=1.5146 storage=lup ad_domain=mipsamv object=exeacomm class=sequines type=cto attributes=cusacount=nderi node=tem account=tcustatuscode=eumiu cached=nim profile=pteurs filteraction=ercitati size=835 request=ptat url=https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn referer=https://example.com/taliqui/idi.txt?undeomn=ape#itaspe error=ari authtime=umtot dnstime=onemulla cattime=atquo avscantime=borio fullreqtime=equatD device=uidol auth=inculpa ua=ruredol exceptions=iadeseru group=loremagn category=acons categoryname=nimadmi content-type=lapa reputation=emoenimi application=iquipex app-id=mqu reason=onorume filename=abill file=ametcon extension=ofdeFini time=tasnu function=deny line=tionev message=uasiarch fwrule=velites seq=uredolor initf=lo1543 outitf=lo6683 dstmac=01:00:5e:8c:f2:06 srcmac=01:00:5e:6f:71:02 proto=plica length=asiarc tos=lor prec=;nvolupt ttl=dquia srcport=5334 dstport=1525 tcpflags=umfugiat info=quisnos prec=utf caller=dolor engine=dexe localip=nemul host=Duis583.api.local extra=eavolupt server=10.17.51.153 cookie=aperiame set-cookie=stenat", "tags": [ "preserve_original_event" @@ -352,9 +265,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571008590Z" - }, "message": "2017:3:18-18:24:33 xeaco7887.www.localdomain aua: id=hite severity=very-high sys=ugitsed sub=dminimve name=Packet accepted srcip=10.137.165.144 user=uptate caller=tot engine=reme", "tags": [ "preserve_original_event" 
@@ -364,9 +274,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571009867Z" - }, "message": "2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"iscivel3512.invalid\"] [uri \"atcupi\"] [unique_id \"eriti\"]", "tags": [ "preserve_original_event" @@ -376,9 +283,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571011070Z" - }, "message": "2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running", "tags": [ "preserve_original_event" @@ -388,9 +292,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571012267Z" - }, "message": "2017:4:30-15:32:16 dolor5799.home afcd: Classifier configuration reloaded successfully", "tags": [ "preserve_original_event" @@ -400,9 +301,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571013483Z" - }, "message": "2017:5:14-22:34:50 oreseosq1859.api.lan reverseproxy: [mmodic] [essequam:low] [pid 6691:ficiade] [client uiinea] [uianonn] virus daemon connection problem found in request https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure, referer: https://example.com/adeser/mSe.gif?aute=rchite#rcit", "tags": [ "preserve_original_event" @@ -412,9 +310,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571014826Z" - }, "message": "2017:5:29-05:37:24 confd-sync[6908]: id=smoditem severity=very-high sys=tev sub=oNemoeni name=luptatem", "tags": [ "preserve_original_event" 
@@ -424,9 +319,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571016122Z" - }, "message": "2017:6:12-12:39:58 autodit272.www.localhost reverseproxy: [oriss] [imadmin:very-high] [pid 1121:urve] ModSecurity: sBonoru compiled version=\"everi\"; loaded version=\"squ\"", "tags": [ "preserve_original_event" @@ -436,9 +328,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571017376Z" - }, "message": "2017:6:26-19:42:33 rporis6787.www5.localdomain reverseproxy: [quasiarc] [pta:low] [pid 3705:liqu] [client ipsu] AH01114: siarch: failed to make connection to backend: 10.148.21.7", "tags": [ "preserve_original_event" @@ -448,9 +337,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571018607Z" - }, "message": "2017:7:11-02:45:07 reprehe5661.www.lan reverseproxy: rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"olor\"] [maturity \"corpo\"] [accuracy \"commod\"] iumd [hostname \"ntore4333.api.invalid\"] [uri \"sitv\"] [unique_id \"equam\"]", "tags": [ "preserve_original_event" @@ -460,9 +346,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571019823Z" - }, "message": "2017:7:25-09:47:41 exim[2384]: aeca-ugitse-ameiu utei:caecat:lumquid oluptat sequatD163.internal.example [10.151.206.38]:5794 lits", "tags": [ "preserve_original_event" @@ -472,9 +355,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571021111Z" - }, "message": "2017:8:8-16:50:15 elillu5777.www5.lan pluto: \"elaudant\"[olup] 10.230.4.70 #ncu: starting keying attempt quaturve of an unlimited number", "tags": [ "preserve_original_event" @@ -484,9 +364,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571022334Z" - }, "message": "2017:8:22-23:52:50 ecatcup3022.mail.invalid xl2tpd: Inherited by nproide", "tags": [ "preserve_original_event" 
@@ -496,9 +373,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571023608Z" - }, "message": "2017:9:6-06:55:24 qui7797.www.host ipsec_starter: Starting strongSwan umet IPsec [starter]...", "tags": [ "preserve_original_event" @@ -508,9 +382,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571024842Z" - }, "message": "2017:9:20-13:57:58 nofdeFin2037.mail.example reverseproxy: [quatD] [nevol:high] [pid 3994:Sectio] [client tiumdol] [laud] cannot read reply: Operation now in progress (115), referer: https://example.org/tquov/natu.jpg?uianonnu=por#nve", "tags": [ "preserve_original_event" @@ -520,9 +391,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571026060Z" - }, "message": "2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running", "tags": [ "preserve_original_event" @@ -532,9 +400,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571027282Z" - }, "message": "2017:10:19-04:03:07 eFinib2403.api.example reverseproxy: [utaliq] [sun:high] [pid 4074:uredol] [client quatD] [enimad] ecatcu while reading reply from cssd, referer: https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", "tags": [ "preserve_original_event" @@ -544,9 +409,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571028500Z" - }, "message": "2017:11:2-11:05:41 confd[4939]: id=acons severity=high sys=adipisc sub=omnisist name=orroqui client=sci facility=psamvolu user=itsedqui srcip=10.244.96.61 version=1.2707 storage=onevol object=ese class=reprehen type=Exce attributes=toccacount=tinvolu node=ecatc account=iumt", "tags": [ "preserve_original_event" @@ -556,9 +418,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571029717Z" - }, "message": "2017:11:16-18:08:15 named[1900]: reloading eddoei iono", "tags": [ "preserve_original_event" 
@@ -568,9 +427,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571031068Z" - }, "message": "2017:12:1-01:10:49 obeatae2042.www.domain reverseproxy: [dquian] [isaute:low] [pid 1853:utfugit] (70007)The ula specified has expired: [client quaUteni] AH01110: error reading response", "tags": [ "preserve_original_event" @@ -580,9 +436,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571032318Z" - }, "message": "2017:12:15-08:13:24 aerat1267.www5.example pop3proxy: Master started", "tags": [ "preserve_original_event" @@ -592,9 +445,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571033555Z" - }, "message": "2017:12:29-15:15:58 writt2238.internal.localdomain reverseproxy: [uaer] [aed:low] [pid 478:ain] [client scingeli] [uatDuis] mod_avscan_check_file_single_part() called with parameter filename=imip", "tags": [ "preserve_original_event" @@ -604,9 +454,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571034882Z" - }, "message": "2018:1:12-22:18:32 siutaliq4937.api.lan reverseproxy: [siutaliq] [urvel:very-high] [pid 7721:ntium] [imadmi] Hostname in dquiac request (liquide) does not match the server name (uatD)", "tags": [ "preserve_original_event" @@ -616,9 +463,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571036083Z" - }, "message": "2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco", "tags": [ "preserve_original_event" 
@@ -628,9 +472,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571037681Z" - }, "message": "2018:2:10-12:23:41 astarosg_TVM[1090]: id=udex severity=low sys=iam sub=animi name=UDP flood detectedaction=allow method=nsectetu client=spici facility=untutl user=hen srcip=10.214.167.164 dstip=10.76.98.53 version=1.3726 storage=uovolup ad_domain=expl object=animi class=mdoloree type=mullamco attributes=tnulcount=ons node=radip account=amremapstatuscode=dolorsit cached=atisund profile=isnostru filteraction=quepo size=5693 request=nisi url=https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi referer=https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi error=nculp authtime=quamnihi dnstime=nimadmi cattime=mquiado avscantime=agn fullreqtime=dip device=urmag auth=nim ua=laboreet exceptions=tutlabo group=incid category=der categoryname=totamrem content-type=eaqu reputation=itani application=mni app-id=runtmol reason=uaer filename=nor file=saut extension=olest time=volu function=block line=osam message=ncid fwrule=loremagn seq=uisau initf=lo1255 outitf=eth965 dstmac=01:00:5e:2f:c3:3e srcmac=01:00:5e:65:2d:fe proto=ictasun length=iumto tos=ciun prec=;prehe ttl=essec srcport=4562 dstport=2390 tcpflags=uaera info=nsequa prec=yCicero caller=orporis engine=oluptate localip=tesseq host=tenbyCi4371.www5.localdomain extra=spernatu server=10.98.126.206 cookie=tion set-cookie=tNeque", "tags": [ "preserve_original_event" 
@@ -640,9 +481,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571038964Z" - }, "message": "2018:2:24-19:26:15 ulogd[6722]: id=persp severity=medium sys=orev sub=lapa name=Packet logged action=allow fwrule=adminim seq=isiutali initf=lo7088 outitf=eth6357 dstmac=01:00:5e:9a:fe:91 srcmac=01:00:5e:78:1a:5a srcip=10.203.157.250 dstip=10.32.236.117 proto=turm length=quamei tos=nvento prec=nama ttl=ema srcport=6585 dstport=5550 tcpflags=xeacomm info=oriosa code=erspici type=oreeu", "tags": [ "preserve_original_event" @@ -652,9 +490,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571040184Z" - }, "message": "2018:3:11-02:28:49 ectob5542.www5.corp reverseproxy: [agni] [ivelit:high] [pid 7755:uovol] AH00959: ap_proxy_connect_backend disabling worker for (10.231.77.26) for volups", "tags": [ "preserve_original_event" 
@@ -664,9 +499,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571041553Z" - }, "message": "2018:3:25-09:31:24 iusmo901.www.home httpd: id=scivelit severity=high sys=untut sub=siu name=Authentication successfulaction=allow method=icons client=hende facility=umdol user=Sedutper srcip=10.2.24.156 dstip=10.113.78.101 version=1.2707 storage=amqua ad_domain=nsequatu object=aboNemoe class=mqu type=tse attributes=ntiumdcount=ueip node=amvo account=dolorsistatuscode=acc cached=quinesc profile=ulpaq filteraction=usa size=5474 request=tob url=https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru referer=https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo error=avolup authtime=litse dnstime=archit cattime=nde avscantime=tNequepo fullreqtime=byCicer device=imvenia auth=ipit ua=tdolorem exceptions=nderitin group=mquiado category=ssequa categoryname=nisist content-type=temvele reputation=ofd application=quam app-id=umdol reason=porincid filename=tisetqu file=pici extension=erit time=ehenderi function=block line=fugiatqu message=Duisaute fwrule=uptat seq=hende initf=lo3680 outitf=lo4358 dstmac=01:00:5e:0a:8f:6c srcmac=01:00:5e:34:8c:d2 proto=mnis length=ainci tos=aturve prec=;tiumdol ttl=mporain srcport=6938 dstport=6939 tcpflags=dut info=aecons prec=tionemu caller=edictasu engine=quipexea localip=orsit host=tenima5715.api.example extra=snisiut server=10.92.93.236 cookie=amr set-cookie=mfug port=7174 query=exerc uid=ntoccae", "tags": [ "preserve_original_event" 
@@ -676,9 +508,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571042868Z" - }, "message": "2018:4:8-16:33:58 astarosg_TVM[6463]: id=user severity=low sys=sequamn sub=adeseru name=File extension warned and proceededaction=accept method=mquisn client=ulamcol facility=nulamcol user=atatno srcip=10.180.169.49 dstip=10.206.69.71 version=1.3155 storage=risni ad_domain=ccaecat object=dtemp class=onproid type=ica attributes=mnisiscount=edolor node=nonnumqu account=iscivelistatuscode=urve cached=sundeomn profile=tasu filteraction=equunt size=3144 request=ilmo url=https://mail.example.net/isqua/deF.html?iameaq=orainci#adm referer=https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria error=tessec authtime=cupida dnstime=ciade cattime=busBonor avscantime=enima fullreqtime=emseq device=osamni auth=umetMa ua=equatDui exceptions=its group=setquas category=nti categoryname=osamnis content-type=atisetqu reputation=ciduntut application=atisu app-id=edutpe reason=architec filename=incul file=tevelit extension=emse time=eipsaqua function=cancel line=suntincu message=lore fwrule=equatu seq=enbyCi initf=enp0s566 outitf=lo2179 dstmac=01:00:5e:2c:9d:65 srcmac=01:00:5e:1a:03:f5 proto=orema length=iusmo tos=uunturm prec=;mSect ttl=avolupta srcport=3308 dstport=1402 tcpflags=dolo info=tsed prec=corpori caller=cillumd engine=umdol localip=turmagn host=mni4032.lan extra=amrem server=10.202.65.2 cookie=queporr set-cookie=oide", "tags": [ "preserve_original_event" @@ -688,9 +517,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571044095Z" - }, "message": "2018:4:22-23:36:32 iscing6960.api.invalid reverseproxy: [emipsu] [incidu:very-high] [pid 5350:itation] SSL Library Error: error:itasper:failure", "tags": [ "preserve_original_event" 
@@ -700,9 +526,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571045328Z" - }, "message": "2018:5:7-06:39:06 httpd[793]: [ruredo:success] [pid nculpaq:mides] [client iconseq] ModSecurity: Warning. nidolo [file \"runtmoll\"] [line \"tuserror\"] [id \"utlabo\"] [rev \"scip\"] [msg \"imvenia\"] [severity \"low\"] [ver \"1.6420\"] [maturity \"nisi\"] [accuracy \"seq\"] [tag \"ors\"] [hostname \"olupta3647.host\"] [uri \"uaUteni\"] [unique_id \"gitsedqu\"]amqu", "tags": [ "preserve_original_event" @@ -712,9 +535,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571046650Z" - }, "message": "2018:5:21-13:41:41 named[6633]: FORMERR resolving 'iavolu7814.www5.localhost': 10.194.12.83#elit", "tags": [ "preserve_original_event" 
@@ -724,9 +544,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571047832Z" - }, "message": "2018:6:4-20:44:15 astarosg_TVM[5792]: id=elitess severity=low sys=amqua sub=mavenia name=checking if admin is enabledaction=cancel method=doc client=teurs facility=eturadi user=eturadip srcip=10.33.138.154 dstip=10.254.28.41 version=1.4256 storage=volupta ad_domain=dolor object=dolorsit class=tfugits type=lor attributes=oremcount=utper node=ueips account=umqustatuscode=ntexpli cached=siuta profile=porincid filteraction=itame size=1026 request=fugiat url=https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf referer=https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol error=emul authtime=ariatu dnstime=luptate cattime=umdolore avscantime=iutaliq fullreqtime=oriosamn device=oluptate auth=tcu ua=mmodo exceptions=rauto group=lup category=orem categoryname=tutl content-type=iusmo reputation=uiavolu application=eri app-id=pis reason=riosam filename=isa file=nonnum extension=Nemoenim time=itati function=cancel line=nes message=atvolupt fwrule=umwritt seq=uae initf=enp0s3792 outitf=lo2114 dstmac=01:00:5e:24:b8:9f srcmac=01:00:5e:a1:a3:9f proto=bil length=itten tos=icer prec=;dolo ttl=siutaliq srcport=1455 dstport=6937 tcpflags=pexeaco info=ercitati prec=dexea caller=tasnul engine=onu localip=orisnisi host=obea2960.mail.corp extra=dolor server=10.45.12.53 cookie=etdo set-cookie=edictas", "tags": [ "preserve_original_event" @@ -736,9 +553,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571049060Z" - }, "message": "2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274", "tags": [ "preserve_original_event" 
@@ -748,9 +562,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571050316Z" - }, "message": "2018:7:3-10:49:23 olli5982.www.test reverseproxy: [asp] [uatDui:medium] [pid 212:unde] [client raut] [suscip] virus daemon error found in request ectetu, referer: https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", "tags": [ "preserve_original_event" @@ -760,9 +571,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571053005Z" - }, "message": "2018:7:17-17:51:58 nsecte3644.internal.test reverseproxy: [tutla] [isund:high] [pid 3136:uidex] [client uptate] Invalid signature, cookie: JSESSIONID", "tags": [ "preserve_original_event" @@ -772,9 +580,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571054246Z" - }, "message": "2018:8:1-00:54:32 confd[4157]: id=onseq severity=very-high sys=siutaliq sub=aliqu name=serro client=ctet facility=umiurere user=antium srcip=10.32.85.21 version=1.7852 storage=eaco object=onp class=ectetur type=ione attributes=utlaborecount=nci node=acommodi account=etconsec", "tags": [ "preserve_original_event" @@ -784,9 +589,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571055513Z" - }, "message": "2018:8:15-07:57:06 econseq7119.www.home sshd: error: Could not get shadow information for NOUSER", "tags": [ "preserve_original_event" @@ -796,9 +598,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571056742Z" - }, "message": "2018:8:29-14:59:40 ant2543.www5.lan reverseproxy: [uaturve] [lapa:high] [pid 3669:idu] [client sed] [utem] cannot read reply: Operation now in progress (115), referer: https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", "tags": [ "preserve_original_event" 
@@ -808,9 +607,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571057980Z" - }, "message": "2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx", "tags": [ "preserve_original_event" @@ -820,9 +616,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571059234Z" - }, "message": "2018:9:27-05:04:49 httpd[6562]: id=iurere severity=medium sys=erc sub=atu name=http accessaction=accept method=odte client=uis facility=sedquia user=reetd srcip=10.210.175.52 dstip=10.87.14.186 version=1.7641 storage=tasu ad_domain=mquae object=CSedu class=atae type=aeconseq attributes=boNemocount=duntutla node=mqu account=inimastatuscode=emipsum cached=venia profile=Loremi filteraction=uisnostr size=849 request=vol url=https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq referer=https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid error=mipsa authtime=teturad dnstime=nimide cattime=spernat avscantime=nevolu fullreqtime=itectobe device=rroq auth=itessequ ua=uunt exceptions=pic group=unt category=emUt categoryname=eiru content-type=sauteir reputation=pic application=caecatc app-id=iarc reason=emquia filename=duntutl file=idi extension=reetdo time=pidatatn function=cancel line=ncul message=mcorpor fwrule=ofd seq=lapariat initf=eth65 outitf=lo3615 dstmac=01:00:5e:b3:e3:90 srcmac=01:00:5e:0e:b3:8e proto=consequ length=min tos=riame prec=;gnaal ttl=nti srcport=1125 dstport=605 tcpflags=utlab info=colabo prec=ditem caller=did engine=BCS localip=idex host=nisiuta4810.api.test extra=apa server=10.85.200.58 cookie=esse set-cookie=idexeac port=2294 query=iatquovo uid=rExce", "tags": [ "preserve_original_event" 
@@ -832,9 +625,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571060463Z" - }, "message": "2018:10:11-12:07:23 itametc1599.api.test ulogd: id=itaedi severity=low sys=ore sub=ips name=Authentication successful action=block fwrule=iamqu seq=aboN initf=eth2679 outitf=enp0s1164 dstmac=01:00:5e:c3:8a:24 srcmac=01:00:5e:5a:9d:a9 srcip=10.133.45.45 dstip=10.115.166.48 proto=utaliq length=icer tos=essequ prec=oeiu ttl=nsequa srcport=4180 dstport=4884 tcpflags=squa info=etM code=eve type=iru", "tags": [ "preserve_original_event" @@ -844,9 +634,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571061685Z" - }, "message": "2018:10:25-19:09:57 tiumt5462.mail.localhost sshd: Invalid user admin from runt", "tags": [ "preserve_original_event" @@ -856,9 +643,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571062910Z" - }, "message": "2018:11:9-02:12:32 vol1450.internal.host sshd: Server listening on 10.71.184.162 port 3506.", "tags": [ "preserve_original_event" @@ -868,9 +652,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571064152Z" - }, "message": "2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "tags": [ "preserve_original_event" @@ -880,9 +661,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571065382Z" - }, "message": "2018:12:7-16:17:40 rporissu573.api.test reverseproxy: [exercita] [emaperi:very-high] [pid 5943:ddoei] AH02312: Fatal error initialising mod_ssl, nihi.", "tags": [ "preserve_original_event" @@ -892,9 +670,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571066792Z" - }, "message": "2018:12:21-23:20:14 nostru774.corp URID: T=tatnonp ------ 1 - [exit] allow: natuserr", "tags": [ "preserve_original_event" 
@@ -904,9 +679,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571068045Z" - }, "message": "2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "tags": [ "preserve_original_event" @@ -916,9 +688,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571069234Z" - }, "message": "2019:1:19-13:25:23 httpd[5037]: [iadese:unknown] [pid isundeo:emq] [client rehender] ModSecurity: Warning. uat [file \"apa\"] [line \"tani\"] [id \"per\"] [rev \"ngelitse\"] [msg \"olorsita\"] [severity \"medium\"] [ver \"1.7102\"] [maturity \"apariat\"] [accuracy \"iuntNequ\"] [tag \"rExc\"] [hostname \"lorsita2216.www5.example\"] [uri \"turvelil\"] [unique_id \"velitsed\"]rau", "tags": [ "preserve_original_event" @@ -928,9 +697,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571070448Z" - }, "message": "2019:2:2-20:27:57 sum2208.host reverseproxy: [eir] [nia:medium] [pid 4346:mco] [client ritinvol] [quioffi] mod_avscan_check_file_single_part() called with parameter filename=quamquae", "tags": [ "preserve_original_event" @@ -940,9 +706,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571071879Z" - }, "message": "2019:2:17-03:30:32 ore6843.local reverseproxy: [usmodite] [aveniam:medium] [pid 5126:xplicab] [client taev] No signature found, cookie: dictasu", "tags": [ "preserve_original_event" @@ -952,9 +715,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571073173Z" - }, "message": "2019:3:3-10:33:06 Sedu1610.mail.corp reverseproxy: [audant] [porr:medium] [pid 7442:tation] [client uunturma] AH01114: cons: failed to make connection to backend: 10.177.35.133", "tags": [ "preserve_original_event" 
@@ -964,9 +724,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571074390Z" - }, "message": "2019:3:17-17:35:40 corpo6737.example reverseproxy: [officiad] [aliquide:very-high] [pid 6600:errorsi] [client raincidu] [orincidi] cannot connect: failure (111)", "tags": [ "preserve_original_event" @@ -976,9 +733,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571075620Z" - }, "message": "2019:4:1-00:38:14 pop3proxy[6854]: Master started", "tags": [ "preserve_original_event" @@ -988,9 +742,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571076845Z" - }, "message": "2019:4:15-07:40:49 eratvol314.www.home pop3proxy: Master started", "tags": [ "preserve_original_event" @@ -1000,9 +751,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571078071Z" - }, "message": "2019:4:29-14:43:23 utemvele1838.mail.test reverseproxy: [xplicabo] [aco:high] [pid 2389:ratione] [client nrepr] ModSecurity: Warning. uipex [file \"alorumw\"] [line \"nibus\"] [id \"eiusmo\"] [msg \"rci\"] [hostname \"seosquir715.local\"] [uri \"ercitati\"] [unique_id \"uiration\"]", "tags": [ "preserve_original_event" @@ -1012,9 +760,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571079509Z" - }, "message": "2019:5:13-21:45:57 ulapari2656.local reverseproxy: [itessec] [non:very-high] [pid 2237:licaboN] [client nvol] [moenimip] cannot connect: failure (111)", "tags": [ "preserve_original_event" @@ -1024,9 +769,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571081102Z" - }, "message": "2019:5:28-04:48:31 reverseproxy[4278]: [ritat] [iscinge:very-high] [pid 4264:rroquisq] [client tnonpro] [nimv] erunt while reading reply from cssd, referer: https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", "tags": [ "preserve_original_event" 
@@ -1036,9 +778,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571082321Z" - }, "message": "2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul", "tags": [ "preserve_original_event" @@ -1048,9 +787,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571083518Z" - }, "message": "2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 \"econse\" #otamr", "tags": [ "preserve_original_event" @@ -1060,9 +796,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571084709Z" - }, "message": "2019:7:10-01:56:14 stla2856.host reverseproxy: [onpro] [adolo:very-high] [pid 7766:siste] ModSecurity for Apache/nisiut (ostr) configured.", "tags": [ "preserve_original_event" @@ -1072,9 +805,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571085920Z" - }, "message": "2019:7:24-08:58:48 peri6748.www5.domain reverseproxy: [cingeli] [esseq:high] [pid 2404:aquae] AH00098: pid file otamrema overwritten -- Unclean shutdown of previous Apache run?", "tags": [ "preserve_original_event" @@ -1084,9 +814,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571087216Z" - }, "message": "2019:8:7-16:01:23 tnon5442.internal.test reverseproxy: [ive] [tquido:very-high] [pid 6108:taliquip] AH00295: caught accept, ectetu", "tags": [ "preserve_original_event" @@ -1096,9 +823,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571088516Z" - }, "message": "2019:8:21-23:03:57 ariatu2606.www.host reverseproxy: [quamestq] [umquid:very-high] [pid 7690:rem] [client its] [inv] not all the file sent to the client: rin, referer: https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", "tags": [ "preserve_original_event" 
@@ -1108,9 +832,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571089753Z" - }, "message": "2019:9:5-06:06:31 imv1805.api.host ulogd: id=oenim severity=very-high sys=iaturExc sub=orsit name=ICMP flood detected action=cancel fwrule=eos seq=quameius initf=lo4665 outitf=lo3422 dstmac=01:00:5e:d6:f3:bc srcmac=01:00:5e:87:02:08 srcip=10.96.243.231 dstip=10.248.62.55 proto=ugiat length=quiin tos=apar prec=eleumiur ttl=chite srcport=5632 dstport=4206 tcpflags=tevelit info=etc code=lorem type=temvele", "tags": [ "preserve_original_event" @@ -1120,9 +841,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571090975Z" - }, "message": "2019:9:19-13:09:05 rita600.www5.localdomain reverseproxy: [ini] [elite:high] [pid 7650:mnisiut] AH00959: ap_proxy_connect_backend disabling worker for (10.132.101.158) for cipitlabs", "tags": [ "preserve_original_event" @@ -1132,9 +850,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571092209Z" - }, "message": "2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq", "tags": [ "preserve_original_event" @@ -1144,9 +859,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571093406Z" - }, "message": "2019:10:18-03:14:14 admini1122.www.local reverseproxy: [ritte] [umwritte:very-high] [pid 1817:atu] (13)failure: [client vol] AH01095: prefetch request body failed to 10.96.193.132:5342 (orumwr) from bori ()", "tags": [ "preserve_original_event" @@ -1156,9 +868,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571095026Z" - }, "message": "2019:11:1-10:16:48 confd[2475]: id=utaliqu severity=low sys=xplicabo sub=quamni name=dol client=sisten facility=remeumf user=acommod srcip=10.96.200.83 version=1.7416 storage=sper object=asia class=roident type=olorem attributes=teursintcount=evelites node=nostr account=lapariat", "tags": [ "preserve_original_event" 
@@ -1168,9 +877,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571096344Z" - }, "message": "2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud", "tags": [ "preserve_original_event" @@ -1180,9 +886,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571097573Z" - }, "message": "2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico", "tags": [ "preserve_original_event" @@ -1192,9 +895,6 @@ "ecs": { "version": "8.0.0" }, - "event": { - "ingested": "2022-01-25T18:09:17.571098784Z" - }, "message": "2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER", "tags": [ "preserve_original_event" diff --git a/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml index 283016c3840..a63315d74eb 100644 --- a/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sophos/data_stream/utm/elasticsearch/ingest_pipeline/default.yml @@ -3,9 +3,6 @@ description: Pipeline for Astaro Security Gateway processors: # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - set: field: ecs.version value: '8.0.0' diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-config.yml b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-common-config.yml similarity index 81% rename from packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-config.yml rename to packages/sophos/data_stream/xg/_dev/test/pipeline/test-common-config.yml index 0556659ac27..090511e4081 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-config.yml +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-common-config.yml 
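Review bot: The `# ECS event.ingested` comment that follows `processors:` now sits directly above the `set` for `ecs.version`, so once the `event.ingested` processor is removed it labels the wrong processor; change it to `# ECS version` or drop it together with the removed `set`. Dropping the `set` itself is consistent with the test-config and expected-output hunks that stop asserting `event.ingested`, presumably because the field is now populated downstream of this pipeline; that assumption is worth stating in a one-line comment where the processor used to be. The `processors` list continues outside the hunk.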
@@ -1,5 +1,3 @@ -dynamic_fields: - event.ingested: ".*" fields: tags: - preserve_original_event diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log index 0aa7ac01d7e..a4c717ab9ad 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log 
@@ -9,8 +9,8 @@ <30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" <30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0 <30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. 
com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 -<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" 
virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36" status_code=403 <30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" <30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" 
log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" <30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" 
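Review bot: Both `+` lines now carry `user_agent="... Chrome/889.160.20.156 Safari/537.36"` where the removed lines had `Chrome/81.0.4044.138`; that token was a browser build number rather than an address, so this looks like an IP-sanitising rewrite that over-matched the dotted quad inside the UA string. The result is not a version any user-agent parser will recognise, which would surface as a wrong or missing `user_agent.version` for these two events in the expected output. Restoring `Chrome/81.0.4044.138` on both lines keeps the samples realistic; the real address fields on these lines (`src_ip`, `dst_ip`) were left untouched and need no change.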
@@ -87,5 +87,5 @@ <30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 <30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2 <30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3 -<01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.128.3.4 src_country_code=ESP 
dst_ip=175.16.199.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=89.160.20.156 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <01>device="SFW" date=2020-06-05 time=03:45:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name="" user_gp="" iap=13 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 
application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="2674291981" vconnid="" hb_health="No Heartbeat"message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1 diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json index e03c8cdf06d..8bf3c14116f 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json @@ -4,7 +4,11 @@ "@timestamp": "2020-05-18T14:38:48.000Z", "client": { "bytes": 0, - "port": 0 + "domain": "elasticuser.com", + "port": 0, + "user": { + "email": "firewall@firewallgate.com" + } }, "destination": { "bytes": 0, 
@@ -22,7 +26,6 @@ "network" ], "code": "041101618035", - "ingested": "2022-01-25T18:09:20.135227957Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", @@ -54,7 +57,10 @@ }, "server": { "bytes": 0, - "port": 0 + "port": 0, + "user": { + "email": "Sysadmin@elasticuser.com" + } }, "sophos": { "xg": { @@ -91,8 +97,24 @@ "@timestamp": "2020-05-18T14:38:49.000Z", "client": { "bytes": 0, + "domain": "constant-big.email", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 52742 + "port": 52742, + "user": { + "email": "telekommunikation@constant-big.email" + } }, "destination": { "bytes": 0, 
@@ -123,7 +145,6 @@ "network" ], "code": "041105613003", - "ingested": "2022-01-25T18:09:20.135231432Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\u003cMzQ4NzU1ODA4Mw==.70c409993fe53cb7c5e32c9974adf8ff@constant-big\" mailsize=13371 spamaction=\"Accept\" reason=\"Mail is Clean.\" src_domainname=\"constant-big.email\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=52742 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", @@ -155,8 +176,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "info@pelasticuser.com" + } }, "sophos": { "xg": { @@ -208,8 +244,24 @@ "@timestamp": "2020-05-18T14:38:50.000Z", "client": { "bytes": 0, + "domain": "17buddies.net", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 51789 + "port": 51789, + "user": { + "email": "ripxfc@17buddies.net" + } }, "destination": { "bytes": 0, 
@@ -241,7 +293,6 @@ "network" ], "code": "041107413001", - "ingested": "2022-01-25T18:09:20.135232820Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:50 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041107413001 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"Spam\" from_email_address=\"ripxfc@17buddies.net\" to_email_address=\"hein.mueck@elasticuser.de\" email_subject=\"nimm dringend Geld\" mailid=\"\u003coE6Bl1v.H9RXAIt.N5WB1my7xW.JavaMail.app@9in8-vovZnu.prod.17bud\" mailsize=2025 spamaction=\"Reject\" reason=\"Mail detected as SPAM.\" src_domainname=\"17buddies.net\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=BRA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=51789 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "outcome": "success", @@ -274,8 +325,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "hein.mueck@elasticuser.de" + } }, "sophos": { "xg": { @@ -327,8 +393,24 @@ "@timestamp": "2020-05-18T14:38:51.000Z", "client": { "bytes": 0, + "domain": "ELTOBGI.COM", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 55002 + "port": 55002, + "user": { + "email": "SHERIF.TOBGI@ELTOBGI.COM" + } }, "destination": { "bytes": 0, 
@@ -360,7 +442,6 @@ "network" ], "code": "045908413004", - "ingested": "2022-01-25T18:09:20.135234008Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"\u003c20200518070235.C1623996C64F9957@ELTOBGI.COM\u003e\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=GBR dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", "outcome": "success", @@ -393,8 +474,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "info@elasticuser.com" + } }, "sophos": { "xg": { @@ -446,8 +542,12 @@ "@timestamp": "2017-01-31T18:34:41.000Z", "client": { "bytes": 0, + "domain": " iview.com", "ip": "10.198.47.71", - "port": 22420 + "port": 22420, + "user": { + "email": "gaurav1@iview.com" + } }, "destination": { "bytes": 0, 
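Review bot: The new `"domain": " iview.com"` under `client` in this hunk, and `"email": " gaurav2@iview.com"` under `server.user` in the following hunk (`@@ -501,7 +600,10 @@`), carry a leading space copied verbatim from `src_domainname=" iview.com"` and `to_email_address=" gaurav2@iview.com"` in the event's original text. Pinning these in the expected output freezes the untrimmed copy as correct behaviour; trimming the source fields before they are copied into `client.domain` and `server.user.email` (the pipeline doing the copy is not in this chunk) would yield `"iview.com"` and `"gaurav2@iview.com"`, and the fixture should then be updated to match. Untrimmed values also defeat exact-match filtering on `client.domain` in dashboards and detection rules.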
@@ -467,7 +567,6 @@ "network" ], "code": "041113413005", - "ingested": "2022-01-25T18:09:20.135235177Z", "kind": "alert", "original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "outcome": "success", @@ -501,7 +600,10 @@ "server": { "bytes": 0, "ip": "10.198.233.61", - "port": 25 + "port": 25, + "user": { + "email": " gaurav2@iview.com" + } }, "sophos": { "xg": { @@ -541,8 +643,12 @@ "@timestamp": "2018-06-06T11:10:11.000Z", "client": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", - "port": 58043 + "port": 58043, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, 
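Review bot: The expected output preserves leading whitespace from the raw log — `"email": " gaurav2@iview.com"` comes straight from `to_email_address=" gaurav2@iview.com"` in `event.original`, and the preceding hunk stores `"domain": " iview.com"` from `src_domainname=" iview.com"`. Untrimmed keyword values break exact-match queries and aggregations, since ` gaurav2@iview.com` and `gaurav2@iview.com` become distinct terms. A `trim` processor on the source fields before they are copied into `client.domain`, `client.user.email` and `server.user.email` would fix this; internal spaces such as `pankhil1@Postman. local` in later events are corruption in the sample data that trimming cannot repair and probably deserve a comment in the sample log. The pipeline itself is outside this diff, so I cannot tell which processor does the copy.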
@@ -562,7 +668,6 @@ "network" ], "code": "041114413006", - "ingested": "2022-01-25T18:09:20.135236287Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "outcome": "success", @@ -596,7 +701,10 @@ "server": { "bytes": 0, "ip": "10.198.234.240", - "port": 25 + "port": 25, + "user": { + "email": "pankhil1@Postman.local" + } }, "sophos": { "xg": { @@ -636,8 +744,12 @@ "@timestamp": "2018-06-06T12:50:07.000Z", "client": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", - "port": 60134 + "port": 60134, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, 
@@ -657,7 +769,6 @@ "network" ], "code": "041121613009", - "ingested": "2022-01-25T18:09:20.135237408Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", "outcome": "success", @@ -691,7 +802,10 @@ "server": { "bytes": 0, "ip": "10.198.17.121", - "port": 25 + "port": 25, + "user": { + "email": "pankhil1@Postman. local" + } }, "sophos": { "xg": { @@ -731,8 +845,12 @@ "@timestamp": "2018-06-06T12:51:34.000Z", "client": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", - "port": 60298 + "port": 60298, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, 
@@ -751,7 +869,6 @@ "network" ], "code": "041122613010", - "ingested": "2022-01-25T18:09:20.135238559Z", "kind": "event", "original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", @@ -784,7 +901,10 @@ "server": { "bytes": 0, "ip": "10.198.16.204", - "port": 25 + "port": 25, + "user": { + "email": "pankhil1@Postman.local" + } }, "sophos": { "xg": { @@ -842,7 +962,6 @@ "network" ], "code": "041123413012", - "ingested": "2022-01-25T18:09:20.135239698Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", 
@@ -910,8 +1029,12 @@ "@timestamp": "2018-06-06T12:56:53.000Z", "client": { "bytes": 0, + "domain": "postman.local", "ip": "10.198.16.121", - "port": 60608 + "port": 60608, + "user": { + "email": "pankhil1@postman.local" + } }, "destination": { "bytes": 0, @@ -931,7 +1054,6 @@ "network" ], "code": "041102413014", - "ingested": "2022-01-25T18:09:20.135240905Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", "outcome": "success", @@ -965,7 +1087,10 @@ "server": { "bytes": 0, "ip": "10.198.17.121", - "port": 25 + "port": 25, + "user": { + "email": "pankhil@postman. local" + } }, "sophos": { "xg": { @@ -1004,8 +1129,12 @@ "@timestamp": "2017-01-31T18:31:11.000Z", "client": { "bytes": 0, + "domain": " iview.com", "ip": "10.198.47.71", - "port": 22333 + "port": 22333, + "user": { + "email": "gaurav1@iview.com" + } }, "destination": { "bytes": 0, 
@@ -1025,7 +1154,6 @@ "network" ], "code": "041207414001", - "ingested": "2022-01-25T18:09:20.135241998Z", "kind": "alert", "original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", @@ -1059,7 +1187,10 @@ "server": { "bytes": 0, "ip": "10.198.233.61", - "port": 110 + "port": 110, + "user": { + "email": "gaurav2@iview. com" + } }, "sophos": { "xg": { @@ -1100,6 +1231,18 @@ "@timestamp": "2020-05-18T14:38:33.000Z", "client": { "bytes": 550, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 57695 }, 
@@ -1130,9 +1273,8 @@ "network" ], "code": "030906208001", - "ingested": "2022-01-25T18:09:20.135243272Z", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36\" status_code=403", "outcome": "success", "severity": 2, "type": [ @@ -1174,6 +1316,18 @@ }, "server": { "bytes": 1616, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, 
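Review bot: `event.original` in this hunk (and `user_agent.original` in the following one) changes `Chrome/81.0.4044.138` to `Chrome/889.160.20.156`, which means the sample log line itself was edited rather than only the parsed output. That looks like a dotted-quad IP-anonymisation substitution that also matched the Chrome version; `889.160.20.156` is neither a plausible browser version nor a valid IPv4 address, so the fixture now pins a bogus user agent that any user-agent parsing downstream would turn into a nonsensical `user_agent.version`. Restoring the original UA string in the `sophos-xg*.log` sample and regenerating this expected file keeps the test data representative; the same substitution shows up in the next two Anti-Virus HTTP events in this file.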
@@ -1217,13 +1371,25 @@ "original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36" } }, { "@timestamp": "2020-05-18T14:38:34.000Z", "client": { "bytes": 541, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 57835 }, 
@@ -1254,9 +1420,8 @@ "network" ], "code": "030906208001", - "ingested": "2022-01-25T18:09:20.135244374Z", "kind": "alert", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36\" status_code=403", "outcome": "success", "severity": 2, "type": [ @@ -1298,6 +1463,18 @@ }, "server": { "bytes": 553, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, 
@@ -1341,15 +1518,30 @@ "original": "http://sophostest.com/eicar/index.html" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/889.160.20.156 Safari/537.36" } }, { "@timestamp": "2020-05-18T14:38:35.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 56336 + "port": 56336, + "user": { + "email": "info@farasamed.com" + } }, "destination": { "bytes": 0, @@ -1381,7 +1573,6 @@ "network" ], "code": "031106210001", - "ingested": "2022-01-25T18:09:20.135245470Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"\u003c20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "outcome": "success", 
@@ -1420,8 +1611,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "info@elastic-user.local" + } }, "sophos": { "xg": { @@ -1473,10 +1679,25 @@ "@timestamp": "2020-05-18T14:38:36.000Z", "client": { "bytes": 0, - "ip": "175.16.199.1", - "port": 54693 - }, - "destination": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 54693, + "user": { + "email": "spedizioni@divella.it" + } + }, + "destination": { "bytes": 0, "geo": { "city_name": "Changchun", @@ -1506,7 +1727,6 @@ "network" ], "code": "031106210001", - "ingested": "2022-01-25T18:09:20.135246645Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"\u003c20200519072944.AFCA295AF2A037A6@divella.it\u003e\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "outcome": "success", 
@@ -1545,8 +1765,23 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", - "port": 25 + "port": 25, + "user": { + "email": "info@elastic-user.local" + } }, "sophos": { "xg": { @@ -1599,7 +1834,10 @@ "client": { "bytes": 0, "ip": "10.198.16.121", - "port": 56653 + "port": 56653, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, @@ -1619,7 +1857,6 @@ "network" ], "code": "036106211001", - "ingested": "2022-01-25T18:09:20.135247790Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", @@ -1660,7 +1897,10 @@ "server": { "bytes": 0, "ip": "10.198.234.240", - "port": 995 + "port": 995, + "user": { + "email": "pankhil@postman.local" + } }, "sophos": { "xg": { @@ -1701,7 +1941,10 @@ "client": { "bytes": 0, "ip": "10.198.16.121", - "port": 56632 + "port": 56632, + "user": { + "email": "pankhil@postman.local" + } }, "destination": { "bytes": 0, 
@@ -1721,7 +1964,6 @@ "network" ], "code": "036206212001", - "ingested": "2022-01-25T18:09:20.135249072Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "outcome": "success", @@ -1762,7 +2004,10 @@ "server": { "bytes": 0, "ip": "10.198.234.240", - "port": 993 + "port": 993, + "user": { + "email": "ganga@postman.local" + } }, "sophos": { "xg": { @@ -1820,7 +2065,6 @@ "network" ], "code": "031006209001", - "ingested": "2022-01-25T18:09:20.135250287Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", "outcome": "success", 
@@ -1915,7 +2159,6 @@ "network" ], "code": "031001609002", - "ingested": "2022-01-25T18:09:20.135251475Z", "kind": "event", "original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", "outcome": "success", @@ -1989,7 +2232,10 @@ "@timestamp": "2017-01-31T18:44:31.000Z", "client": { "ip": "10.198.47.71", - "port": 22623 + "port": 22623, + "user": { + "name": "jsmith" + } }, "destination": { "geo": { @@ -2018,7 +2264,6 @@ ], "code": "086304418010", "id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7", - "ingested": "2022-01-25T18:09:20.135255300Z", "kind": "alert", "original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "outcome": "success", 
@@ -2056,6 +2301,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -2089,6 +2346,18 @@ { "@timestamp": "2020-05-18T14:38:34.000Z", "client": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 57579 }, @@ -2119,7 +2388,6 @@ ], "code": "086504418010", "id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C", - "ingested": "2022-01-25T18:09:20.135256561Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "outcome": "success", @@ -2153,6 +2421,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, 
@@ -2195,6 +2475,18 @@ { "@timestamp": "2020-05-18T14:38:35.000Z", "client": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 57540 }, @@ -2225,7 +2517,6 @@ ], "code": "086504418010", "id": "34AC8531-E7C0-4368-9978-5740952EE9AB", - "ingested": "2022-01-25T18:09:20.135257645Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "outcome": "success", @@ -2259,6 +2550,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, 
@@ -2331,7 +2634,6 @@ ], "code": "086320518009", "id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2", - "ingested": "2022-01-25T18:09:20.135258798Z", "kind": "alert", "original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "outcome": "success", @@ -2366,6 +2668,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 0 }, @@ -2396,10 +2710,18 @@ { "@timestamp": "2017-01-31T14:03:33.000Z", "client": { + "bytes": 0, "ip": "10.198.47.71", - "port": 9444 + "port": 9444, + "user": { + "group": { + "name": "Open Group" + }, + "name": "jsmith" + } }, "destination": { + "bytes": 319007, "geo": { "city_name": "Changchun", "continent_name": "Asia", 
@@ -2424,7 +2746,6 @@ "network" ], "code": "050901616001", - "ingested": "2022-01-25T18:09:20.135260064Z", "kind": "event", "original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", "outcome": "success", @@ -2462,6 +2783,19 @@ ] }, "server": { + "bytes": 319007, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 443 }, @@ -2481,6 +2815,7 @@ } }, "source": { + "bytes": 0, "ip": "10.198.47.71", "port": 9444, "user": { 
@@ -2495,16 +2830,33 @@ ], "url": { "domain": "r8---sn-ci5gup-qxas.googlevideo.com", - "full": "https://r8---sn-ci5gup-qxas.googlevideo.com/" + "full": "https://r8---sn-ci5gup-qxas.googlevideo.com/", + "original": "https://r8---sn-ci5gup-qxas.googlevideo.com/", + "path": "/", + "scheme": "https" } }, { "@timestamp": "2017-02-01T18:20:21.000Z", "client": { + "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 46719 }, "destination": { + "bytes": 0, "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -2530,7 +2882,6 @@ "network" ], "code": "050902616002", - "ingested": "2022-01-25T18:09:20.135261252Z", "kind": "alert", "original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion \u0026 Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", "outcome": "success", @@ -2565,6 +2916,19 @@ ] }, "server": { + "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -2584,6 +2948,7 @@ } }, "source": { + "bytes": 0, "geo": { "city_name": "Changchun", "continent_name": "Asia", 
@@ -2604,16 +2969,33 @@ ], "url": { "domain": "hanuman.com", - "full": "http://hanuman.com/" + "full": "http://hanuman.com/", + "original": "http://hanuman.com/", + "path": "/", + "scheme": "http" } }, { "@timestamp": "2017-02-01T18:13:29.000Z", "client": { + "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 49128 }, "destination": { + "bytes": 0, "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -2639,7 +3021,6 @@ "network" ], "code": "054402617051", - "ingested": "2022-01-25T18:09:20.135262360Z", "kind": "alert", "original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", "outcome": "success", @@ -2674,6 +3055,19 @@ ] }, "server": { + "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 5228 }, @@ -2699,6 +3093,7 @@ } }, "source": { + "bytes": 0, "geo": { "city_name": "Changchun", "continent_name": "Asia", 
@@ -2721,10 +3116,24 @@ { "@timestamp": "2020-05-18T14:38:51.000Z", "client": { + "bytes": 259, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 62851 }, "destination": { + "bytes": 168, "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -2749,7 +3158,6 @@ "network" ], "code": "050901616001", - "ingested": "2022-01-25T18:09:20.135263550Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "outcome": "success", @@ -2788,6 +3196,19 @@ ] }, "server": { + "bytes": 168, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 443 }, 
@@ -2810,6 +3231,7 @@ } }, "source": { + "bytes": 259, "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -2830,16 +3252,33 @@ ], "url": { "domain": "his-eur1-neur1.servicebus.windows.net", - "full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" + "full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket", + "original": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket", + "path": "/$servicebus/websocket", + "scheme": "https" } }, { "@timestamp": "2020-05-18T14:38:52.000Z", "client": { + "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 60471 }, "destination": { + "bytes": 0, "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -2865,7 +3304,6 @@ "network" ], "code": "050902616002", - "ingested": "2022-01-25T18:09:20.135310046Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://175.16.199.1/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=175.16.199.1 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "outcome": "success", 
@@ -2905,6 +3343,19 @@ ] }, "server": { + "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 443 }, @@ -2927,6 +3378,7 @@ } }, "source": { + "bytes": 0, "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -2947,16 +3399,33 @@ ], "url": { "domain": "175.16.199.1", - "full": "https://175.16.199.1/" + "full": "https://175.16.199.1/", + "original": "https://175.16.199.1/", + "path": "/", + "scheme": "https" } }, { "@timestamp": "2020-05-18T14:38:53.000Z", "client": { + "bytes": 980, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 65391 }, "destination": { + "bytes": 295, "geo": { "city_name": "Changchun", "continent_name": "Asia", 
@@ -2981,7 +3450,6 @@ "network" ], "code": "050901616001", - "ingested": "2022-01-25T18:09:20.135312580Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "outcome": "success", @@ -3020,6 +3488,19 @@ ] }, "server": { + "bytes": 295, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -3043,6 +3524,7 @@ } }, "source": { + "bytes": 980, "geo": { "city_name": "Changchun", "continent_name": "Asia", 
@@ -3063,10 +3545,21 @@ ], "url": { "domain": "update.eset.com", - "full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" + "extension": "signed", + "full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed", + "original": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed", + "path": "/eset_upd/ep7/dll/update.ver.signed", + "scheme": "http" }, "user_agent": { - "original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " + "device": { + "name": "Other" + }, + "name": "Other", + "original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; ", + "os": { + "name": "Windows" + } } }, { @@ -3083,7 +3576,6 @@ "network" ], "code": "058420116010", - "ingested": "2022-01-25T18:09:20.135330482Z", "kind": "event", "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", "outcome": "success", 
@@ -3140,10 +3632,18 @@ { "@timestamp": "2016-12-02T18:50:20.000Z", "client": { + "bytes": 0, "ip": "192.168.73.220", - "port": 37832 + "port": 37832, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } }, "destination": { + "bytes": 0, "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -3168,7 +3668,6 @@ "network" ], "code": "050927616005", - "ingested": "2022-01-25T18:09:20.135331895Z", "kind": "event", "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", "outcome": "success", @@ -3206,6 +3705,19 @@ ] }, "server": { + "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -3226,6 +3738,7 @@ } }, "source": { + "bytes": 0, "ip": "192.168.73.220", "port": 37832, "user": { 
@@ -3240,16 +3753,27 @@ ], "url": { "domain": "www.google.com", - "full": "http://www.google.com/" + "full": "http://www.google.com/", + "original": "http://www.google.com/", + "path": "/", + "scheme": "http" } }, { "@timestamp": "2016-12-02T18:50:22.000Z", "client": { + "bytes": 0, "ip": "192.168.73.220", - "port": 46322 + "port": 46322, + "user": { + "group": { + "name": "Clientless Open Group" + }, + "name": "rich" + } }, "destination": { + "bytes": 619, "geo": { "city_name": "Changchun", "continent_name": "Asia", @@ -3274,7 +3798,6 @@ "network" ], "code": "050901616006", - "ingested": "2022-01-25T18:09:20.135333219Z", "kind": "event", "original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", "outcome": "success", @@ -3312,6 +3835,19 @@ ] }, "server": { + "bytes": 619, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "port": 80 }, @@ -3334,6 +3870,7 @@ } }, "source": { + "bytes": 0, "ip": "192.168.73.220", "port": 46322, "user": { 
@@ -3348,13 +3885,35 @@ ], "url": { "domain": "www.google.ca", - "full": "http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw" + "full": "http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw", + "original": "http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw", + "path": "/", + "query": "gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw", + "scheme": "http" } }, { "@timestamp": "2020-05-18T14:38:57.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "group": { + "name": "Open Group" + }, + "name": "elastic.user@elastic.test.com" + } }, "ecs": { "version": "8.0.0" @@ -3364,7 +3923,6 @@ "authentication" ], "code": "062910617701", - "ingested": "2022-01-25T18:09:20.135334330Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1\" name=\"elastic.user@elastic.test.com\" src_mac=", "outcome": "success", 
@@ -3443,7 +4001,22 @@ { "@timestamp": "2020-05-18T14:38:58.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "elastic.user@elastic.test.com" + } }, "destination": { "geo": { @@ -3465,7 +4038,6 @@ }, "event": { "code": "062511418055", - "ingested": "2022-01-25T18:09:20.135335499Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=175.16.199.1 localgateway=\"\" localnetwork=\"175.16.199.1/19\" remoteinterfaceip=175.16.199.1 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)\"", "severity": 4 @@ -3496,6 +4068,18 @@ ] }, "server": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "sophos": { 
@@ -3543,7 +4127,6 @@ }, "event": { "code": "062511318057", - "ingested": "2022-01-25T18:09:20.135336907Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", "severity": 3 @@ -3579,15 +4162,30 @@ "status": "Expire" } }, - "tags": [ - "preserve_original_event" - ] - }, - { - "@timestamp": "2020-05-18T14:39:00.000Z", - "client": { - "ip": "175.16.199.1" - }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-05-18T14:39:00.000Z", + "client": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "elastic.user@elastic.test.com" + } + }, "ecs": { "version": "8.0.0" }, @@ -3596,7 +4194,6 @@ "authentication" ], "code": "063210617704", - "ingested": "2022-01-25T18:09:20.135338020Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", "outcome": "success", 
@@ -3679,7 +4276,6 @@ "malware" ], "code": "064011517819", - "ingested": "2022-01-25T18:09:20.135339130Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", "severity": 5, @@ -3730,7 +4326,6 @@ }, "event": { "code": "063411660022", - "ingested": "2022-01-25T18:09:20.135340265Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", "severity": 6 @@ -3774,7 +4369,22 @@ { "@timestamp": "2020-05-18T14:39:03.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "elastic.user@elastic.test.com" + } }, "ecs": { "version": "8.0.0" 
@@ -3784,7 +4394,6 @@ "authentication" ], "code": "063110617710", - "ingested": "2022-01-25T18:09:20.135341408Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", "outcome": "success", @@ -3859,7 +4468,10 @@ { "@timestamp": "2020-05-18T14:39:04.000Z", "client": { - "bytes": 0 + "bytes": 0, + "user": { + "name": "elastic.user@elastic.test.com" + } }, "destination": { "bytes": 0 @@ -3869,7 +4481,6 @@ }, "event": { "code": "062811617824", - "ingested": "2022-01-25T18:09:20.135342555Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", "severity": 6 @@ -3911,8 +4522,7 @@ "priority": "Information", "remote_ip": "10.82.234.12", "starttime": "0", - "status": "Established", - "timestamp": "1589960866" + "status": "Established" } }, "source": { 
@@ -3928,7 +4538,22 @@ { "@timestamp": "2020-05-18T14:39:05.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "hendrikl" + } }, "ecs": { "version": "8.0.0" @@ -3938,7 +4563,6 @@ "authentication" ], "code": "063010517708", - "ingested": "2022-01-25T18:09:20.135343685Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=175.16.199.1 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", "outcome": "failure", @@ -4014,7 +4638,6 @@ }, "event": { "code": "066911518017", - "ingested": "2022-01-25T18:09:20.135344773Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", "severity": 5 
@@ -4058,14 +4681,16 @@ { "@timestamp": "2020-05-18T14:39:07.000Z", "client": { - "ip": "10.83.234.5" + "ip": "10.83.234.5", + "user": { + "name": "admin" + } }, "ecs": { "version": "8.0.0" }, "event": { "code": "062009617502", - "ingested": "2022-01-25T18:09:20.135345885Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:07 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=10.83.234.5 syslog_server_name='Logstash' message=\"SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'\"", "severity": 6 @@ -4120,14 +4745,28 @@ { "@timestamp": "2020-05-18T14:39:08.000Z", "client": { - "ip": "175.16.199.1" + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "name": "root" + } }, "ecs": { "version": "8.0.0" }, "event": { "code": "062109517507", - "ingested": "2022-01-25T18:09:20.135347028Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=175.16.199.1 message=\"User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials\"", "outcome": "failure", 
@@ -4198,7 +4837,6 @@ }, "event": { "code": "063911517818", - "ingested": "2022-01-25T18:09:20.135348182Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", "severity": 5 @@ -4246,7 +4884,6 @@ }, "event": { "code": "063311617923", - "ingested": "2022-01-25T18:09:20.135349285Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", "severity": 6 @@ -4289,7 +4926,13 @@ "@timestamp": "2020-05-18T14:39:20.000Z", "client": { "bytes": 0, - "ip": "10.84.234.38" + "ip": "10.84.234.38", + "user": { + "group": { + "name": "VPN.SSL.Users.elastic" + }, + "name": "elastic.user@elastic.test.com" + } }, "destination": { "bytes": 0 
@@ -4303,7 +4946,6 @@ "authentication" ], "code": "062910617703", - "ingested": "2022-01-25T18:09:20.135352670Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", "outcome": "success", @@ -4352,8 +4994,7 @@ "message_id": "17703", "priority": "Information", "start_time": "1591086575", - "status": "Successful", - "timestamp": "1591086576" + "status": "Successful" } }, "source": { @@ -4388,7 +5029,6 @@ "code": "066811618014", "duration": 164000000000000, "end": "2017-03-18T10:29:21.000Z", - "ingested": "2022-01-25T18:09:20.135353958Z", "kind": "event", "original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", "severity": 6, 
@@ -4452,7 +5092,6 @@ "code": "066811618015", "duration": 0, "end": "2017-03-16T12:53:27.000Z", - "ingested": "2022-01-25T18:09:20.135355121Z", "kind": "event", "original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", "severity": 6, @@ -4516,7 +5155,6 @@ "code": "066811618016", "duration": 0, "end": "2017-03-16T12:46:26.000Z", - "ingested": "2022-01-25T18:09:20.135356337Z", "kind": "event", "original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", "severity": 6, @@ -4572,7 +5210,6 @@ }, "event": { "code": "063711517815", - "ingested": "2022-01-25T18:09:20.135357620Z", "kind": "event", "original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1.customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", "severity": 5 
@@ -4617,9 +5254,22 @@ "@timestamp": "2020-05-18T14:38:37.000Z", "client": { "bytes": 459, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "00:00:00:00:00:00", "nat": { + "ip": "175.16.199.1", "port": 0 }, "packets": 6, @@ -4657,7 +5307,6 @@ "code": "010101600001", "duration": 11000000000, "end": "2020-05-18T14:38:48.000Z", - "ingested": "2022-01-25T18:09:20.135358729Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", 
@@ -4714,6 +5363,18 @@ }, "server": { "bytes": 606, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 @@ -4734,6 +5395,7 @@ "device": "SFW", "device_name": "XG230", "dst_country_code": "SVK", + "dst_zone_type": "WAN", "hb_health": "No Heartbeat", "iap": "0", "ips_policy_id": "0", @@ -4743,6 +5405,7 @@ "message_id": "00001", "priority": "Information", "src_country_code": "R1", + "src_zone_type": "LAN", "status": "Allow" } }, @@ -4777,9 +5440,22 @@ "@timestamp": "2020-05-18T14:38:38.000Z", "client": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "00:00:00:00:00:00", "nat": { + "ip": "175.16.199.1", "port": 0 }, "packets": 0, 
@@ -4817,7 +5493,6 @@ "code": "010101600001", "duration": 0, "end": "2020-05-18T14:38:38.000Z", - "ingested": "2022-01-25T18:09:20.135359849Z", "kind": "event", "original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", @@ -4874,6 +5549,18 @@ }, "server": { "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "nat": { "port": 0 @@ -4894,6 +5581,7 @@ "device": "SFW", "device_name": "XG230", "dst_country_code": "SVK", + "dst_zone_type": "WAN", "hb_health": "No Heartbeat", "iap": "0", "ips_policy_id": "15", @@ -4903,6 +5591,7 @@ "message_id": "00001", "priority": "Information", "src_country_code": "R1", + "src_zone_type": "DMZ", "status": "Allow" } }, 
@@ -4937,6 +5626,18 @@
 "@timestamp": "2020-05-18T14:38:39.000Z",
 "client": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "mac": "24:01:c7:07:2b:a2",
 "nat": {
@@ -4977,7 +5678,6 @@
 "code": "010102600002",
 "duration": 0,
 "end": "2020-05-18T14:38:39.000Z",
- "ingested": "2022-01-25T18:09:20.135361010Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -5029,6 +5729,18 @@
 },
 "server": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "nat": {
 "port": 0
@@ -5090,7 +5802,13 @@
 "port": 0
 },
 "packets": 0,
- "port": 60102
+ "port": 60102,
+ "user": {
+ "group": {
+ "name": "elastic.group.local"
+ },
+ "name": "elastic@user.local"
+ }
 },
 "destination": {
 "bytes": 0,
@@ -5112,7 +5830,6 @@
 "code": "010102600002",
 "duration": 0,
 "end": "2020-05-18T14:38:40.000Z",
- "ingested": "2022-01-25T18:09:20.135362180Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -5217,6 +5934,18 @@
 "@timestamp": "2020-05-18T14:38:41.000Z",
 "client": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "mac": "c4:f7:d5:b5:47:f4",
 "nat": {
@@ -5257,7 +5986,6 @@
 "code": "010302602002",
 "duration": 0,
 "end": "2020-05-18T14:38:41.000Z",
- "ingested": "2022-01-25T18:09:20.135363324Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -5304,6 +6032,18 @@
 },
 "server": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "nat": {
 "port": 0
@@ -5360,13 +6100,31 @@
 "@timestamp": "2020-05-18T14:38:42.000Z",
 "client": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "mac": "24:01:c7:07:2b:a2",
 "nat": {
 "port": 0
 },
 "packets": 0,
- "port": 51826
+ "port": 51826,
+ "user": {
+ "group": {
+ "name": "elastic.group.local"
+ },
+ "name": "elastic@user.local"
+ }
 },
 "destination": {
 "bytes": 0,
@@ -5388,7 +6146,6 @@
 "code": "010102600002",
 "duration": 0,
 "end": "2020-05-18T14:38:42.000Z",
- "ingested": "2022-01-25T18:09:20.135364500Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -5506,6 +6263,18 @@
 "@timestamp": "2020-05-18T14:38:43.000Z",
 "client": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "mac": "34:db:fd:83:d8:09",
 "nat": {
@@ -5535,7 +6304,6 @@
 "code": "010402403001",
 "duration": 0,
 "end": "2020-05-18T14:38:43.000Z",
- "ingested": "2022-01-25T18:09:20.135365602Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -5666,7 +6434,6 @@
 "code": "012802605201",
 "duration": 0,
 "end": "2020-05-18T14:38:44.000Z",
- "ingested": "2022-01-25T18:09:20.135366715Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -5763,7 +6530,13 @@
 "port": 0
 },
 "packets": 0,
- "port": 58543
+ "port": 58543,
+ "user": {
+ "group": {
+ "name": "elastic.group.local"
+ },
+ "name": "elastic@user.local"
+ }
 },
 "destination": {
 "bytes": 0,
@@ -5797,7 +6570,6 @@
 "code": "010101600001",
 "duration": 0,
 "end": "2020-05-18T14:38:45.000Z",
- "ingested": "2022-01-25T18:09:20.135367828Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -5857,6 +6629,18 @@
 },
 "server": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "nat": {
 "port": 0
@@ -5875,6 +6659,7 @@
 "device": "SFW",
 "device_name": "XG230",
 "dst_country_code": "R1",
+ "dst_zone_type": "VPN",
 "hb_health": "No Heartbeat",
 "iap": "0",
 "ips_policy_id": "11",
@@ -5884,6 +6669,7 @@
 "message_id": "00001",
 "priority": "Information",
 "src_country_code": "R1",
+ "src_zone_type": "VPN",
 "status": "Allow"
 }
 },
@@ -5949,7 +6735,6 @@
 "code": "018201500005",
 "duration": 0,
 "end": "2020-05-18T14:38:45.000Z",
- "ingested": "2022-01-25T18:09:20.135368977Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -5998,6 +6783,18 @@
 },
 "server": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "nat": {
 "port": 0
@@ -6044,6 +6841,18 @@
 "@timestamp": "2020-06-05T12:38:53.000Z",
 "client": {
 "bytes": 1802,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "mac": "00:00:00:00:00:00",
 "nat": {
@@ -6081,7 +6890,6 @@
 "code": "010101600001",
 "duration": 10000000000,
 "end": "2020-06-05T12:39:03.000Z",
- "ingested": "2022-01-25T18:09:20.135370140Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"",
 "outcome": "success",
@@ -6101,6 +6909,7 @@
 },
 "network": {
 "bytes": 3534,
+ "direction": "internal",
 "packets": 12,
 "transport": "tcp"
 },
@@ -6114,7 +6923,8 @@
 "ingress": {
 "interface": {
 "name": "ipsec0"
- }
+ },
+ "zone": "VPN"
 },
 "product": "XG",
 "serial_number": "1234567890123457",
@@ -6135,6 +6945,18 @@
 },
 "server": {
 "bytes": 1732,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "packets": 6,
 "port": 88
@@ -6150,6 +6972,7 @@
 "device": "SFW",
 "device_name": "XG230",
 "dst_country_code": "R1",
+ "dst_zone_type": "LAN",
 "hb_health": "NoHeartbeat",
 "iap": "0",
 "ips_policy_id": "17",
@@ -6231,7 +7054,6 @@
 "code": "010202601001",
 "duration": 0,
 "end": "2018-05-30T13:26:37.000Z",
- "ingested": "2022-01-25T18:09:20.135371251Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"",
 "outcome": "success",
@@ -6274,6 +7096,18 @@
 },
 "server": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "nat": {
 "port": 0
@@ -6344,7 +7178,6 @@
 "code": "011402601301",
 "duration": 0,
 "end": "2018-06-04T17:20:24.000Z",
- "ingested": "2022-01-25T18:09:20.135372416Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "outcome": "success",
@@ -6456,7 +7289,6 @@
 "code": "010302602002",
 "duration": 0,
 "end": "2018-05-30T14:01:32.000Z",
- "ingested": "2022-01-25T18:09:20.135373544Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "outcome": "success",
@@ -6576,7 +7408,6 @@
 "code": "010402403001",
 "duration": 0,
 "end": "2018-05-30T14:17:17.000Z",
- "ingested": "2022-01-25T18:09:20.135374751Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"",
 "outcome": "success",
@@ -6692,7 +7523,6 @@
 "code": "010502604001",
 "duration": 0,
 "end": "2018-06-05T14:30:31.000Z",
- "ingested": "2022-01-25T18:09:20.135375907Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"",
 "outcome": "success",
@@ -6817,7 +7647,6 @@
 "code": "010602605001",
 "duration": 0,
 "end": "2018-05-31T17:05:14.000Z",
- "ingested": "2022-01-25T18:09:20.135377004Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "outcome": "success",
@@ -6860,6 +7689,18 @@
 },
 "server": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "nat": {
 "port": 0
@@ -6930,7 +7771,6 @@
 "code": "011702605051",
 "duration": 0,
 "end": "2018-05-30T15:09:51.000Z",
- "ingested": "2022-01-25T18:09:20.135378106Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "outcome": "success",
@@ -7047,7 +7887,6 @@
 "code": "016602600006",
 "duration": 0,
 "end": "2018-06-01T10:57:55.000Z",
- "ingested": "2022-01-25T18:09:20.135379242Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -7178,7 +8017,6 @@
 "code": "016602600003",
 "duration": 0,
 "end": "2018-06-01T10:55:41.000Z",
- "ingested": "2022-01-25T18:09:20.135380384Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "outcome": "success",
@@ -7226,6 +8064,18 @@
 },
 "server": {
 "bytes": 0,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "nat": {
 "port": 0
@@ -7269,6 +8119,18 @@
 {
 "@timestamp": "2020-05-18T14:38:54.000Z",
 "client": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "port": 41528
 },
@@ -7298,7 +8160,6 @@
 "network"
 ],
 "code": "020804407002",
- "ingested": "2022-01-25T18:09:20.135381589Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=175.16.199.1 src_country_code=ROU dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"",
 "outcome": "success",
@@ -7337,6 +8198,18 @@
 "name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack"
 },
 "server": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "port": 80
 },
@@ -7382,6 +8255,18 @@
 {
 "@timestamp": "2020-05-18T14:38:55.000Z",
 "client": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "port": 58914
 },
@@ -7411,7 +8296,6 @@
 "network"
 ],
 "code": "020804407002",
- "ingested": "2022-01-25T18:09:20.135382782Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=175.16.199.1 src_country_code=CHN dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"",
 "outcome": "success",
@@ -7450,6 +8334,18 @@
 "name": "PROTOCOL-DNS named version attempt"
 },
 "server": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "port": 53
 },
@@ -7495,6 +8391,18 @@
 {
 "@timestamp": "2020-05-18T14:38:56.000Z",
 "client": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "port": 59476
 },
@@ -7524,7 +8432,6 @@
 "network"
 ],
 "code": "020804407002",
- "ingested": "2022-01-25T18:09:20.135383940Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=175.16.199.1 src_country_code=NLD dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"",
 "outcome": "success",
@@ -7563,6 +8470,18 @@
 "name": "SERVER-WEBAPP DrayTek multiple products command injection attempt"
 },
 "server": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
 "ip": "175.16.199.1",
 "port": 80
 },
@@ -7625,7 +8544,6 @@
 "network"
 ],
 "code": "020703406001",
- "ingested": "2022-01-25T18:09:20.135385203Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"",
 "outcome": "success",
@@ -7715,7 +8633,6 @@
 "network"
 ],
 "code": "020704406002",
- "ingested": "2022-01-25T18:09:20.135386347Z",
 "kind": "alert",
 "original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"",
 "outcome": "success",
@@ -7796,7 +8713,6 @@
 "network"
 ],
 "code": "138301618041",
- "ingested": "2022-01-25T18:09:20.135387476Z",
 "kind": "event",
 "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"",
 "outcome": "success",
@@ -7846,7 +8762,10 @@
 {
 "@timestamp": "2017-01-31T14:52:11.000Z",
 "client": {
- "ip": "10.198.47.112"
+ "ip": "10.198.47.112",
+ "user": {
+ "name": "jsmith@iview.com"
+ }
 },
 "ecs": {
 "version": "8.0.0"
@@ -7858,7 +8777,6 @@ "network" ], "code": "138302218042", - "ingested": "2022-01-25T18:09:20.135388569Z", "kind": "alert", "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "outcome": "success", @@ -7936,7 +8854,6 @@ "network" ], "code": "136501618041", - "ingested": "2022-01-25T18:09:20.135389689Z", "kind": "event", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "outcome": "success", @@ -7986,7 +8903,10 @@ { "@timestamp": "2017-01-31T15:28:25.000Z", "client": { - "ip": "10.198.47.112" + "ip": "10.198.47.112", + "user": { + "name": "jsmith" + } }, "ecs": { "version": "8.0.0" 
@@ -7997,7 +8917,6 @@ "network" ], "code": "136528618043", - "ingested": "2022-01-25T18:09:20.135390788Z", "kind": "event", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", "outcome": "success", @@ -8067,7 +8986,10 @@ { "@timestamp": "2017-01-31T15:28:25.000Z", "client": { - "ip": "10.198.47.112" + "ip": "10.198.47.112", + "user": { + "name": "jsmith" + } }, "ecs": { "version": "8.0.0" @@ -8079,7 +9001,6 @@ "network" ], "code": "136502218042", - "ingested": "2022-01-25T18:09:20.135392013Z", "kind": "alert", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", "outcome": "success", 
@@ -8161,7 +9082,6 @@ "network" ], "code": "136502218042", - "ingested": "2022-01-25T18:09:20.135393808Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=175.16.199.1 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "outcome": "success", @@ -8226,6 +9146,18 @@ "@timestamp": "2020-05-18T14:38:46.000Z", "client": { "bytes": 1419, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "destination": { 
@@ -8254,7 +9186,6 @@ "network" ], "code": "075000617071", - "ingested": "2022-01-25T18:09:20.135395008Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", "severity": 6, @@ -8290,7 +9221,19 @@ ] }, "server": { - "bytes": 5669, + "bytes": 401, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "sophos": { @@ -8339,6 +9282,18 @@ "@timestamp": "2020-05-18T14:38:47.000Z", "client": { "bytes": 1774, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "destination": { 
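Review bot: In the `@@ -8290,7 +9221,19 @@` hunk the new expected `"bytes": 401` under `server` equals `httpstatus=401` in the same event's `event.original`, while the value it replaces (5669) equals `bytessent=5669`; the `server` hunks `@@ -8403,7 +9357,19 @@`, `@@ -8510,7 +9478,7 @@`, `@@ -8609,7 +9579,7 @@` and `@@ -8717,7 +9698,19 @@` show the same pattern (1357→200 with httpstatus=200, 726→403, 739→403 and 5353→403 with httpstatus=403). The unchanged context `"destination": { "bytes": 403` in `@@ -8453,7 +9419,10 @@` suggests `destination.bytes` already carried the status code, so the WAF mapping for server/destination bytes appears to read the HTTP status field rather than `bytessent`; this expected file would then be blessing a pipeline defect rather than a fix. Byte counters feed volume baselines and data-transfer detections, and a three-digit status code standing in for them is hard to notice downstream, so please confirm the source field in the pipeline and regenerate the expected output, or record the intent in the changelog entry if the new values are deliberate.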
@@ -8367,7 +9322,6 @@ "network" ], "code": "075000617071", - "ingested": "2022-01-25T18:09:20.135396148Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", "severity": 6, @@ -8403,7 +9357,19 @@ ] }, "server": { - "bytes": 1357, + "bytes": 200, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "sophos": { @@ -8453,7 +9419,10 @@ "@timestamp": "2020-05-19T17:20:29.000Z", "client": { "bytes": 510, - "ip": "10.198.235.254" + "ip": "10.198.235.254", + "user": { + "name": "jsmith" + } }, "destination": { "bytes": 403, 
@@ -8469,7 +9438,6 @@ "network" ], "code": "075000617071", - "ingested": "2022-01-25T18:09:20.135397387Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", "outcome": "success", @@ -8510,7 +9478,7 @@ ] }, "server": { - "bytes": 726, + "bytes": 403, "ip": "10.198.233.48" }, "sophos": { @@ -8551,7 +9519,10 @@ "@timestamp": "2020-05-19T18:03:30.000Z", "client": { "bytes": 715, - "ip": "10.198.235.254" + "ip": "10.198.235.254", + "user": { + "name": "jsmith" + } }, "destination": { "bytes": 403, 
@@ -8567,7 +9538,6 @@ "network" ], "code": "075000617071", - "ingested": "2022-01-25T18:09:20.135398505Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", "outcome": "success", @@ -8609,7 +9579,7 @@ ] }, "server": { - "bytes": 739, + "bytes": 403, "ip": "10.198.233.48" }, "sophos": { @@ -8652,6 +9622,18 @@ "@timestamp": "2020-05-20T18:03:31.000Z", "client": { "bytes": 295, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "destination": { 
@@ -8680,7 +9662,6 @@ "network" ], "code": "075000617071", - "ingested": "2022-01-25T18:09:20.135399612Z", "kind": "alert", "original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", "outcome": "success", @@ -8717,7 +9698,19 @@ ] }, "server": { - "bytes": 5353, + "bytes": 403, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1" }, "sophos": { @@ -8768,7 +9761,6 @@ }, "event": { "code": "106025618011", - "ingested": "2022-01-25T18:09:20.135400694Z", "kind": "event", "original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2", "outcome": "success", 
@@ -8816,7 +9808,6 @@ }, "event": { "code": "106025618011", - "ingested": "2022-01-25T18:09:20.135402087Z", "kind": "event", "original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3", "outcome": "success", @@ -8860,10 +9851,29 @@ { "@timestamp": "2021-02-11T13:12:45.000Z", "client": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "bytes": 0, - "ip": "1.128.3.4", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", "mac": "11:22:33:44:55:66", "nat": { + "ip": "216.160.83.57", "port": 0 }, "packets": 0, 
@@ -8906,9 +9916,8 @@ "code": "010101600001", "duration": 0, "end": "2021-02-11T13:12:45.000Z", - "ingested": "2022-01-25T18:09:20.135403179Z", "kind": "event", - "original": "device=\"SFW\" date=2021-02-11 time=13:12:45 timezone=\"CET\" device_name=\"XG210\" device_id=dem-dev log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2.109\" in_display_interface=\"CD21-IPs_WAN\" out_interface=\"Port5.200\" out_display_interface=\"Port5\" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.128.3.4 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol=\"TCP\" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype=\"WAN\" srczone=\"WAN\" dstzonetype=\"DMZ\" dstzone=\"Zone 9\" dir_disp=\"\" connevent=\"Start\" connid=\"3933925696\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "original": "device=\"SFW\" date=2021-02-11 time=13:12:45 timezone=\"CET\" device_name=\"XG210\" device_id=dem-dev log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2.109\" in_display_interface=\"CD21-IPs_WAN\" 
out_interface=\"Port5.200\" out_display_interface=\"Port5\" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=89.160.20.156 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol=\"TCP\" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype=\"WAN\" srczone=\"WAN\" dstzonetype=\"DMZ\" dstzone=\"Zone 9\" dir_disp=\"\" connevent=\"Start\" connid=\"3933925696\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "outcome": "success", "severity": 6, "start": "2021-02-11T13:12:45.000Z", @@ -8926,7 +9935,6 @@ }, "network": { "bytes": 0, - "direction": "inbound", "packets": 0, "transport": "tcp" }, @@ -8935,7 +9943,7 @@ "interface": { "name": "Port5.200" }, - "zone": "DMZ" + "zone": "Zone 9" }, "ingress": { "interface": { @@ -8953,7 +9961,7 @@ "defaulttest.local" ], "ip": [ - "1.128.3.4", + "89.160.20.156", "175.16.199.1", "216.160.83.57", "216.160.83.61" @@ -8964,10 +9972,26 @@ "ruleset": "1" }, "server": { + "as": { + "number": 209 + }, "bytes": 0, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, "ip": "175.16.199.1", "mac": "66:55:44:33:22:11", "nat": { + "ip": "216.160.83.61", "port": 0 }, "packets": 0, @@ -8984,6 +10008,7 @@ "device": "SFW", "device_name": "XG210", "dst_country_code": "GB", + "dst_zone_type": "DMZ", "ether_type": "Unknown (0x0000)", "hb_health": "No Heartbeat", "iap": "0", 
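Review bot: The `@@ -8926,7 +9935,6 @@` hunk drops `"direction": "inbound"` from `network` without a replacement, while the same event still carries `srczonetype="WAN"` and `dstzonetype="DMZ"` in `event.original` and the new hunks `@@ -8984,6 +10008,7 @@` and `@@ -8994,30 +10019,31 @@` add those very values as `sophos.xg.dst_zone_type` and `sophos.xg.src_zone_type`. The old value was presumably derived from those zone types, so the data to keep populating `network.direction` is still present; losing it removes an ECS field that detection rules and dashboards commonly filter on. If the derivation was removed on purpose the changelog entry should say so; otherwise the pipeline should keep setting `network.direction` from the zone types and this expected output should be regenerated. The `@@ -8935,7 +9943,7 @@` change of `observer.egress.zone` from the type `DMZ` to the zone name `Zone 9` is consistent with the new `dst_zone_type` field and looks fine.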
@@ -8994,30 +10019,31 @@ "message_id": "00001", "priority": "Information", "src_country_code": "ESP", + "src_zone_type": "WAN", "status": "Allow" } }, "source": { "as": { - "number": 1221, + "number": 29518, "organization": { - "name": "Telstra Pty Ltd" + "name": "Bredband2 AB" } }, "bytes": 0, "geo": { - "city_name": "Milton", - "continent_name": "North America", - "country_iso_code": "US", - "country_name": "United States", + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", "location": { - "lat": 47.2513, - "lon": -122.3149 + "lat": 58.4167, + "lon": 15.6167 }, - "region_iso_code": "US-WA", - "region_name": "Washington" + "region_iso_code": "SE-E", + "region_name": "Östergötland County" }, - "ip": "1.128.3.4", + "ip": "89.160.20.156", "mac": "11:22:33:44:55:66", "nat": { "ip": "216.160.83.57", @@ -9037,6 +10063,7 @@ "ip": "10.146.13.30", "mac": "00:50:56:99:51:94", "nat": { + "ip": "10.8.13.110", "port": 0 }, "packets": 0, 
@@ -9063,7 +10090,6 @@ "code": "010101600001", "duration": 0, "end": "2020-06-05T03:45:23.000Z", - "ingested": "2022-01-25T18:09:20.135404310Z", "kind": "event", "original": "device=\"SFW\" date=2020-06-05 time=03:45:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name=\"\" user_gp=\"\" iap=13 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2\" in_display_interface=\"Port2\" out_interface=\"Port1\" out_display_interface=\"Port1\" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2674291981\" vconnid=\"\" hb_health=\"No Heartbeat\"message=\"\" appresolvedby=\"Signature\" app_is_cloud=0 log_occurrence=1", "outcome": "success", @@ -9139,6 +10165,7 @@ "connid": "2674291981", "device": "SFW", "device_name": "SF01V", + "dst_zone_type": "WAN", "ether_type": "Unknown (0x0000)", "hb_health": "No Heartbeat\"message=", "iap": "13", @@ -9148,6 +10175,7 @@ "log_type": "Firewall", "message_id": "00001", "priority": "Information", + "src_zone_type": "LAN", "status": "Allow" } }, diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log new file mode 100644 index 00000000000..d408bbe958f --- /dev/null 
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log 
@@ -0,0 +1,50 @@
+Nov 16 00:28:48 sophos device_name="SFW" timestamp="2021-11-15T18:28:48-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" app_filter_policy_id=6 app_name="Torrent Clients P2P" app_risk=5 app_technology="P2P" app_category="P2P" src_ip="192.168.2.32" src_country="R1" dst_ip="192.168.1.15" dst_country="R1" protocol="UDP" src_port=44740 dst_port=22083 app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New"
+Nov 16 00:28:51 sophos device_name="SFW" timestamp="2021-11-15T18:28:51-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain="hls14.asiancdn.net" http_status="0" con_id=173026752 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:28:57 sophos device_name="SFW" timestamp="2021-11-15T18:28:57-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 domain="hls14.asiancdn.net" http_status="0" con_id=2694936768 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN"
dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:03 sophos device_name="SFW" timestamp="2021-11-15T18:29:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain="hls14.asiancdn.net" http_status="0" con_id=2564230592 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:06 sophos device_name="SFW" timestamp="2021-11-15T18:29:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="89.160.20.156" protocol="TCP" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=2617088192 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
+Nov 16 00:29:07 sophos device_name="SFW" timestamp="2021-11-15T18:29:07-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://array611.prod.do.dsp.mp.microsoft.com" src_ip="192.168.2.110"
dst_ip="89.160.20.156" protocol="TCP" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain="array611.prod.do.dsp.mp.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2916030976 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="IRL"
+Nov 16 00:29:11 sophos device_name="SFW" timestamp="2021-11-15T18:29:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 domain="hls14.asiancdn.net" http_status="0" con_id=2564227072 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:16 sophos device_name="SFW" timestamp="2021-11-15T18:29:16-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet&bodyId=tsn%3A846001190AE52F2" content_type="application/json" src_ip="192.168.2.131" dst_ip="89.160.20.156" protocol="TCP" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain="89.160.20.156" http_user_agent="TvHttpClient" http_status="200" con_id=3159010752 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:20 sophos device_name="SFW"
timestamp="2021-11-15T18:29:20-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Chat" http_category_type="Unproductive" url="https://mtalk.google.com" src_ip="192.168.2.162" dst_ip="89.160.20.156" protocol="TCP" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain="mtalk.google.com" http_status="0" con_id=172826048 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:21 sophos device_name="SFW" timestamp="2021-11-15T18:29:21-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://89.160.20.156/tivo-service/mercury.cgi" content_type="text/plain" src_ip="192.168.2.131" dst_ip="89.160.20.156" protocol="TCP" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain="89.160.20.156" http_status="200" con_id=175812032 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:22 sophos device_name="SFW" timestamp="2021-11-15T18:29:22-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://89.160.20.156/tivo-service/mlog.cgi?gzip" content_type="text/plain" src_ip="192.168.2.131" dst_ip="89.160.20.156" protocol="TCP" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123
domain="89.160.20.156" http_status="200" con_id=175808832 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:22 sophos device_name="SFW" timestamp="2021-11-15T18:29:22-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 domain="hls14.asiancdn.net" http_status="0" con_id=2719000448 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:23 sophos device_name="SFW" timestamp="2021-11-15T18:29:23-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Information Technology" http_category_type="Acceptable" url="https://alive.github.com" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain="alive.github.com" http_status="0" con_id=2721561088 app_name="GitHub" app_is_cloud="TRUE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" app_risk=1 app_category="Storage and Backup"
+Nov 16 00:29:26 sophos device_name="SFW" timestamp="2021-11-15T18:29:26-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16"
web_policy_id=4 http_category="IPAddress" http_category_type="Acceptable" url="https://192.168.2.90" src_ip="192.168.3.36" dst_ip="192.168.2.90" protocol="TCP" src_port=37906 dst_port=8089 bytes_sent=1361 bytes_received=3059 domain="192.168.2.90" http_status="0" con_id=175809792 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="LAN" dst_zone="LAN" src_country="R1" dst_country="R1"
+Nov 16 00:29:28 sophos device_name="SFW" timestamp="2021-11-15T18:29:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Information Technology" http_category_type="Acceptable" url="https://tpcf.feedify.net" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=22569 dst_port=443 bytes_sent=1752 bytes_received=1556 domain="tpcf.feedify.net" http_status="0" con_id=2685143552 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:28 sophos device_name="SFW" timestamp="2021-11-15T18:29:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 domain="hls14.asiancdn.net" http_status="0" con_id=173140160 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:32 sophos device_name="SFW" timestamp="2021-11-15T18:29:32-0600" device_model="SFVH"
device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="https://logsink.devices.nest.com" src_ip="192.168.2.109" dst_ip="89.160.20.156" protocol="TCP" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain="logsink.devices.nest.com" http_status="0" con_id=3159009472 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:33 sophos device_name="SFW" timestamp="2021-11-15T18:29:33-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" app_filter_policy_id=6 app_name="Torrent Clients P2P" app_risk=5 app_technology="P2P" app_category="P2P" src_ip="192.168.2.32" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=44740 dst_port=4000 app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New"
+Nov 16 00:29:36 sophos device_name="SFW" timestamp="2021-11-15T18:29:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="89.160.20.156" protocol="TCP" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=3729897664 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN"
+Nov
16 00:29:39 sophos device_name="SFW" timestamp="2021-11-15T18:29:39-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://api.smartthings.com" src_ip="192.168.2.102" dst_ip="89.160.20.156" protocol="TCP" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain="api.smartthings.com" http_status="0" con_id=3729897984 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="http://connectivitycheck.gstatic.com/generate_204" src_ip="192.168.2.105" dst_ip="89.160.20.156" protocol="TCP" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain="connectivitycheck.gstatic.com" http_user_agent="Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094" http_status="204" con_id=407760320 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable"
url="http://connectivitycheck.gstatic.com/generate_204" src_ip="192.168.2.123" dst_ip="89.160.20.156" protocol="TCP" src_port=35596 dst_port=80 bytes_sent=310 bytes_received=83 domain="connectivitycheck.gstatic.com" http_user_agent="Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000" http_status="204" con_id=3019156928 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:40 sophos device_name="SFW" timestamp="2021-11-15T18:29:40-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Business Networking" http_category_type="Acceptable" url="https://realtime.www.linkedin.com" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain="realtime.www.linkedin.com" http_status="0" con_id=172822528 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
+Nov 16 00:29:42 sophos device_name="SFW" timestamp="2021-11-15T18:29:42-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="8" web_policy_id=4 http_category="Information Technology" http_category_type="Acceptable" url="http://checkip.dyndns.org/" content_type="text/html" src_ip="192.168.3.36" dst_ip="89.160.20.156" protocol="TCP" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain="checkip.dyndns.org" http_user_agent="ddclient/3.9.1" http_status="200" con_id=154693632 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ"
src_zone="DMZ" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="BRA" +Nov 16 00:29:43 sophos device_name="SFW" timestamp="2021-11-15T18:29:43-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain="hls14.asiancdn.net" http_status="0" con_id=407384704 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:43 sophos device_name="SFW" timestamp="2021-11-15T18:29:43-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Shopping" http_category_type="Unproductive" url="https://device-metrics-us-2.amazon.com" src_ip="192.168.2.106" dst_ip="89.160.20.156" protocol="TCP" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain="device-metrics-us-2.amazon.com" http_status="0" con_id=3019356672 app_name="Amazon Shopping" app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" app_risk=2 app_category="General Internet" +Nov 16 00:29:44 sophos device_name="SFW" timestamp="2021-11-15T18:29:44-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" 
url="https://settings-win.data.microsoft.com" src_ip="192.168.2.32" dst_ip="89.160.20.156" protocol="TCP" src_port=59357 dst_port=443 bytes_sent=2144 bytes_received=4386 domain="settings-win.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=3159007232 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:47 sophos device_name="SFW" timestamp="2021-11-15T18:29:47-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://clientservices.googleapis.com" src_ip="192.168.2.156" dst_ip="89.160.20.156" protocol="TCP" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain="clientservices.googleapis.com" http_status="0" con_id=2432150656 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:29:47 sophos device_name="SFW" timestamp="2021-11-15T18:29:47-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16" web_policy_id=4 http_category="IPAddress" http_category_type="Acceptable" url="https://192.168.2.90" src_ip="192.168.3.36" dst_ip="192.168.2.90" protocol="TCP" src_port=37912 dst_port=8089 bytes_sent=542 bytes_received=2376 domain="192.168.2.90" http_status="0" con_id=2721559808 app_is_cloud="FALSE" used_quota="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="LAN" dst_zone="LAN" src_country="R1" dst_country="R1" +Nov 16 00:29:56 sophos device_name="SFW" timestamp="2021-11-15T18:29:56-0600" device_model="SFVH" 
device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Entertainment" http_category_type="Unproductive" url="https://api.thetake.com" src_ip="192.168.2.143" dst_ip="89.160.20.156" protocol="TCP" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain="api.thetake.com" http_status="0" con_id=2685144512 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" +Nov 16 00:29:57 sophos device_name="SFW" timestamp="2021-11-15T18:29:57-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://tools.google.com" src_ip="192.168.2.105" dst_ip="89.160.20.156" protocol="TCP" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 domain="tools.google.com" http_status="0" con_id=151870592 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:00 sophos device_name="SFW" timestamp="2021-11-15T18:30:00-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 domain="hls14.asiancdn.net" http_status="0" con_id=3019355392 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" 
dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:01 sophos device_name="SFW" timestamp="2021-11-15T18:30:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://edge.microsoft.com" src_ip="192.168.2.107" dst_ip="89.160.20.156" protocol="TCP" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain="edge.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2689611008 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:02 sophos device_name="SFW" timestamp="2021-11-15T18:30:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Search Engines" http_category_type="Acceptable" url="https://clients4.google.com" src_ip="192.168.2.139" dst_ip="89.160.20.156" protocol="TCP" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain="clients4.google.com" http_status="0" con_id=2432148096 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:03 sophos device_name="SFW" timestamp="2021-11-15T18:30:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://settings-win.data.microsoft.com" src_ip="192.168.2.107" 
dst_ip="89.160.20.156" protocol="TCP" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain="settings-win.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=173138560 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:06 sophos device_name="SFW" timestamp="2021-11-15T18:30:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="89.160.20.156" protocol="TCP" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=2841967104 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN" +Nov 16 00:30:11 sophos device_name="SFW" timestamp="2021-11-15T18:30:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Games" http_category_type="Unproductive" url="https://catalog.gamepass.com" src_ip="192.168.2.110" dst_ip="89.160.20.156" protocol="TCP" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain="catalog.gamepass.com" http_status="0" con_id=2685088704 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:16 sophos device_name="SFW" timestamp="2021-11-15T18:30:16-0600" device_model="SFVH" 
device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Search Engines" http_category_type="Acceptable" url="https://clients4.google.com" src_ip="192.168.2.105" dst_ip="89.160.20.156" protocol="TCP" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain="clients4.google.com" http_status="0" con_id=3017219520 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://www.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=53942 dst_port=443 bytes_sent=3093 bytes_received=63488 domain="www.googleapis.com" http_status="0" con_id=154695872 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://play.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain="play.googleapis.com" http_status="0" con_id=2169324160 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" 
src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:25 sophos device_name="SFW" timestamp="2021-11-15T18:30:25-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://android.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain="android.googleapis.com" http_status="0" con_id=173141120 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:27 sophos device_name="SFW" timestamp="2021-11-15T18:30:27-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Online Chat" http_category_type="Unproductive" url="https://discord.com" src_ip="192.168.2.156" dst_ip="89.160.20.156" protocol="TCP" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain="discord.com" http_status="0" con_id=3732575808 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" +Nov 16 00:30:28 sophos device_name="SFW" timestamp="2021-11-15T18:30:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="IPAddress" http_category_type="Acceptable" url="http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet&bodyId=tsn%3A846001190AE52F2" content_type="application/json" 
src_ip="192.168.2.131" dst_ip="89.160.20.156" protocol="TCP" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain="89.160.20.156" http_user_agent="TvHttpClient" http_status="200" con_id=999028608 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:28 sophos device_name="SFW" timestamp="2021-11-15T18:30:28-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="General Business" http_category_type="Acceptable" url="https://backend-ssp.adstudio.cloud" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 domain="backend-ssp.adstudio.cloud" http_status="0" con_id=175214016 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:30 sophos device_name="SFW" timestamp="2021-11-15T18:30:30-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://android.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain="android.googleapis.com" http_status="0" con_id=3732577728 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:30 sophos device_name="SFW" timestamp="2021-11-15T18:30:30-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content 
Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Content Delivery" http_category_type="Acceptable" url="https://hls14.asiancdn.net" src_ip="192.168.2.111" dst_ip="89.160.20.156" protocol="TCP" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 domain="hls14.asiancdn.net" http_status="0" con_id=173138880 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:33 sophos device_name="SFW" timestamp="2021-11-15T18:30:33-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://vortex.data.microsoft.com" src_ip="192.168.2.119" dst_ip="89.160.20.156" protocol="TCP" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain="vortex.data.microsoft.com" exceptions="av,https,validation,policy,zero-day protection" http_status="0" con_id=2564229952 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:36 sophos device_name="SFW" timestamp="2021-11-15T18:30:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="General Business" http_category_type="Acceptable" url="http://info.cspserver.net/api/v1/connect-test" content_type="application/octet-stream" src_ip="192.168.2.112" dst_ip="89.160.20.156" protocol="TCP" src_port=55510 dst_port=80 bytes_sent=77 bytes_received=249 domain="info.cspserver.net" http_status="200" con_id=3159008512 
app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="JPN" +Nov 16 00:30:36 sophos device_name="SFW" timestamp="2021-11-15T18:30:36-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" web_policy_id=1 http_category="Advertisements" http_category_type="Unproductive" url="https://us-trc-events.taboola.com" src_ip="192.168.2.41" dst_ip="89.160.20.156" protocol="TCP" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain="us-trc-events.taboola.com" http_status="0" con_id=999027328 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" +Nov 16 00:30:38 sophos device_name="SFW" timestamp="2021-11-15T18:30:38-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" web_policy_id=12 http_category="Information Technology" http_category_type="Acceptable" url="https://deviceintegritytokens-pa.googleapis.com" src_ip="192.168.2.126" dst_ip="89.160.20.156" protocol="TCP" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain="deviceintegritytokens-pa.googleapis.com" http_status="0" con_id=408293376 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA" diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json new file mode 100644 index 00000000000..21cb12e5a51 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-cfilter-new.log-expected.json 
@@ -0,0 +1,6848 @@ +{ + "expected": [ + { + "@timestamp": "2021-11-16T00:28:48.000Z", + "client": { + "ip": "192.168.2.32", + "port": 44740 + }, + "destination": { + "ip": "192.168.1.15", + "port": 22083 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "malware", + "network" + ], + "code": "054402617051", + "kind": "alert", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:48-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"UDP\" src_port=44740 dst_port=22083 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", + "outcome": "success", + "severity": 6, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "udp" + }, + "observer": { + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "192.168.1.15" + ] + }, + "server": { + "ip": "192.168.1.15", + "port": 22083 + }, + "sophos": { + "xg": { + "app_category": "P2P", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "Torrent Clients P2P", + "app_resolved_by": "Signature", + "app_risk": "5", + "app_technology": "P2P", + "device_model": "SFVH", + "device_name": "SFW", + "fw_rule_id": "12", + "log_component": "Application", + "log_subtype": "Denied", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "17051", + "qualifier": "New" + } + }, + 
"source": { + "ip": "192.168.2.32", + "port": 44740 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:28:51.000Z", + "client": { + "bytes": 19591, + "ip": "192.168.2.111", + "port": 50931 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2856085, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:51-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50931 dst_port=443 bytes_sent=19591 bytes_received=2856085 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173026752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": 
"Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2856085, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "173026752", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 19591, + "ip": "192.168.2.111", + "port": 50931 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:28:57.000Z", + "client": { + "bytes": 12138, + "ip": "192.168.2.111", + "port": 50932 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1708430, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", 
+ "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:28:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50932 dst_port=443 bytes_sent=12138 bytes_received=1708430 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2694936768 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1708430, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2694936768", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + 
"log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 12138, + "ip": "192.168.2.111", + "port": 50932 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:03.000Z", + "client": { + "bytes": 15419, + "ip": "192.168.2.111", + "port": 50933 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2608205, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50933 dst_port=443 bytes_sent=15419 bytes_received=2608205 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564230592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", 
+ "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2608205, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2564230592", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 15419, + "ip": "192.168.2.111", + "port": 50933 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:06.000Z", + "client": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 54640 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 249, + "geo": { + "city_name": "Linköping", + 
"continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=54640 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2617088192 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 249, + "geo": { + "city_name": "Linköping", + 
"continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2617088192", + "content_type": "application/octet-stream", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "General Business", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 54640 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "path": "/api/v1/connect-test", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:07.000Z", + "client": { + "bytes": 2128, + "ip": "192.168.2.110", + "port": 53392 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 3511, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" 
log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://array611.prod.do.dsp.mp.microsoft.com\" src_ip=\"192.168.2.110\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53392 dst_port=443 bytes_sent=2128 bytes_received=3511 domain=\"array611.prod.do.dsp.mp.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2916030976 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"IRL\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.110", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 3511, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2916030976", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "exceptions": "av,https,validation,policy,zero-day protection", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + 
"log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 2128, + "ip": "192.168.2.110", + "port": 53392 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "array611.prod.do.dsp.mp.microsoft.com", + "full": "https://array611.prod.do.dsp.mp.microsoft.com", + "original": "https://array611.prod.do.dsp.mp.microsoft.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:11.000Z", + "client": { + "bytes": 16674, + "ip": "192.168.2.111", + "port": 50934 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2569044, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50934 dst_port=443 bytes_sent=16674 bytes_received=2569044 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2564227072 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" 
dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2569044, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2564227072", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 16674, + "ip": "192.168.2.111", + "port": 50934 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:16.000Z", + "client": { + "bytes": 260, + "ip": "192.168.2.131", + "port": 40230 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 307, + "geo": { 
+ "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 8089 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=40230 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"89.160.20.156\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=3159010752 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.131", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + 
"name": "Bredband2 AB" + } + }, + "bytes": 307, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 8089 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3159010752", + "content_type": "application/json", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "IPAddress", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 260, + "ip": "192.168.2.131", + "port": 40230 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "89.160.20.156", + "full": "http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "original": "http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "path": "/mind/mind42", + "port": 8089, + "query": "type=myWanIpAddressGet\u0026bodyId=tsn:846001190AE52F2", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:20.000Z", + "client": { + "bytes": 13804, + "ip": "192.168.2.162", + "port": 53421 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 33728, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ 
+ "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:20-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://mtalk.google.com\" src_ip=\"192.168.2.162\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53421 dst_port=443 bytes_sent=13804 bytes_received=33728 domain=\"mtalk.google.com\" http_status=\"0\" con_id=172826048 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.162", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 33728, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "172826048", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Online Chat", + 
"http_category_type": "Unproductive", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 13804, + "ip": "192.168.2.162", + "port": 53421 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "mtalk.google.com", + "full": "https://mtalk.google.com", + "original": "https://mtalk.google.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:21.000Z", + "client": { + "bytes": 240, + "ip": "192.168.2.131", + "port": 33541 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 136, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:21-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156/tivo-service/mercury.cgi\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=33541 dst_port=80 bytes_sent=240 bytes_received=136 domain=\"89.160.20.156\" http_status=\"200\" con_id=175812032 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" 
src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.131", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 136, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "175812032", + "content_type": "text/plain", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "IPAddress", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 240, + "ip": "192.168.2.131", + "port": 33541 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "89.160.20.156", + "extension": "cgi", + "full": "http://89.160.20.156/tivo-service/mercury.cgi", + "original": "http://89.160.20.156/tivo-service/mercury.cgi", + "path": "/tivo-service/mercury.cgi", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:22.000Z", + "client": { + "bytes": 253, + 
"ip": "192.168.2.131", + "port": 46564 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 123, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156/tivo-service/mlog.cgi?gzip\" content_type=\"text/plain\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=46564 dst_port=80 bytes_sent=253 bytes_received=123 domain=\"89.160.20.156\" http_status=\"200\" con_id=175808832 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.131", + 
"89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 123, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "175808832", + "content_type": "text/plain", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "IPAddress", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 253, + "ip": "192.168.2.131", + "port": 46564 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "89.160.20.156", + "extension": "cgi", + "full": "http://89.160.20.156/tivo-service/mlog.cgi?gzip", + "original": "http://89.160.20.156/tivo-service/mlog.cgi?gzip", + "path": "/tivo-service/mlog.cgi", + "query": "gzip", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:22.000Z", + "client": { + "bytes": 10131, + "ip": "192.168.2.111", + "port": 50935 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1834077, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + 
"kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:22-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50935 dst_port=443 bytes_sent=10131 bytes_received=1834077 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=2719000448 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1834077, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2719000448", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", 
+ "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 10131, + "ip": "192.168.2.111", + "port": 50935 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:23.000Z", + "client": { + "bytes": 18152, + "ip": "192.168.2.41", + "port": 20492 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 11890, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://alive.github.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=20492 dst_port=443 bytes_sent=18152 bytes_received=11890 domain=\"alive.github.com\" http_status=\"0\" con_id=2721561088 app_name=\"GitHub\" app_is_cloud=\"TRUE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" 
app_risk=1 app_category=\"Storage and Backup\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 11890, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_category": "Storage and Backup", + "app_is_cloud": "TRUE", + "app_name": "GitHub", + "app_risk": "1", + "con_id": "2721561088", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "11", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "1" + } + }, + "source": { + "bytes": 18152, + "ip": "192.168.2.41", + "port": 20492 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "alive.github.com", + "full": "https://alive.github.com", + "original": "https://alive.github.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:26.000Z", + "client": { + "bytes": 1361, + "ip": "192.168.3.36", + "port": 37906 + }, + "destination": { + 
"bytes": 3059, + "ip": "192.168.2.90", + "port": 8089 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:26-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37906 dst_port=8089 bytes_sent=1361 bytes_received=3059 domain=\"192.168.2.90\" http_status=\"0\" con_id=175809792 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "LAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "DMZ" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.3.36", + "192.168.2.90" + ] + }, + "server": { + "bytes": 3059, + "ip": "192.168.2.90", + "port": 8089 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "175809792", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "LAN", + "fw_rule_id": "16", + "http_category": "IPAddress", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "DMZ", + "used_quota": "0", 
+ "web_policy_id": "4" + } + }, + "source": { + "bytes": 1361, + "ip": "192.168.3.36", + "port": 37906 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "192.168.2.90", + "full": "https://192.168.2.90", + "original": "https://192.168.2.90", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:28.000Z", + "client": { + "bytes": 1752, + "ip": "192.168.2.41", + "port": 22569 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1556, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tpcf.feedify.net\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22569 dst_port=443 bytes_sent=1752 bytes_received=1556 domain=\"tpcf.feedify.net\" http_status=\"0\" con_id=2685143552 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { 
+ "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1556, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2685143552", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "11", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "1" + } + }, + "source": { + "bytes": 1752, + "ip": "192.168.2.41", + "port": 22569 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "tpcf.feedify.net", + "full": "https://tpcf.feedify.net", + "original": "https://tpcf.feedify.net", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:28.000Z", + "client": { + "bytes": 12938, + "ip": "192.168.2.111", + "port": 50936 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2516804, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": 
"89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50936 dst_port=443 bytes_sent=12938 bytes_received=2516804 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173140160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2516804, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "173140160", + 
"device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 12938, + "ip": "192.168.2.111", + "port": 50936 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:32.000Z", + "client": { + "bytes": 8057, + "ip": "192.168.2.109", + "port": 49505 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1259, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:32-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://logsink.devices.nest.com\" src_ip=\"192.168.2.109\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49505 dst_port=443 bytes_sent=8057 bytes_received=1259 domain=\"logsink.devices.nest.com\" http_status=\"0\" con_id=3159009472 
app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.109", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1259, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3159009472", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "General Business", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 8057, + "ip": "192.168.2.109", + "port": 49505 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "logsink.devices.nest.com", + "full": "https://logsink.devices.nest.com", + "original": "https://logsink.devices.nest.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:33.000Z", + "client": { + "ip": "192.168.2.32", + "port": 44740 
+ }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 4000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "malware", + "network" + ], + "code": "054402617051", + "kind": "alert", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" app_filter_policy_id=6 app_name=\"Torrent Clients P2P\" app_risk=5 app_technology=\"P2P\" app_category=\"P2P\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=44740 dst_port=4000 app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\"", + "outcome": "success", + "severity": 6, + "type": [ + "info", + "denied", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "udp" + }, + "observer": { + "hostname": "sophos", + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": 
"Östergötland County" + }, + "ip": "89.160.20.156", + "port": 4000 + }, + "sophos": { + "xg": { + "app_category": "P2P", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "Torrent Clients P2P", + "app_resolved_by": "Signature", + "app_risk": "5", + "app_technology": "P2P", + "device_model": "SFVH", + "device_name": "SFW", + "fw_rule_id": "12", + "log_component": "Application", + "log_subtype": "Denied", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "17051", + "qualifier": "New" + } + }, + "source": { + "ip": "192.168.2.32", + "port": 44740 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:29:36.000Z", + "client": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 39118 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=39118 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" 
con_id=3729897664 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3729897664", + "content_type": "application/octet-stream", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "General Business", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 39118 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + 
"path": "/api/v1/connect-test", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:39.000Z", + "client": { + "bytes": 1157, + "ip": "192.168.2.102", + "port": 49030 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4092, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:39-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://api.smartthings.com\" src_ip=\"192.168.2.102\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49030 dst_port=443 bytes_sent=1157 bytes_received=4092 domain=\"api.smartthings.com\" http_status=\"0\" con_id=3729897984 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + 
"defaulttest.local" + ], + "ip": [ + "192.168.2.102", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4092, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3729897984", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 1157, + "ip": "192.168.2.102", + "port": 49030 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "api.smartthings.com", + "full": "https://api.smartthings.com", + "original": "https://api.smartthings.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:40.000Z", + "client": { + "bytes": 474, + "ip": "192.168.2.105", + "port": 52457 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 83, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" 
timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=52457 dst_port=80 bytes_sent=474 bytes_received=83 domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.81 Safari/537.36 CrKey/1.42.172094\" http_status=\"204\" con_id=407760320 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 204 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 83, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "407760320", + 
"device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 474, + "ip": "192.168.2.105", + "port": 52457 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "connectivitycheck.gstatic.com", + "full": "http://connectivitycheck.gstatic.com/generate_204", + "original": "http://connectivitycheck.gstatic.com/generate_204", + "path": "/generate_204", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:40.000Z", + "client": { + "bytes": 310, + "ip": "192.168.2.123", + "port": 35596 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 83, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"http://connectivitycheck.gstatic.com/generate_204\" src_ip=\"192.168.2.123\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=35596 dst_port=80 bytes_sent=310 bytes_received=83 
domain=\"connectivitycheck.gstatic.com\" http_user_agent=\"Mozilla/5.0 (Linux; Android 10.0; Build/QTS1.210311.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.225 Safari/537.36 CrKey/1.56.500000\" http_status=\"204\" con_id=3019156928 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 204 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.123", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 83, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3019156928", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 310, + "ip": "192.168.2.123", + "port": 35596 + }, + "tags": [ + 
"preserve_original_event" + ], + "url": { + "domain": "connectivitycheck.gstatic.com", + "full": "http://connectivitycheck.gstatic.com/generate_204", + "original": "http://connectivitycheck.gstatic.com/generate_204", + "path": "/generate_204", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:40.000Z", + "client": { + "bytes": 2182, + "ip": "192.168.2.41", + "port": 22465 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6231, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:40-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Business Networking\" http_category_type=\"Acceptable\" url=\"https://realtime.www.linkedin.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22465 dst_port=443 bytes_sent=2182 bytes_received=6231 domain=\"realtime.www.linkedin.com\" http_status=\"0\" con_id=172822528 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + 
"zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6231, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "172822528", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "11", + "http_category": "Business Networking", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "1" + } + }, + "source": { + "bytes": 2182, + "ip": "192.168.2.41", + "port": 22465 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "realtime.www.linkedin.com", + "full": "https://realtime.www.linkedin.com", + "original": "https://realtime.www.linkedin.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:42.000Z", + "client": { + "bytes": 91, + "ip": "192.168.3.36", + "port": 56126 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 270, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": 
"89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:42-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"8\" web_policy_id=4 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"http://checkip.dyndns.org/\" content_type=\"text/html\" src_ip=\"192.168.3.36\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=56126 dst_port=80 bytes_sent=91 bytes_received=270 domain=\"checkip.dyndns.org\" http_user_agent=\"ddclient/3.9.1\" http_status=\"200\" con_id=154693632 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"BRA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "DMZ" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.3.36", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 270, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": 
"89.160.20.156", + "port": 80 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "154693632", + "content_type": "text/html", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "8", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "DMZ", + "used_quota": "0", + "web_policy_id": "4" + } + }, + "source": { + "bytes": 91, + "ip": "192.168.3.36", + "port": 56126 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "checkip.dyndns.org", + "full": "http://checkip.dyndns.org/", + "original": "http://checkip.dyndns.org/", + "path": "/", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:29:43.000Z", + "client": { + "bytes": 17223, + "ip": "192.168.2.111", + "port": 50937 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2569893, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" 
protocol=\"TCP\" src_port=50937 dst_port=443 bytes_sent=17223 bytes_received=2569893 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=407384704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2569893, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "407384704", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 17223, + "ip": "192.168.2.111", + "port": 50937 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": 
"", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:43.000Z", + "client": { + "bytes": 3319, + "ip": "192.168.2.106", + "port": 63937 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 5643, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:43-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Shopping\" http_category_type=\"Unproductive\" url=\"https://device-metrics-us-2.amazon.com\" src_ip=\"192.168.2.106\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=63937 dst_port=443 bytes_sent=3319 bytes_received=5643 domain=\"device-metrics-us-2.amazon.com\" http_status=\"0\" con_id=3019356672 app_name=\"Amazon Shopping\" app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\" app_risk=2 app_category=\"General Internet\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", 
+ "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.106", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 5643, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_category": "General Internet", + "app_is_cloud": "FALSE", + "app_name": "Amazon Shopping", + "app_risk": "2", + "con_id": "3019356672", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Online Shopping", + "http_category_type": "Unproductive", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 3319, + "ip": "192.168.2.106", + "port": 63937 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "device-metrics-us-2.amazon.com", + "full": "https://device-metrics-us-2.amazon.com", + "original": "https://device-metrics-us-2.amazon.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:44.000Z", + "client": { + "bytes": 2144, + "ip": "192.168.2.32", + "port": 59357 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4386, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + 
"version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:44-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.32\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=59357 dst_port=443 bytes_sent=2144 bytes_received=4386 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=3159007232 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4386, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": 
"FALSE", + "con_id": "3159007232", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "exceptions": "av,https,validation,policy,zero-day protection", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 2144, + "ip": "192.168.2.32", + "port": 59357 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "settings-win.data.microsoft.com", + "full": "https://settings-win.data.microsoft.com", + "original": "https://settings-win.data.microsoft.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:47.000Z", + "client": { + "bytes": 1839, + "ip": "192.168.2.156", + "port": 62996 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2046, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://clientservices.googleapis.com\" src_ip=\"192.168.2.156\" dst_ip=\"89.160.20.156\" 
protocol=\"TCP\" src_port=62996 dst_port=443 bytes_sent=1839 bytes_received=2046 domain=\"clientservices.googleapis.com\" http_status=\"0\" con_id=2432150656 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.156", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2046, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2432150656", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 1839, + "ip": "192.168.2.156", + "port": 62996 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "clientservices.googleapis.com", + "full": "https://clientservices.googleapis.com", + "original": 
"https://clientservices.googleapis.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:47.000Z", + "client": { + "bytes": 542, + "ip": "192.168.3.36", + "port": 37912 + }, + "destination": { + "bytes": 2376, + "ip": "192.168.2.90", + "port": 8089 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:47-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" web_policy_id=4 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"https://192.168.2.90\" src_ip=\"192.168.3.36\" dst_ip=\"192.168.2.90\" protocol=\"TCP\" src_port=37912 dst_port=8089 bytes_sent=542 bytes_received=2376 domain=\"192.168.2.90\" http_status=\"0\" con_id=2721559808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" src_country=\"R1\" dst_country=\"R1\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "LAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "DMZ" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.3.36", + "192.168.2.90" + ] + }, + "server": { + "bytes": 2376, + "ip": "192.168.2.90", + "port": 8089 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2721559808", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "LAN", + "fw_rule_id": "16", + "http_category": 
"IPAddress", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "DMZ", + "used_quota": "0", + "web_policy_id": "4" + } + }, + "source": { + "bytes": 542, + "ip": "192.168.3.36", + "port": 37912 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "192.168.2.90", + "full": "https://192.168.2.90", + "original": "https://192.168.2.90", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:56.000Z", + "client": { + "bytes": 2680, + "ip": "192.168.2.143", + "port": 49274 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6023, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Entertainment\" http_category_type=\"Unproductive\" url=\"https://api.thetake.com\" src_ip=\"192.168.2.143\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49274 dst_port=443 bytes_sent=2680 bytes_received=6023 domain=\"api.thetake.com\" http_status=\"0\" con_id=2685144512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", + "outcome": "success", + 
"severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.143", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6023, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2685144512", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Entertainment", + "http_category_type": "Unproductive", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 2680, + "ip": "192.168.2.143", + "port": 49274 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "api.thetake.com", + "full": "https://api.thetake.com", + "original": "https://api.thetake.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:29:57.000Z", + "client": { + "bytes": 1719, + "ip": "192.168.2.105", + "port": 35672 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 8533, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + 
"country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:29:57-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://tools.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=35672 dst_port=443 bytes_sent=1719 bytes_received=8533 domain=\"tools.google.com\" http_status=\"0\" con_id=151870592 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 8533, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + 
"region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "151870592", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 1719, + "ip": "192.168.2.105", + "port": 35672 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "tools.google.com", + "full": "https://tools.google.com", + "original": "https://tools.google.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:00.000Z", + "client": { + "bytes": 25597, + "ip": "192.168.2.111", + "port": 50938 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4923601, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" 
src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50938 dst_port=443 bytes_sent=25597 bytes_received=4923601 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=3019355392 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4923601, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3019355392", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 25597, + "ip": "192.168.2.111", + "port": 50938 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + 
"original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:01.000Z", + "client": { + "bytes": 10198, + "ip": "192.168.2.107", + "port": 53571 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 7256, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://edge.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53571 dst_port=443 bytes_sent=10198 bytes_received=7256 domain=\"edge.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2689611008 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", 
+ "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.107", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 7256, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2689611008", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "exceptions": "av,https,validation,policy,zero-day protection", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 10198, + "ip": "192.168.2.107", + "port": 53571 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "edge.microsoft.com", + "full": "https://edge.microsoft.com", + "original": "https://edge.microsoft.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:02.000Z", + "client": { + "bytes": 4395, + "ip": "192.168.2.139", + "port": 49726 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2128, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { 
+ "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.139\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=49726 dst_port=443 bytes_sent=4395 bytes_received=2128 domain=\"clients4.google.com\" http_status=\"0\" con_id=2432148096 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.139", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2128, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2432148096", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", 
+ "http_category": "Search Engines", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 4395, + "ip": "192.168.2.139", + "port": 49726 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "clients4.google.com", + "full": "https://clients4.google.com", + "original": "https://clients4.google.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:03.000Z", + "client": { + "bytes": 1697, + "ip": "192.168.2.107", + "port": 53600 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4408, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://settings-win.data.microsoft.com\" src_ip=\"192.168.2.107\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53600 dst_port=443 bytes_sent=1697 bytes_received=4408 domain=\"settings-win.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=173138560 
app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.107", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4408, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "173138560", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "exceptions": "av,https,validation,policy,zero-day protection", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 1697, + "ip": "192.168.2.107", + "port": 53600 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "settings-win.data.microsoft.com", + "full": "https://settings-win.data.microsoft.com", + "original": "https://settings-win.data.microsoft.com", + "path": "", + "scheme": "https" + } + }, + { + 
"@timestamp": "2021-11-16T00:30:06.000Z", + "client": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 39119 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=39119 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=2841967104 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, 
+ "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2841967104", + "content_type": "application/octet-stream", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "General Business", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 39119 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "path": "/api/v1/connect-test", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:30:11.000Z", + "client": { + "bytes": 1030, + "ip": "192.168.2.110", + "port": 53588 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6770, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", 
+ "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Games\" http_category_type=\"Unproductive\" url=\"https://catalog.gamepass.com\" src_ip=\"192.168.2.110\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53588 dst_port=443 bytes_sent=1030 bytes_received=6770 domain=\"catalog.gamepass.com\" http_status=\"0\" con_id=2685088704 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.110", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6770, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2685088704", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Games", 
+ "http_category_type": "Unproductive", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 1030, + "ip": "192.168.2.110", + "port": 53588 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "catalog.gamepass.com", + "full": "https://catalog.gamepass.com", + "original": "https://catalog.gamepass.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:16.000Z", + "client": { + "bytes": 7011, + "ip": "192.168.2.105", + "port": 52580 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2848, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:16-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Search Engines\" http_category_type=\"Acceptable\" url=\"https://clients4.google.com\" src_ip=\"192.168.2.105\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=52580 dst_port=443 bytes_sent=7011 bytes_received=2848 domain=\"clients4.google.com\" http_status=\"0\" con_id=3017219520 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" 
dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2848, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3017219520", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Search Engines", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 7011, + "ip": "192.168.2.105", + "port": 52580 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "clients4.google.com", + "full": "https://clients4.google.com", + "original": "https://clients4.google.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:25.000Z", + "client": { + "bytes": 3093, + "ip": "192.168.2.126", + "port": 53942 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 63488, + "geo": { 
+ "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://www.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53942 dst_port=443 bytes_sent=3093 bytes_received=63488 domain=\"www.googleapis.com\" http_status=\"0\" con_id=154695872 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 63488, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + 
"location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "154695872", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 3093, + "ip": "192.168.2.126", + "port": 53942 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.googleapis.com", + "full": "https://www.googleapis.com", + "original": "https://www.googleapis.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:25.000Z", + "client": { + "bytes": 22415, + "ip": "192.168.2.126", + "port": 48938 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 7520, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" 
http_category_type=\"Acceptable\" url=\"https://play.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=48938 dst_port=443 bytes_sent=22415 bytes_received=7520 domain=\"play.googleapis.com\" http_status=\"0\" con_id=2169324160 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 7520, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2169324160", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 22415, + "ip": "192.168.2.126", + "port": 48938 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + 
"domain": "play.googleapis.com", + "full": "https://play.googleapis.com", + "original": "https://play.googleapis.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:25.000Z", + "client": { + "bytes": 9159, + "ip": "192.168.2.126", + "port": 53450 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 9567, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:25-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53450 dst_port=443 bytes_sent=9159 bytes_received=9567 domain=\"android.googleapis.com\" http_status=\"0\" con_id=173141120 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + 
"serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 9567, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "173141120", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 9159, + "ip": "192.168.2.126", + "port": 53450 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "android.googleapis.com", + "full": "https://android.googleapis.com", + "original": "https://android.googleapis.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:27.000Z", + "client": { + "bytes": 925, + "ip": "192.168.2.156", + "port": 62998 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6253, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": 
"allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:27-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Online Chat\" http_category_type=\"Unproductive\" url=\"https://discord.com\" src_ip=\"192.168.2.156\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=62998 dst_port=443 bytes_sent=925 bytes_received=6253 domain=\"discord.com\" http_status=\"0\" con_id=3732575808 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.156", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6253, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3732575808", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Online Chat", + 
"http_category_type": "Unproductive", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 925, + "ip": "192.168.2.156", + "port": 62998 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "discord.com", + "full": "https://discord.com", + "original": "https://discord.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:28.000Z", + "client": { + "bytes": 260, + "ip": "192.168.2.131", + "port": 40233 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 307, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 8089 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"IPAddress\" http_category_type=\"Acceptable\" url=\"http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2\" content_type=\"application/json\" src_ip=\"192.168.2.131\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=40233 dst_port=8089 bytes_sent=260 bytes_received=307 domain=\"89.160.20.156\" http_user_agent=\"TvHttpClient\" http_status=\"200\" con_id=999028608 app_is_cloud=\"FALSE\" used_quota=\"0\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.131", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 307, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 8089 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "999028608", + "content_type": "application/json", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "IPAddress", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 260, + "ip": "192.168.2.131", + "port": 40233 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "89.160.20.156", + "full": "http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "original": 
"http://89.160.20.156:8089/mind/mind42?type=myWanIpAddressGet\u0026bodyId=tsn%3A846001190AE52F2", + "path": "/mind/mind42", + "port": 8089, + "query": "type=myWanIpAddressGet\u0026bodyId=tsn:846001190AE52F2", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:30:28.000Z", + "client": { + "bytes": 1004, + "ip": "192.168.2.41", + "port": 22567 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 584, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:28-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"https://backend-ssp.adstudio.cloud\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22567 dst_port=443 bytes_sent=1004 bytes_received=584 domain=\"backend-ssp.adstudio.cloud\" http_status=\"0\" con_id=175214016 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", 
+ "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 584, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "175214016", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "11", + "http_category": "General Business", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "1" + } + }, + "source": { + "bytes": 1004, + "ip": "192.168.2.41", + "port": 22567 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "backend-ssp.adstudio.cloud", + "full": "https://backend-ssp.adstudio.cloud", + "original": "https://backend-ssp.adstudio.cloud", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:30.000Z", + "client": { + "bytes": 2417, + "ip": "192.168.2.126", + "port": 53458 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2607, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { 
+ "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://android.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=53458 dst_port=443 bytes_sent=2417 bytes_received=2607 domain=\"android.googleapis.com\" http_status=\"0\" con_id=3732577728 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2607, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3732577728", + "device_model": "SFVH", + "device_name": 
"SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 2417, + "ip": "192.168.2.126", + "port": 53458 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "android.googleapis.com", + "full": "https://android.googleapis.com", + "original": "https://android.googleapis.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:30.000Z", + "client": { + "bytes": 36759, + "ip": "192.168.2.111", + "port": 50939 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 5080099, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:30-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Content Delivery\" http_category_type=\"Acceptable\" url=\"https://hls14.asiancdn.net\" src_ip=\"192.168.2.111\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50939 dst_port=443 bytes_sent=36759 bytes_received=5080099 domain=\"hls14.asiancdn.net\" http_status=\"0\" con_id=173138880 app_is_cloud=\"FALSE\" 
used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 5080099, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "173138880", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Content Delivery", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 36759, + "ip": "192.168.2.111", + "port": 50939 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "hls14.asiancdn.net", + "full": "https://hls14.asiancdn.net", + "original": "https://hls14.asiancdn.net", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:33.000Z", + "client": { + "bytes": 37822, + "ip": "192.168.2.119", + "port": 59478 + }, + 
"destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 10552, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:33-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://vortex.data.microsoft.com\" src_ip=\"192.168.2.119\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=59478 dst_port=443 bytes_sent=37822 bytes_received=10552 domain=\"vortex.data.microsoft.com\" exceptions=\"av,https,validation,policy,zero-day protection\" http_status=\"0\" con_id=2564229952 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.119", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 
29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 10552, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "2564229952", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "exceptions": "av,https,validation,policy,zero-day protection", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 37822, + "ip": "192.168.2.119", + "port": 59478 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "vortex.data.microsoft.com", + "full": "https://vortex.data.microsoft.com", + "original": "https://vortex.data.microsoft.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:36.000Z", + "client": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 55510 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" 
device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"General Business\" http_category_type=\"Acceptable\" url=\"http://info.cspserver.net/api/v1/connect-test\" content_type=\"application/octet-stream\" src_ip=\"192.168.2.112\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=55510 dst_port=80 bytes_sent=77 bytes_received=249 domain=\"info.cspserver.net\" http_status=\"200\" con_id=3159008512 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"JPN\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 249, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 80 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "3159008512", + "content_type": "application/octet-stream", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + 
"http_category": "General Business", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 77, + "ip": "192.168.2.112", + "port": 55510 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "info.cspserver.net", + "full": "http://info.cspserver.net/api/v1/connect-test", + "original": "http://info.cspserver.net/api/v1/connect-test", + "path": "/api/v1/connect-test", + "scheme": "http" + } + }, + { + "@timestamp": "2021-11-16T00:30:36.000Z", + "client": { + "bytes": 7587, + "ip": "192.168.2.41", + "port": 22570 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1633, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:36-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" web_policy_id=1 http_category=\"Advertisements\" http_category_type=\"Unproductive\" url=\"https://us-trc-events.taboola.com\" src_ip=\"192.168.2.41\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=22570 dst_port=443 bytes_sent=7587 bytes_received=1633 domain=\"us-trc-events.taboola.com\" http_status=\"0\" con_id=999027328 app_is_cloud=\"FALSE\" used_quota=\"0\" 
src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 1633, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "999027328", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "11", + "http_category": "Advertisements", + "http_category_type": "Unproductive", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "1" + } + }, + "source": { + "bytes": 7587, + "ip": "192.168.2.41", + "port": 22570 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "us-trc-events.taboola.com", + "full": "https://us-trc-events.taboola.com", + "original": "https://us-trc-events.taboola.com", + "path": "", + "scheme": "https" + } + }, + { + "@timestamp": "2021-11-16T00:30:38.000Z", + "client": { + "bytes": 45093, + "ip": "192.168.2.126", + "port": 50210 + }, + "destination": 
{ + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2901, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "050901616001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:30:38-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" web_policy_id=12 http_category=\"Information Technology\" http_category_type=\"Acceptable\" url=\"https://deviceintegritytokens-pa.googleapis.com\" src_ip=\"192.168.2.126\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=50210 dst_port=443 bytes_sent=45093 bytes_received=2901 domain=\"deviceintegritytokens-pa.googleapis.com\" http_status=\"0\" con_id=408293376 app_is_cloud=\"FALSE\" used_quota=\"0\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" src_country=\"R1\" dst_country=\"USA\"", + "outcome": "success", + "severity": 6, + "type": [ + "allowed", + "connection" + ] + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.126", + "89.160.20.156" + ] + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + 
} + }, + "bytes": 2901, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_is_cloud": "FALSE", + "con_id": "408293376", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "fw_rule_id": "12", + "http_category": "Information Technology", + "http_category_type": "Acceptable", + "log_component": "HTTP", + "log_subtype": "Allowed", + "log_type": "Content Filtering", + "log_version": "1", + "message_id": "16001", + "src_zone_type": "LAN", + "used_quota": "0", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 45093, + "ip": "192.168.2.126", + "port": 50210 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "deviceintegritytokens-pa.googleapis.com", + "full": "https://deviceintegritytokens-pa.googleapis.com", + "original": "https://deviceintegritytokens-pa.googleapis.com", + "path": "", + "scheme": "https" + } + } + ] +} \ No newline at end of file diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log new file mode 100644 index 00000000000..62250fae0e9 --- /dev/null +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log 
@@ -0,0 +1,3 @@
+Nov 16 02:52:23 sophos device_name="SFW" timestamp="2021-11-15T20:52:23-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=063411660020 log_type="Event" log_component="DHCP Server" log_subtype="System" log_version=1 status="Renew" severity="Information" reported_ip="192.168.2.131" src_mac="00:11:d9:a0:19:11" reported_host="TIVO-846001190AE52F2" message="Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11" lease_time="345600"
+Nov 16 02:57:56 sophos device_name="SFW" timestamp="2021-11-15T20:57:56-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=063411660020 log_type="Event" log_component="DHCP Server" log_subtype="System" log_version=1 status="Renew" severity="Information" reported_ip="192.168.2.112" src_mac="88:57:1d:2d:FF:db" reported_host="TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK" message="Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db" lease_time="345600"
+Nov 16 03:04:08 sophos device_name="SFW" timestamp="2021-11-15T21:04:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id=063411660020 log_type="Event" log_component="DHCP Server" log_subtype="System" log_version=1 status="Renew" severity="Information" reported_ip="192.168.2.112" src_mac="88:57:1d:2d:FF:db" reported_host="TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK" message="Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db" lease_time="345600"
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json
new file mode 100644
index 00000000000..544918ba4c8
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-event-new.log-expected.json
@@ -0,0 +1,169 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2021-11-16T02:52:23.000Z",
+ "client": {
+ "mac": "00:11:d9:a0:19:11"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "code": "063411660020",
+ "kind": "event",
+ "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:52:23-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.131\" src_mac=\"00:11:d9:a0:19:11\" reported_host=\"TIVO-846001190AE52F2\" message=\"Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11\" lease_time=\"345600\"",
+ "severity": 6
+ },
+ "host": {
+ "name": "defaulttest.local"
+ },
+ "log": {
+ "level": "Information"
+ },
+ "message": "Lease IP 192.168.2.250 renewed for MAC 00:11:d9:a0:19:11",
+ "observer": {
+ "hostname": "sophos",
+ "product": "XG",
+ "serial_number": "C01001BQC8TFFFF",
+ "type": "firewall",
+ "vendor": "Sophos"
+ },
+ "related": {
+ "hosts": [
+ "defaulttest.local"
+ ]
+ },
+ "sophos": {
+ "xg": {
+ "device_model": "SFVH",
+ "device_name": "SFW",
+ "lease_time": "345600",
+ "log_component": "DHCP Server",
+ "log_subtype": "System",
+ "log_type": "Event",
+ "log_version": "1",
+ "message_id": "60020",
+ "reported_host": "TIVO-846001190AE52F2",
+ "reported_ip": "192.168.2.131",
+ "status": "Renew"
+ }
+ },
+ "source": {
+ "mac": "00:11:d9:a0:19:11"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2021-11-16T02:57:56.000Z",
+ "client": {
+ "mac": "88:57:1d:2d:FF:db"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "code": "063411660020",
+ "kind": "event",
+ "original": "device_name=\"SFW\" timestamp=\"2021-11-15T20:57:56-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"",
+ "severity": 6
+ },
+ "host": {
+ "name": "defaulttest.local"
+ },
+ "log": {
+ "level": "Information"
+ },
+ "message": "Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db",
+ "observer": {
+ "hostname": "sophos",
+ "product": "XG",
+ "serial_number": "C01001BQC8TFFFF",
+ "type": "firewall",
+ "vendor": "Sophos"
+ },
+ "related": {
+ "hosts": [
+ "defaulttest.local"
+ ]
+ },
+ "sophos": {
+ "xg": {
+ "device_model": "SFVH",
+ "device_name": "SFW",
+ "lease_time": "345600",
+ "log_component": "DHCP Server",
+ "log_subtype": "System",
+ "log_type": "Event",
+ "log_version": "1",
+ "message_id": "60020",
+ "reported_host": "TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK",
+ "reported_ip": "192.168.2.112",
+ "status": "Renew"
+ }
+ },
+ "source": {
+ "mac": "88:57:1d:2d:FF:db"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2021-11-16T03:04:08.000Z",
+ "client": {
+ "mac": "88:57:1d:2d:FF:db"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "code": "063411660020",
+ "kind": "event",
+ "original": "device_name=\"SFW\" timestamp=\"2021-11-15T21:04:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=063411660020 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" log_version=1 status=\"Renew\" severity=\"Information\" reported_ip=\"192.168.2.112\" src_mac=\"88:57:1d:2d:FF:db\" reported_host=\"TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK\" message=\"Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db\" lease_time=\"345600\"",
+ "severity": 6
+ },
+ "host": {
+ "name": "defaulttest.local"
+ },
+ "log": {
+ "level": "Information"
+ },
+ "message": "Lease IP 192.168.2.250 renewed for MAC 88:57:1d:2d:19:db",
+ "observer": {
+ "hostname": "sophos",
+ "product": "XG",
+ "serial_number": "C01001BQC8TFFFF",
+ "type": "firewall",
+ "vendor": "Sophos"
+ },
+ "related": {
+ "hosts": [
+ "defaulttest.local"
+ ]
+ },
+ "sophos": {
+ "xg": {
+ "device_model": "SFVH",
+ "device_name": "SFW",
+ "lease_time": "345600",
+ "log_component": "DHCP Server",
+ "log_subtype": "System",
+ "log_type": "Event",
+ "log_version": "1",
+ "message_id": "60020",
+ "reported_host": "TIZEN-ODg6NTc6MUQ6MkQ6MTk6REIKK",
+ "reported_ip": "192.168.2.112",
+ "status": "Renew"
+ }
+ },
+ "source": {
+ "mac": "88:57:1d:2d:FF:db"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log
new file mode 100644
index 00000000000..e702a85406b
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log
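Review bot: `related.ip` is absent from all three expected documents even though the pipeline already extracts `reported_ip` into `sophos.xg.reported_ip` (192.168.2.131 and 192.168.2.112), whereas the neighbouring XG expectations in this diff add every parsed address to `related.ip`; for DHCP lease events that is the field analysts pivot on, so the ingest pipeline (outside this diff) should append `reported_ip` there and each `related` block should gain `"ip": [ "192.168.2.131" ]` (or `"192.168.2.112"`). `client.mac` and `source.mac` are copied verbatim as `88:57:1d:2d:FF:db`, mixed case and colon-separated, while ECS suggests the uppercase, hyphen-separated RFC 7042 form for `*.mac`, and unnormalised casing defeats exact-match correlation with other sources (the same lease is written with a differently-cased octet in the `message` text). `event.kind` is set but `event.category` and `event.type` are not, so these documents will not match ECS-category-based detection rules; if the pipeline is extended, `"category": [ "network" ]` and `"type": [ "info" ]` would be the values to expect here. The `message` text names lease IP 192.168.2.250 while `reported_ip` differs in every record, which looks like hand-edited fixture data rather than a parser issue, but it means the test cannot catch a swap between the two fields.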
@@ -0,0 +1,50 @@ +Nov 16 00:25:00 sophos device_name="SFW" timestamp="2021-11-15T18:25:00-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=50875 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="3153941760" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="A4:FC:77:2E:BD:6F" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.162" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=56257 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151869632" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" 
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=50876 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2719000128" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=31 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2718999808" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" 
fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:01 sophos device_name="SFW" timestamp="2021-11-15T18:25:01-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916030336" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" 
out_display_interface="Port2" +Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=39 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="3153944000" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:02 sophos device_name="SFW" timestamp="2021-11-15T18:25:02-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" 
fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916028416" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:50:56:9F:CD:68" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.32" src_country="R1" dst_ip="192.168.1.15" dst_country="R1" protocol="TCP" src_port=59346 dst_port=22083 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916031936" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:50:56:9F:CD:68" 
dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.32" src_country="R1" dst_ip="192.168.1.15" dst_country="R1" protocol="TCP" src_port=59347 dst_port=22083 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="172022272" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=36 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="408294336" hb_status="No Heartbeat" 
app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:03 sophos device_name="SFW" timestamp="2021-11-15T18:25:03-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916030976" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:04 sophos device_name="SFW" timestamp="2021-11-15T18:25:04-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=35 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="1000195968" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 
16 00:25:04 sophos device_name="SFW" timestamp="2021-11-15T18:25:04-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2916029696" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=18 fw_rule_id="19" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="2C:AA:8E:2A:5C:23" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.122" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154390528" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" 
device_serial_id="C01001BQC8TFFFF" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="0" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="00:26:37:ee:47:20" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=61709 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=37 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="999027328" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="DNS" app_risk=1 app_technology="Network Protocol" 
app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="88:57:1D:2D:19:DB" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.112" src_country="R1" dst_ip="192.168.10.1" dst_country="R1" protocol="UDP" src_port=47944 dst_port=53 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685088064" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:05 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="88:57:1D:2D:19:DB" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.112" src_country="R1" dst_ip="89.160.20.156" dst_country="JPN" protocol="TCP" src_port=55499 dst_port=80 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151867392" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:05-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" 
src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151870592" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=16 fw_rule_id="19" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="2C:AA:8E:1D:B6:D9" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.118" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="172108928" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:06 sophos device_name="SFW" timestamp="2021-11-15T18:25:06-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16" nat_rule_id="0" fw_rule_type="USER" web_policy_id=4 ips_policy_id=6 app_filter_policy_id=7 ether_type="Unknown (0x0000)" in_interface="Port3" out_interface="Port1" src_mac="00:50:56:9F:49:13" dst_mac="00:50:56:9F:EF:8A" src_ip="192.168.3.36" src_country="R1" dst_ip="192.168.2.90" dst_country="R1" protocol="TCP" src_port=48524 dst_port=9988 src_zone_type="DMZ" 
src_zone="DMZ" dst_zone_type="LAN" dst_zone="LAN" con_event="Start" con_id="2685088384" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port3" out_display_interface="Port1" +Nov 16 00:25:07 sophos device_name="SFW" timestamp="2021-11-15T18:25:07-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="172105728" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407386944" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" 
out_display_interface="Port2" +Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=33 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407384064" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=19 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="Youtube Website" app_risk=3 app_technology="Browser Based" app_category="Streaming Media" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:26:37:EE:47:20" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.111" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154391168" hb_status="No Heartbeat" 
app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:08 sophos device_name="SFW" timestamp="2021-11-15T18:25:08-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=35 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2719001728" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000196608" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 
16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=38 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="2719001088" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="00:50:56:9F:B1:FE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.16" src_country="R1" dst_ip="192.168.1.167" dst_country="R1" protocol="TCP" src_port=63043 dst_port=8089 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685089984" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:09 sophos device_name="SFW" timestamp="2021-11-15T18:25:09-0600" device_model="SFVH" 
device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=411 fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 app_name="Secure Socket Layer Protocol" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" protocol="TCP" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 bytes_sent=2297 bytes_received=2229 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407759360" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000197248" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" 
device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=32 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385024" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:10 sophos device_name="SFW" timestamp="2021-11-15T18:25:10-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=30 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="154696512" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" 
log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="154391168" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=32 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385984" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:11 sophos device_name="SFW" timestamp="2021-11-15T18:25:11-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" 
fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=59335 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2685088704" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=38 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="1000194368" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 
ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2694935808" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="54:60:09:FD:33:EC" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.105" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="1000194368" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2" +Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" 
protocol="UDP" src_port=62171 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="151868992" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=17 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="Secure Socket Layer Protocol" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="34:C9:3D:23:51:C2" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.110" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="TCP" src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="172106048" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:12 sophos device_name="SFW" timestamp="2021-11-15T18:25:12-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=52915 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407385024" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407386624" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=37 fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="10:BF:48:7D:ED:22" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.121" src_country="R1" dst_ip="89.160.20.156" dst_country="AUS" protocol="ICMP" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Stop" con_id="407385344" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="12" nat_rule_id="12" fw_rule_type="USER" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name="DNS" app_risk=1 app_technology="Network Protocol" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="54:60:09:FD:33:EC" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.105" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=34141 dst_port=53 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="407385344" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
+Nov 16 00:25:13 sophos device_name="SFW" timestamp="2021-11-15T18:25:13-0600" device_model="SFVH" device_serial_id="C01001BQC8TFFFF" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="11" nat_rule_id="9" fw_rule_type="USER" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="Port2" src_mac="24:4B:FE:DD:C6:CE" dst_mac="00:50:56:9F:39:33" src_ip="192.168.2.41" src_country="R1" dst_ip="89.160.20.156" dst_country="USA" protocol="UDP" src_port=51751 dst_port=443 src_trans_ip="192.168.1.2" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="2719001088" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="Port2"
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json
new file mode 100644
index 00000000000..f07f12ec861
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-xg-firewall-new.log-expected.json
@@ -0,0 +1,7288 @@ +{ + "expected": [ + { + "@timestamp": "2021-11-16T00:25:00.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, + "port": 50875 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:00-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50875 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"3153941760\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "tcp" + }, + "observer": { + "egress": { 
+ "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "3153941760", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.111", + "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, + "port": 50875 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.162", + "mac": "A4:FC:77:2E:BD:6F", + "nat": { + "ip": "192.168.1.2" + }, + "port": 56257 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": 
"Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"A4:FC:77:2E:BD:6F\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.162\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=56257 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151869632\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.162", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + 
"server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "151869632", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.162", + "mac": "A4:FC:77:2E:BD:6F", + "nat": { + "ip": "192.168.1.2" + }, + "port": 56257 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, + "port": 50876 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" 
timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50876 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719000128\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", 
+ "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2719000128", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.111", + "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, + "port": 50876 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 31000000000, + "end": "2021-11-16T00:25:32.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=31 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 
ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2718999808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:01.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": 
"2718999808", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" 
app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "udp" + }, + "observer": { + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + } + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Denied", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + 
"lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "udp" + }, + "observer": { + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + } + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + 
"app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Denied", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:01.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:01-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" 
dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2916030336", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": 
"192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:02.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 39000000000, + "end": "2021-11-16T00:25:41.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=39 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"3153944000\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + 
"severity": 6, + "start": "2021-11-16T00:25:02.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "3153944000", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:02.000Z", + "client": { + 
"ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "udp" + }, + "observer": { + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + } + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": 
"Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Denied", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:02.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:02-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 
ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916028416\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2916028416", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + 
"ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:03.000Z", + "client": { + "ip": "192.168.2.32", + "mac": "00:50:56:9F:CD:68", + "nat": { + "ip": "192.168.1.2" + }, + "port": 59346 + }, + "destination": { + "ip": "192.168.1.15", + "mac": "00:50:56:9F:39:33", + "port": 22083 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59346 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916031936\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "tcp" + }, + 
"observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "192.168.1.15", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "ip": "192.168.1.15", + "mac": "00:50:56:9F:39:33", + "port": 22083 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2916031936", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.32", + "mac": "00:50:56:9F:CD:68", + "nat": { + "ip": "192.168.1.2" + }, + "port": 59346 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:03.000Z", + "client": { + "ip": "192.168.2.32", + "mac": "00:50:56:9F:CD:68", + "nat": { + "ip": "192.168.1.2" + }, + "port": 59347 + }, + "destination": { + "ip": "192.168.1.15", + "mac": "00:50:56:9F:39:33", + "port": 22083 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" 
fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:CD:68\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.32\" src_country=\"R1\" dst_ip=\"192.168.1.15\" dst_country=\"R1\" protocol=\"TCP\" src_port=59347 dst_port=22083 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172022272\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.32", + "192.168.1.15", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "ip": "192.168.1.15", + "mac": "00:50:56:9F:39:33", + "port": 22083 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "172022272", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + 
"web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.32", + "mac": "00:50:56:9F:CD:68", + "nat": { + "ip": "192.168.1.2" + }, + "port": 59347 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:03.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "udp" + }, + "observer": { + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + } + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": 
"Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Denied", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:03.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 36000000000, + "end": "2021-11-16T00:25:39.000Z", + 
"kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=36 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"408294336\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:03.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + 
"country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "408294336", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:03.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:03-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 
severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916030976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2916030976", + "device_model": "SFVH", + "device_name": "SFW", + 
"dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:04.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 35000000000, + "end": "2021-11-16T00:25:39.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" 
dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000195968\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:04.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "1000195968", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": 
"8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:04.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:04-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2916029696\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" 
app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2916029696", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + 
"bytes": 216, + "ip": "192.168.2.122", + "mac": "2C:AA:8E:2A:5C:23", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 4, + "port": 41242 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 112, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2, + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 18000000000, + "end": "2021-11-16T00:25:23.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=18 fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:2A:5C:23\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.122\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=41242 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154390528\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:05.000Z" + }, + "host": { + "name": "defaulttest.local" + 
}, + "log": { + "level": "Information" + }, + "network": { + "bytes": 328, + "direction": "outbound", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.122", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "19" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 112, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2, + "port": 80 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "8", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "154390528", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "5", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 216, + "ip": "192.168.2.122", + "mac": "2C:AA:8E:2A:5C:23", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 4, + "port": 41242 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "destination": { + 
"as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "denied", + "category": [ + "network" + ], + "code": "010102600002", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010102600002\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"IPv4 (0x0800)\" in_interface=\"Port1\" src_mac=\"00:26:37:ee:47:20\" src_ip=\"192.168.2.111\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=61709 dst_port=443 hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "transport": "udp" + }, + "observer": { + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + } + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": 
"Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "device_model": "SFVH", + "device_name": "SFW", + "ether_type": "IPv4 (0x0800)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Denied", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00002", + "qualifier": "New", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.111", + "mac": "00:26:37:ee:47:20", + "port": 61709 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 37000000000, + "end": "2021-11-16T00:25:42.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" 
web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"999027328\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:05.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", 
+ "con_id": "999027328", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "ip": "192.168.2.112", + "mac": "88:57:1D:2D:19:DB", + "nat": { + "ip": "192.168.1.2" + }, + "port": 47944 + }, + "destination": { + "ip": "192.168.10.1", + "mac": "00:50:56:9F:39:33", + "port": 53 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"192.168.10.1\" dst_country=\"R1\" protocol=\"UDP\" src_port=47944 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088064\" hb_status=\"No Heartbeat\" 
app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "192.168.10.1", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "ip": "192.168.10.1", + "mac": "00:50:56:9F:39:33", + "port": 53 + }, + "sophos": { + "xg": { + "app_category": "Infrastructure", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "DNS", + "app_resolved_by": "Signature", + "app_risk": "1", + "app_technology": "Network Protocol", + "con_event": "Start", + "con_id": "2685088064", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.112", + "mac": "88:57:1D:2D:19:DB", + "nat": { + "ip": "192.168.1.2" + }, + "port": 47944 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "ip": "192.168.2.112", + "mac": "88:57:1D:2D:19:DB", + "nat": { + "ip": "192.168.1.2" + }, + "port": 55499 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": 
"Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"88:57:1D:2D:19:DB\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.112\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"JPN\" protocol=\"TCP\" src_port=55499 dst_port=80 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151867392\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ 
+ "defaulttest.local" + ], + "ip": [ + "192.168.2.112", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 80 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "151867392", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.112", + "mac": "88:57:1D:2D:19:DB", + "nat": { + "ip": "192.168.1.2" + }, + "port": 55499 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:05.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": 
"010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:05-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151870592\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, 
+ "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "151870592", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:06.000Z", + "client": { + "bytes": 216, + "ip": "192.168.2.118", + "mac": "2C:AA:8E:1D:B6:D9", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 4, + "port": 44720 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 112, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2, + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 16000000000, + "end": "2021-11-16T00:25:22.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=16 
fw_rule_id=\"19\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=5 app_filter_policy_id=8 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"2C:AA:8E:1D:B6:D9\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.118\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=44720 dst_port=80 packets_sent=4 packets_received=2 bytes_sent=216 bytes_received=112 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172108928\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:06.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 328, + "direction": "outbound", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.118", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "19" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 112, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2, + "port": 80 + }, + "sophos": { + "xg": { + "app_filter_policy_id": 
"8", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "172108928", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "5", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 216, + "ip": "192.168.2.118", + "mac": "2C:AA:8E:1D:B6:D9", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 4, + "port": 44720 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:06.000Z", + "client": { + "ip": "192.168.3.36", + "mac": "00:50:56:9F:49:13", + "port": 48524 + }, + "destination": { + "ip": "192.168.2.90", + "mac": "00:50:56:9F:EF:8A", + "port": 9988 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:06-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"16\" nat_rule_id=\"0\" fw_rule_type=\"USER\" web_policy_id=4 ips_policy_id=6 app_filter_policy_id=7 ether_type=\"Unknown (0x0000)\" in_interface=\"Port3\" out_interface=\"Port1\" src_mac=\"00:50:56:9F:49:13\" dst_mac=\"00:50:56:9F:EF:8A\" src_ip=\"192.168.3.36\" src_country=\"R1\" dst_ip=\"192.168.2.90\" dst_country=\"R1\" protocol=\"TCP\" src_port=48524 dst_port=9988 src_zone_type=\"DMZ\" src_zone=\"DMZ\" dst_zone_type=\"LAN\" dst_zone=\"LAN\" con_event=\"Start\" con_id=\"2685088384\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" 
in_display_interface=\"Port3\" out_display_interface=\"Port1\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "internal", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port3" + }, + "zone": "DMZ" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.3.36", + "192.168.2.90" + ] + }, + "rule": { + "id": "16" + }, + "server": { + "ip": "192.168.2.90", + "mac": "00:50:56:9F:EF:8A", + "port": 9988 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "7", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2685088384", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "LAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "6", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "DMZ", + "web_policy_id": "4" + } + }, + "source": { + "ip": "192.168.3.36", + "mac": "00:50:56:9F:49:13", + "port": 48524 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:07.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": 
"Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:07-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"172105728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + 
"continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "172105728", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:08.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" 
log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386944\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "407386944", + "device_model": "SFVH", + "device_name": 
"SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:08.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 33000000000, + "end": "2021-11-16T00:25:41.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=33 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" 
dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407384064\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:08.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "407384064", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", 
+ "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:08.000Z", + "client": { + "bytes": 9718, + "ip": "192.168.2.111", + "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 31, + "port": 50872 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4992, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 31, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 19000000000, + "end": "2021-11-16T00:25:27.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=19 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Youtube Website\" app_risk=3 app_technology=\"Browser Based\" app_category=\"Streaming Media\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:26:37:EE:47:20\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.111\" src_country=\"R1\" 
dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=50872 dst_port=443 packets_sent=31 packets_received=31 bytes_sent=9718 bytes_received=4992 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:08.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 14710, + "direction": "outbound", + "packets": 62, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.111", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 4992, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 31, + "port": 443 + }, + "sophos": { + "xg": { + "app_category": "Streaming Media", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "Youtube Website", + "app_resolved_by": "Signature", + "app_risk": "3", + "app_technology": "Browser Based", + "con_event": "Stop", + "con_id": "154391168", + "device_model": "SFVH", + "device_name": "SFW", 
+ "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 9718, + "ip": "192.168.2.111", + "mac": "00:26:37:EE:47:20", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 31, + "port": 50872 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:08.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 35000000000, + "end": "2021-11-16T00:25:43.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:08-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=35 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" 
src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001728\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:08.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "2719001728", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + 
"ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:09.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000196608\" hb_status=\"No Heartbeat\" 
app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "1000196608", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2021-11-16T00:25:09.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 38000000000, + "end": "2021-11-16T00:25:47.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"2719001088\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:09.000Z" + }, + "host": { + "name": "defaulttest.local" + 
}, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "2719001088", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:09.000Z", + "client": { + "ip": "192.168.2.16", + "mac": "00:50:56:9F:B1:FE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 63043 
+ }, + "destination": { + "ip": "192.168.1.167", + "mac": "00:50:56:9F:39:33", + "port": 8089 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"00:50:56:9F:B1:FE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.16\" src_country=\"R1\" dst_ip=\"192.168.1.167\" dst_country=\"R1\" protocol=\"TCP\" src_port=63043 dst_port=8089 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685089984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.16", + "192.168.1.167", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "ip": "192.168.1.167", + "mac": "00:50:56:9F:39:33", + "port": 8089 + }, + "sophos": { + "xg": { + 
"app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2685089984", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.16", + "mac": "00:50:56:9F:B1:FE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 63043 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:09.000Z", + "client": { + "bytes": 2297, + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 20, + "port": 21957 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2229, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 22, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 411000000000, + "end": "2021-11-16T00:32:00.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:09-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=411 fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 
app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" protocol=\"TCP\" src_port=21957 dst_port=443 packets_sent=20 packets_received=22 bytes_sent=2297 bytes_received=2229 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407759360\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:09.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 4526, + "direction": "outbound", + "packets": 42, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "11" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2229, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 22, + "port": 443 + }, + "sophos": { + "xg": { + 
"app_category": "Infrastructure", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "Secure Socket Layer Protocol", + "app_resolved_by": "Signature", + "app_risk": "1", + "app_technology": "Network Protocol", + "con_event": "Stop", + "con_id": "407759360", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "1" + } + }, + "source": { + "bytes": 2297, + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 20, + "port": 21957 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:10.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 
app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000197248\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "1000197248", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + 
"icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:10.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 32000000000, + "end": "2021-11-16T00:25:42.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 
src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:10.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "407385024", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + 
"qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:10.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 30000000000, + "end": "2021-11-16T00:25:40.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:10-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=30 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"154696512\" 
hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:10.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "154696512", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": 
"10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:11.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"154391168\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + 
"transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "154391168", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:11.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + 
"continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 32000000000, + "end": "2021-11-16T00:25:43.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=32 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385984\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:11.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" 
+ }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "407385984", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:11.000Z", + "client": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 59335 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + 
"region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:11-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=59335 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2685088704\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "11" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { 
+ "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2685088704", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "1" + } + }, + "source": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 59335 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 38000000000, + "end": "2021-11-16T00:25:50.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" 
device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=38 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:12.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + 
"region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", + "con_id": "1000194368", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" 
web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2694935808\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2694935808", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + 
"hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "ip": "192.168.2.105", + "mac": "54:60:09:FD:33:EC", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"1000194368\" hb_status=\"No Heartbeat\" 
app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "1000194368", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.105", + "mac": "54:60:09:FD:33:EC", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2021-11-16T00:25:12.000Z", + "client": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 62171 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=62171 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"151868992\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + 
"hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "11" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "151868992", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "1" + } + }, + "source": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 62171 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "bytes": 1030, + "ip": "192.168.2.110", + "mac": "34:C9:3D:23:51:C2", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 11, + "port": 53271 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6770, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + 
"location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 13, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 17000000000, + "end": "2021-11-16T00:25:29.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=17 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"Secure Socket Layer Protocol\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"34:C9:3D:23:51:C2\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.110\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"TCP\" src_port=53271 dst_port=443 packets_sent=11 packets_received=13 bytes_sent=1030 bytes_received=6770 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"172106048\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:12.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 7800, + "direction": "outbound", + "packets": 24, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", 
+ "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.110", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 6770, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 13, + "port": 443 + }, + "sophos": { + "xg": { + "app_category": "Infrastructure", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "Secure Socket Layer Protocol", + "app_resolved_by": "Signature", + "app_risk": "1", + "app_technology": "Network Protocol", + "con_event": "Stop", + "con_id": "172106048", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 1030, + "ip": "192.168.2.110", + "mac": "34:C9:3D:23:51:C2", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 11, + "port": 53271 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:12.000Z", + "client": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 52915 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + 
}, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:12-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=52915 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385024\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" 
+ ], + "ip": [ + "192.168.2.41", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "11" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "407385024", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "1" + } + }, + "source": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 52915 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:13.000Z", + "client": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": 
"event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407386624\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", 
+ "mac": "00:50:56:9F:39:33" + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "407386624", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:13.000Z", + "client": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "duration": 37000000000, + "end": "2021-11-16T00:25:50.000Z", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=37 fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" 
web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"10:BF:48:7D:ED:22\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.121\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"AUS\" protocol=\"ICMP\" icmp_type=8 packets_sent=2 packets_received=2 bytes_sent=168 bytes_received=168 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Stop\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6, + "start": "2021-11-16T00:25:13.000Z" + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "bytes": 336, + "direction": "outbound", + "packets": 4, + "transport": "icmp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.121", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 168, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "packets": 2 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Stop", 
+ "con_id": "407385344", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "icmp_type": "8", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "bytes": 168, + "ip": "192.168.2.121", + "mac": "10:BF:48:7D:ED:22", + "nat": { + "ip": "192.168.1.2" + }, + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:13.000Z", + "client": { + "ip": "192.168.2.105", + "mac": "54:60:09:FD:33:EC", + "nat": { + "ip": "192.168.1.2" + }, + "port": 34141 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 53 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"12\" nat_rule_id=\"12\" fw_rule_type=\"USER\" web_policy_id=12 ips_policy_id=8 app_filter_policy_id=6 app_name=\"DNS\" app_risk=1 app_technology=\"Network Protocol\" app_category=\"Infrastructure\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"54:60:09:FD:33:EC\" 
dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.105\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=34141 dst_port=53 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"407385344\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.105", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "12" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 53 + }, + "sophos": { + "xg": { + "app_category": "Infrastructure", + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_name": "DNS", + "app_resolved_by": "Signature", + "app_risk": "1", + "app_technology": "Network Protocol", + "con_event": "Start", + "con_id": "407385344", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No 
Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "12" + } + }, + "source": { + "ip": "192.168.2.105", + "mac": "54:60:09:FD:33:EC", + "nat": { + "ip": "192.168.1.2" + }, + "port": 34141 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-11-16T00:25:13.000Z", + "client": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 51751 + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "allowed", + "category": [ + "network" + ], + "code": "010101600001", + "kind": "event", + "original": "device_name=\"SFW\" timestamp=\"2021-11-15T18:25:13-0600\" device_model=\"SFVH\" device_serial_id=\"C01001BQC8TFFFF\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" fw_rule_id=\"11\" nat_rule_id=\"9\" fw_rule_type=\"USER\" web_policy_id=1 ips_policy_id=8 app_filter_policy_id=6 ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=\"24:4B:FE:DD:C6:CE\" dst_mac=\"00:50:56:9F:39:33\" src_ip=\"192.168.2.41\" src_country=\"R1\" dst_ip=\"89.160.20.156\" dst_country=\"USA\" protocol=\"UDP\" src_port=51751 dst_port=443 src_trans_ip=\"192.168.1.2\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" con_event=\"Start\" con_id=\"2719001088\" 
hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"Port2\"", + "outcome": "success", + "severity": 6 + }, + "host": { + "name": "defaulttest.local" + }, + "log": { + "level": "Information" + }, + "network": { + "direction": "outbound", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "Port2" + }, + "zone": "WAN" + }, + "hostname": "sophos", + "ingress": { + "interface": { + "name": "Port1" + }, + "zone": "LAN" + }, + "product": "XG", + "serial_number": "C01001BQC8TFFFF", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "defaulttest.local" + ], + "ip": [ + "192.168.2.41", + "89.160.20.156", + "192.168.1.2" + ] + }, + "rule": { + "id": "11" + }, + "server": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "mac": "00:50:56:9F:39:33", + "port": 443 + }, + "sophos": { + "xg": { + "app_filter_policy_id": "6", + "app_is_cloud": "FALSE", + "app_resolved_by": "Signature", + "con_event": "Start", + "con_id": "2719001088", + "device_model": "SFVH", + "device_name": "SFW", + "dst_zone_type": "WAN", + "ether_type": "Unknown (0x0000)", + "fw_rule_type": "USER", + "hb_status": "No Heartbeat", + "ips_policy_id": "8", + "log_component": "Firewall Rule", + "log_subtype": "Allowed", + "log_type": "Firewall", + "log_version": "1", + "message_id": "00001", + "qualifier": "New", + "src_zone_type": "LAN", + "web_policy_id": "1" + } + }, + "source": { + "ip": "192.168.2.41", + "mac": "24:4B:FE:DD:C6:CE", + "nat": { + "ip": "192.168.1.2" + }, + "port": 51751 + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} 
\ No newline at end of file diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml index 5160ce60eec..3d10bd560a3 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml @@ -52,10 +52,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - ignore_empty_value: true - convert: field: sophos.xg.dst_port target_field: destination.port @@ -63,32 +59,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - ignore_empty_value: true -- convert: - field: server.port - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - ignore_empty_value: true -- convert: - field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" - rename: field: sophos.xg.to_email_address target_field: destination.user.email @@ -101,10 +71,6 @@ processors: field: sophos.xg.src_ip target_field: source.ip ignore_missing: true -- set: - field: client.ip - value: '{{source.ip}}' - ignore_empty_value: true - convert: field: sophos.xg.src_port target_field: source.port 
@@ -112,32 +78,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - ignore_empty_value: true -- convert: - field: client.port - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - ignore_empty_value: true -- convert: - field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - rename: field: sophos.xg.from_email_address target_field: source.user.email @@ -231,9 +171,7 @@ processors: - remove: field: - sophos.xg.dst_port - - sophos.xg.recv_bytes - sophos.xg.src_port - - sophos.xg.sent_bytes ignore_missing: true on_failure: - set: diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml index dae14727da5..1169b490940 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml @@ -56,10 +56,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.dst_port target_field: destination.port 
@@ -67,35 +63,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" - rename: field: sophos.xg.to_email_address target_field: destination.user.email @@ -110,10 +77,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.src_port target_field: source.port @@ -121,35 +84,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - rename: field: sophos.xg.user_name target_field: source.user.name 
@@ -338,8 +272,6 @@ processors: field: - sophos.xg.dst_port - sophos.xg.src_port - - sophos.xg.recv_bytes - - sophos.xg.sent_bytes - sophos.xg.status_code - sophos.xg.file_size ignore_missing: true diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml index 23871cbe5a7..23eb4f07460 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml @@ -46,10 +46,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.destinationip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.dst_port target_field: destination.port @@ -57,17 +53,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" ############################### ## ECS Client/Source Mapping ## @@ -77,19 +62,11 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.sourceip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - rename: field: sophos.xg.src_ip target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.src_port target_field: source.port 
@@ -97,17 +74,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml index 25bfe199e2a..06dd579e10f 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml @@ -56,10 +56,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.dst_port target_field: destination.port @@ -67,17 +63,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" ############################### ## ECS Client/Source Mapping ## @@ -87,10 +72,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.src_port target_field: source.port 
@@ -98,17 +79,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" - rename: field: sophos.xg.user_name target_field: source.user.name @@ -125,14 +95,21 @@ processors: ##################### - rename: field: sophos.xg.url - target_field: url.full + target_field: url.original ignore_missing: true - if: "ctx.sophos?.xg?.url != null" +- uri_parts: + field: url.original + target_field: url + if: "ctx.url?.original != null" +- set: + field: url.full + copy_from: url.original + ignore_empty_value: true - rename: field: sophos.xg.domain target_field: url.domain ignore_missing: true - if: "ctx.sophos?.xg?.domain != null" + if: ctx.url?.domain == null ############################ ## ECS User Agent Mapping ## @@ -148,11 +125,20 @@ processors: type: long ignore_missing: true if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" +- convert: + field: sophos.xg.http_status + target_field: http.response.status_code + type: long + ignore_missing: true + if: "ctx.sophos?.xg?.http_status != null && ctx.sophos?.xg?.http_status != '' && ctx.sophos?.xg?.http_status != '0'" - rename: field: sophos.xg.user_agent target_field: user_agent.original ignore_missing: true - if: "ctx.sophos?.xg?.user_agent != null" +- user_agent: + field: user_agent.original + target_field: user_agent + ignore_missing: true ############################# ## ECS Network/Geo Mapping ## @@ -268,8 +254,9 @@ processors: field: - sophos.xg.dst_port - sophos.xg.src_port - - sophos.xg.recv_bytes - - sophos.xg.sent_bytes + - sophos.xg.domain + - sophos.xg.http_status + - sophos.xg.http_user_agent ignore_missing: true on_failure: - set: 
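Review bot: The new `uri_parts` processor in the url hunk has no `ignore_failure`, so a URL value the parser rejects will throw and route the whole document to the pipeline's `on_failure` handler instead of merely leaving `url.*` unparsed; `url.original` is the request URL as logged by the device, so malformed values should be expected. Adding `ignore_failure: true` beneath `if: "ctx.url?.original != null"` keeps the rest of the ECS mapping for that event. Two smaller points in the same file: `if: ctx.url?.domain == null` is the only unquoted condition in the hunk while its neighbours are double-quoted, and `sophos.xg.domain` is now removed unconditionally in the cleanup hunk, which discards the device's own domain value whenever `uri_parts` has already filled `url.domain` — presumably intended, but a comment such as `# url.domain from uri_parts wins; the raw domain key is dropped in cleanup` would record that.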
diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml index 03636f04962..484ec067050 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml @@ -1,9 +1,6 @@ --- description: Pipeline for parsing sophosxg firewall logs processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' - set: field: ecs.version value: '8.0.0' @@ -11,6 +8,8 @@ processors: field: message patterns: - '%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:event.original}$' + - '%{SYSLOG5424PRI}%{GREEDYDATA:event.original}$' + - '%{SYSLOGTIMESTAMP} %{HOSTNAME:observer.hostname} %{GREEDYDATA:event.original}$' # optimize fields / strings in event.original for KV processor - gsub: @@ -37,6 +36,11 @@ processors: field: _temp_.time value: "{{sophos.xg.date}} {{sophos.xg.time}}" if: ctx?.sophos?.xg?.date != null && ctx?.sophos?.xg?.time != null +- set: + field: _temp_.time + copy_from: sophos.xg.timestamp + ignore_empty_value: true + if: ctx._temp_?.time == null - date: if: "ctx.event.timezone == null" field: _temp_.time @@ -134,6 +138,10 @@ processors: field: event.severity type: long ignore_missing: true +- set: + field: log.level + copy_from: sophos.xg.severity + ignore_empty_value: true ########################## ## ECS Observer Mapping ## @@ -151,6 +159,10 @@ processors: field: sophos.xg.device_id target_field: observer.serial_number ignore_missing: true +- rename: + field: sophos.xg.device_serial_id + target_field: observer.serial_number + ignore_missing: true - rename: field: sophos.xg.out_interface target_field: observer.egress.interface.name 
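Review bot: The third grok pattern added in the `message` hunk captures the syslog header hostname into `observer.hostname`, but the first pattern still discards it with an unnamed `%{NOTSPACE}` inside its optional header group, so only messages that arrive without a PRI get `observer.hostname` from the header while PRI-prefixed messages with the same header do not. If that capture is wanted for both shapes, the first pattern should name the same field, `'%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{HOSTNAME:observer.hostname} )?%{GREEDYDATA:event.original}$'`. The value is the sender's self-reported syslog hostname rather than anything from the log body, so a comment above the patterns such as `# observer.hostname comes from the syslog header, not from the XG key/value payload` would make its provenance clear to whoever builds detections on it.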
@@ -160,13 +172,29 @@ processors: target_field: observer.ingress.interface.name ignore_missing: true - rename: - field: sophos.xg.srczonetype + field: sophos.xg.srczone target_field: observer.ingress.zone ignore_missing: true - rename: - field: sophos.xg.dstzonetype + field: sophos.xg.src_zone + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: sophos.xg.dstzone + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: sophos.xg.dst_zone target_field: observer.egress.zone ignore_missing: true +- rename: + field: sophos.xg.srczonetype + target_field: sophos.xg.src_zone_type + ignore_missing: true +- rename: + field: sophos.xg.dstzonetype + target_field: sophos.xg.dst_zone_type + ignore_missing: true # extract from log_id the new field "sophos.xg.message_id" - set: @@ -223,11 +251,10 @@ processors: - _conf - sophos.xg.date - sophos.xg.time + - sophos.xg.timestamp - sophos.xg.duration - sophos.xg.timezone - sophos.xg.dir_disp - - sophos.xg.srczone - - sophos.xg.dstzone - sophos.xg.log_occurrence - sophos.xg.nat_rule_id - sophos.xg.in_display_interface @@ -240,6 +267,35 @@ processors: type: long ignore_missing: true ignore_failure: true + +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- convert: + field: sophos.xg.bytes_sent + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.bytes_sent != null" +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- convert: + field: sophos.xg.bytes_received + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.bytes_received != null" ############################### ## Product Specific Pipelines ## 
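Review bot: The zone hunk renames both the legacy and the current key onto the same target (`sophos.xg.srczone` and `sophos.xg.src_zone` → `observer.ingress.zone`, `dstzone`/`dst_zone` → `observer.egress.zone`), and `ignore_missing: true` does not cover a target that already exists, so a message carrying both spellings would fail the second rename and with it the whole pipeline. The same pattern appears in the previous hunk, where `sophos.xg.device_id` and `sophos.xg.device_serial_id` both rename to `observer.serial_number`. Whether one XG log line can contain both spellings is not visible here; if it cannot, a comment such as `# legacy and current key names; a log line carries only one of them` records that assumption, otherwise guard the second rename with `if: ctx.observer?.ingress?.zone == null` and the matching guards for egress and serial_number.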
@@ -277,6 +333,30 @@ processors: - pipeline: name: '{{ IngestPipeline "wifi" }}' if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" + +- set: + field: server + copy_from: destination + ignore_empty_value: true +- set: + field: client + copy_from: source + ignore_empty_value: true +############# +## Cleanup ## +############# +- remove: + field: + - sophos.xg.recv_bytes + - sophos.xg.sent_bytes + - sophos.xg.bytes_sent + - sophos.xg.bytes_received + - sophos.xg.severity + - sophos.xg.dst_country + - sophos.xg.src_country + - sophos.xg.out_display_interface + - sophos.xg.in_display_interface + ignore_missing: true - remove: field: event.original if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml index 11c9ca0df50..8f479f84a00 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml @@ -76,28 +76,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.localinterfaceip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" ############################### ## ECS Client/Source Mapping ## 
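Review bot: `copy_from: destination` and `copy_from: source` in the new server/client block duplicate the entire object, not just the `ip`/`port`/`bytes`/`mac` leaves that the removed per-pipeline `set` processors copied, so `server.user.email` from antispam, `server.nat.*`, `server.geo.*` and `server.as.*` are now all stored twice per event; the expected JSON above reflects that, but nothing in the file records that it is deliberate. A comment above the first `set`, along the lines of `# client/server mirror source/destination wholesale — assumes XG logs are written from the initiator's side; confirm`, would let the next maintainer tell a deliberate mirror from an accident. These two processors also run unconditionally after the product pipelines, so any `client.*`/`server.*` value a sub-pipeline sets is replaced by the copy rather than merged.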
@@ -112,37 +90,11 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.remoteinterfaceip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - rename: field: sophos.xg.src_mac target_field: source.mac ignore_missing: true if: "ctx.sophos?.xg?.src_mac != null" -- set: - field: client.mac - value: '{{source.mac}}' - if: "ctx.source?.mac != null" -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - rename: field: sophos.xg.user_name target_field: source.user.name @@ -267,9 +219,7 @@ processors: - remove: field: - sophos.xg.dst_port - - sophos.xg.recv_bytes - sophos.xg.src_port - - sophos.xg.sent_bytes - sophos.xg.name ignore_missing: true on_failure: diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml index c4edb9f0960..6f5a6d0b7cd 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml @@ -60,10 +60,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - rename: field: sophos.xg.tran_dst_ip target_field: destination.nat.ip 
@@ -81,17 +77,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" - convert: field: sophos.xg.tran_dst_port target_field: destination.nat.port @@ -99,44 +84,11 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.tran_dst_port != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" - rename: field: sophos.xg.dst_mac target_field: destination.mac ignore_missing: true if: "ctx.sophos?.xg?.dst_mac != null" -- set: - field: server.mac - value: '{{destination.mac}}' - if: "ctx.destination?.mac != null" -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" - convert: field: sophos.xg.recv_pkts target_field: destination.packets 
@@ -144,17 +96,13 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.recv_pkts !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" - convert: - field: server.packets - target_field: server.packets + field: sophos.xg.packets_received + target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.server?.packets != null" + if: "ctx.sophos?.xg?.packets_received !=null" ############################### ## ECS Client/Source Mapping ## @@ -164,15 +112,16 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - rename: field: sophos.xg.tran_src_ip target_field: source.nat.ip ignore_missing: true if: "ctx.sophos?.xg?.tran_src_ip != null" +- rename: + field: sophos.xg.src_trans_ip + target_field: source.nat.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_trans_ip != null" - rename: field: sophos.xg.sourceip target_field: source.ip @@ -185,17 +134,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" - convert: field: sophos.xg.tran_src_port target_field: source.nat.port 
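Review bot: The new `packets_received` convert in the first hunk is not preceded by a `trim`, while the parallel `packets_sent` convert in the next hunk gets a `trim` next to the existing one for `sent_pkts`; if the value can carry whitespace on one side it presumably can on the other, and `ignore_failure: true` would then silently leave `destination.packets` unset. Adding `- trim:`, `    field: sophos.xg.packets_received`, `    ignore_missing: true` before the convert keeps the two sides symmetric. The condition also copies the missing space from the `recv_pkts` line above it, `if: "ctx.sophos?.xg?.packets_received !=null"`, whereas the rest of the file writes `!= null`.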
@@ -203,46 +141,17 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.tran_src_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" - rename: field: sophos.xg.src_mac target_field: source.mac ignore_missing: true if: "ctx.sophos?.xg?.src_mac != null" -- set: - field: client.mac - value: '{{source.mac}}' - if: "ctx.source?.mac != null" -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - trim: field: sophos.xg.sent_pkts + ignore_missing: true +- trim: + field: sophos.xg.packets_sent + ignore_missing: true - convert: field: sophos.xg.sent_pkts target_field: source.packets @@ -250,17 +159,17 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.sent_pkts != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" - convert: - field: client.packets - target_field: client.packets + field: sophos.xg.packets_sent + target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.client?.packets != null" + if: "ctx.sophos?.xg?.packets_sent != null" +- set: + field: client.packets + copy_from: source.packets + ignore_empty_value: true - rename: field: sophos.xg.user_name target_field: source.user.name 
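Review bot: The new `set` that copies `source.packets` into `client.packets` (`copy_from: source.packets`, `ignore_empty_value: true`) has no mirror on the server side: the `@@ -144,17 +96,13 @@` hunk above removes the `set server.packets` processor without replacing it, so after this change the client/server pair is only half populated by this pipeline, while the fields list still declares both `client.packets` and `server.packets`. If keeping client-side packets alone is deliberate, a comment above the processor such as `# client.packets kept for existing dashboards; server.* mappings dropped in favour of destination.*` would stop the next reader from re-adding it; otherwise add the equivalent `set` with `field: server.packets` and `copy_from: destination.packets` after the `destination.packets` convert. The `processors:` list continues outside the hunk.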
@@ -441,12 +350,12 @@ processors: field: - sophos.xg.dst_port - sophos.xg.tran_dst_port - - sophos.xg.recv_bytes - sophos.xg.recv_pkts - sophos.xg.src_port - sophos.xg.tran_src_port - - sophos.xg.sent_bytes - sophos.xg.sent_pkts + - sophos.xg.packets_received + - sophos.xg.packets_sent ignore_missing: true on_failure: - set: diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml index ca034201de5..dcdc0be4fa9 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml @@ -41,10 +41,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.dst_ip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.dst_port target_field: destination.port @@ -52,17 +48,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.dst_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" ############################### ## ECS Client/Source Mapping ## @@ -72,10 +57,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.src_port target_field: source.port 
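Review bot: Dropping `sophos.xg.recv_bytes` and `sophos.xg.sent_bytes` from this cleanup `remove` list, together with the removed `convert` processors in the earlier hunks of this file, means those raw fields now stay on the indexed document and `destination.bytes`/`source.bytes` are no longer populated here; the README hunk further down still documents `sophos.xg.sent_bytes` as a `long`, which suggests the fields are still expected. If the byte mapping moved to a processor outside this diff, a one-line comment on the list (`# recv_bytes/sent_bytes are converted and removed in <shared pipeline>`) makes that visible; if not, the two entries should be kept in the remove list and the converts restored. The enclosing `remove` processor starts before the hunk.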
@@ -83,17 +64,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.src_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml index 07040415e9c..392b4c768d9 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml @@ -65,10 +65,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.src_ip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml index 10f3b4c79f2..c1a904f35ce 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml @@ -56,10 +56,6 @@ processors: target_field: destination.ip ignore_missing: true if: "ctx.sophos?.xg?.localip != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" - convert: field: sophos.xg.bytessent target_field: destination.bytes 
@@ -67,13 +63,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.bytessent != null" -- convert: - field: sophos.xg.bytessent - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytessent != null" ############################### ## ECS Client/Source Mapping ## @@ -83,10 +72,6 @@ processors: target_field: source.ip ignore_missing: true if: "ctx.sophos?.xg?.sourceip != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" - convert: field: sophos.xg.bytesrcv target_field: source.bytes @@ -94,17 +79,6 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.sophos?.xg?.bytesrcv != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" - rename: field: sophos.xg.user_name target_field: source.user.name diff --git a/packages/sophos/data_stream/xg/fields/ecs.yml b/packages/sophos/data_stream/xg/fields/ecs.yml index 6447dfc1353..f950a9f86bd 100644 --- a/packages/sophos/data_stream/xg/fields/ecs.yml +++ b/packages/sophos/data_stream/xg/fields/ecs.yml 
@@ -1,15 +1,46 @@ +- external: ecs + name: client.as.number +- external: ecs + name: client.as.organization.name - external: ecs name: client.bytes +- external: ecs + name: client.domain +- external: ecs + name: client.geo.city_name +- external: ecs + name: client.geo.continent_name +- external: ecs + name: client.geo.country_iso_code +- external: ecs + name: client.geo.country_name +- description: Longitude and latitude. + name: client.geo.location + type: geo_point +- external: ecs + name: client.geo.name +- external: ecs + name: client.geo.region_iso_code +- external: ecs + name: client.geo.region_name - external: ecs name: client.ip - external: ecs name: client.mac +- external: ecs + name: client.nat.ip - external: ecs name: client.nat.port - external: ecs name: client.packets - external: ecs name: client.port +- external: ecs + name: client.user.email +- external: ecs + name: client.user.group.name +- external: ecs + name: client.user.name - external: ecs name: destination.as.number - external: ecs @@ -145,6 +176,8 @@ name: observer.type - external: ecs name: observer.vendor +- external: ecs + name: observer.hostname - external: ecs name: related.hash - external: ecs 
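Review bot: `client.geo.location` is the only new entry in the first hunk declared with an explicit `type: geo_point` and an inline description instead of `external: ecs`, and the `server.geo.location` entry in the later hunk does the same. If this is because the ECS import does not resolve geo_point fields for this package format, a comment above the entry (`# declared explicitly: external ecs import does not carry geo_point here`) prevents a later cleanup from "normalising" it to `external: ecs` and breaking the mapping; if the import does work, `external: ecs` keeps the list uniform.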
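Review bot: In the second hunk, `observer.hostname` is inserted after `observer.vendor`, which breaks the alphabetical ordering the rest of this list follows (`observer.type`, `observer.vendor` are the visible neighbours, and `hostname` sorts before both). Moving the two added lines so that `name: observer.hostname` precedes the `observer.type` entry keeps the file diffable and matches how the other `client.*` and `server.*` additions in this commit are placed.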
@@ -161,18 +194,43 @@ name: rule.name - external: ecs name: rule.ruleset +- external: ecs + name: server.as.number +- external: ecs + name: server.as.organization.name - external: ecs name: server.bytes +- external: ecs + name: server.geo.city_name +- external: ecs + name: server.geo.continent_name +- external: ecs + name: server.geo.country_iso_code +- external: ecs + name: server.geo.country_name +- description: Longitude and latitude. + name: server.geo.location + type: geo_point +- external: ecs + name: server.geo.name +- external: ecs + name: server.geo.region_iso_code +- external: ecs + name: server.geo.region_name - external: ecs name: server.ip - external: ecs name: server.mac +- external: ecs + name: server.nat.ip - external: ecs name: server.nat.port - external: ecs name: server.packets - external: ecs name: server.port +- external: ecs + name: server.user.email - external: ecs name: source.as.number - external: ecs diff --git a/packages/sophos/data_stream/xg/fields/fields.yml b/packages/sophos/data_stream/xg/fields/fields.yml index 6b4aa574230..72f84fd9dbb 100644 --- a/packages/sophos/data_stream/xg/fields/fields.yml +++ b/packages/sophos/data_stream/xg/fields/fields.yml @@ -20,6 +20,10 @@ type: keyword description: | Model number of the device + - name: device_model + type: keyword + description: | + Model number of the device - name: device_id type: keyword description: | @@ -200,22 +204,6 @@ type: integer description: | Translated destination port for outgoing traffic - - name: srczonetype - type: keyword - description: | - Type of source zone, e.g., LAN - - name: srczone - type: keyword - description: | - Name of source zone - - name: dstzonetype - type: keyword - description: | - Type of destination zone, e.g., WAN - - name: dstzone - type: keyword - description: | - Name of destination zone - name: dir_disp type: keyword description: | 
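Review bot: The new `device_model` field in the fields.yml hunk reuses the description `Model number of the device` verbatim from the preceding `device_name` entry, so the two fields are indistinguishable in the generated docs (the README hunk later in this diff shows both rows with identical text). If `device_name` actually holds a name rather than a model number, its description should be corrected in the same change; otherwise the new description should state what distinguishes `device_model` from `device_name`, for example which log format emits it. The `fields:` list continues outside the hunk.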
@@ -764,6 +752,94 @@ type: keyword description: | ethernet frame type + - name: app_category + type: keyword + description: | + Name of the category under which application falls + - name: app_name + type: keyword + description: | + Application name + - name: app_filter_policy_id + type: keyword + description: | + Application filter policy ID applied on the traffic + - name: app_resolved_by + type: keyword + description: | + Application is resolved by signature or synchronized application + - name: app_risk + type: keyword + description: | + Risk level assigned to the application + - name: app_technology + type: keyword + description: | + Technology of the application + - name: con_event + type: keyword + description: | + Event Start/Stop + - name: fw_rule_type + type: keyword + description: | + Firewall rule type which is applied on the traffic + - name: hb_status + type: keyword + description: | + Heartbeat status + - name: log_version + type: keyword + description: | + Log Version + - name: nat_rule_id + type: keyword + description: | + NAT Rule ID + - name: qualifier + type: keyword + description: | + Qualifier + - name: web_policy_id + type: keyword + description: | + Web policy ID + - name: content_type + type: keyword + description: | + Type of the content + - name: http_category + type: keyword + description: | + HTTP Category + - name: http_category_type + type: keyword + description: | + HTTP Category Type + - name: used_quota + type: keyword + description: | + Used Quota + - name: lease_time + type: keyword + description: | + Lease Time + - name: reported_host + type: keyword + description: | + Reported Host + - name: reported_ip + type: keyword + description: | + Reported IP + - name: dst_zone_type + type: keyword + description: | + Type of destination zone + - name: src_zone_type + type: keyword + description: | + Type of source zone - name: log.source.address type: keyword ignore_above: 1024 
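Review bot: `reported_ip` is added as `type: keyword` although the existing `remote_ip` sibling (visible in the README context as type `ip`) is mapped as `ip`; if the value is an address, `type: ip` gives CIDR queries and consistent dashboards, and a keyword mapping silently loses that. The same hunk types `app_filter_policy_id`, `nat_rule_id` and `web_policy_id` as `keyword` while the existing `appfilter_policy_id`, `fw_rule_id` and `ips_policy_id` are `integer`; either is defensible, but the choice should be made once and noted, e.g. `# IDs kept as keyword: newer log format emits non-numeric values` above the first of them. Several descriptions (`Qualifier`, `Used Quota`, `Log Version`, `Reported Host`) only restate the field name and would benefit from one clause on what the value contains.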
diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md index cc5dd53d1de..88e9b8e8b44 100644 --- a/packages/sophos/docs/README.md +++ b/packages/sophos/docs/README.md 
@@ -946,12 +946,29 @@ An example event for `xg` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | | client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | | client.ip | IP address of the client (IPv4 or IPv6). | ip | | client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. 
| ip | | client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | | client.packets | Packets sent from the client to the server. | long | | client.port | Port of the client. | long | +| client.user.email | User email address. | keyword | +| client.user.group.name | Name of the group. | keyword | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | @@ -1052,6 +1069,7 @@ An example event for `xg` looks as following: | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | observer.egress.interface.name | Interface name as reported by the system. | keyword | | observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | | observer.ingress.interface.name | Interface name as reported by the system. | keyword | | observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | | observer.product | The product name of the observer. | keyword | 
@@ -1066,12 +1084,25 @@ An example event for `xg` looks as following: | rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | | rule.name | The name of the rule or signature generating the event. | keyword | | rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| server.as.organization.name | Organization name. | keyword | +| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | | server.bytes | Bytes sent from the server to the client. | long | +| server.geo.city_name | City name. | keyword | +| server.geo.continent_name | Name of the continent. | keyword | +| server.geo.country_iso_code | Country ISO code. | keyword | +| server.geo.country_name | Country name. | keyword | +| server.geo.location | Longitude and latitude. | geo_point | +| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| server.geo.region_iso_code | Region ISO code. | keyword | +| server.geo.region_name | Region name. | keyword | | server.ip | IP address of the server (IPv4 or IPv6). | ip | | server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| server.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | | server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | | server.packets | Packets sent from the server to the client. | long | | server.port | Port of the server. | long | +| server.user.email | User email address. | keyword | | sophos.xg.Configuration | Configuration | float | | sophos.xg.FTP_direction | Direction of FTP transfer: Upload or Download | keyword | | sophos.xg.FTP_url | FTP URL from which virus was downloaded | keyword | @@ -1084,7 +1115,13 @@ An example event for `xg` looks as following: | sophos.xg.action | Event Action | keyword | | sophos.xg.activityname | Web policy activity that matched and caused the policy result. | keyword | | sophos.xg.ap | ap | keyword | +| sophos.xg.app_category | Name of the category under which application falls | keyword | +| sophos.xg.app_filter_policy_id | Application filter policy ID applied on the traffic | keyword | | sophos.xg.app_is_cloud | Application is Cloud | keyword | +| sophos.xg.app_name | Application name | keyword | +| sophos.xg.app_resolved_by | Application is resolved by signature or synchronized application | keyword | +| sophos.xg.app_risk | Risk level assigned to the application | keyword | +| sophos.xg.app_technology | Technology of the application | keyword | | sophos.xg.appfilter_policy_id | Application Filter policy applied on the traffic | integer | | sophos.xg.application | Application name | keyword | | sophos.xg.application_category | Application is resolved by signature or synchronized application | keyword | 
@@ -1105,12 +1142,14 @@ An example event for `xg` looks as following: | sophos.xg.client_physical_address | Client physical address | keyword | | sophos.xg.clients_conn_ssid | clients connection ssid | keyword | | sophos.xg.collisions | collisions | long | +| sophos.xg.con_event | Event Start/Stop | keyword | | sophos.xg.con_id | Unique identifier of connection | integer | | sophos.xg.conn_id | Unique identifier of connection | integer | | sophos.xg.connectionname | Connectionname | keyword | | sophos.xg.connectiontype | Connectiontype | keyword | | sophos.xg.connevent | Event on which this log is generated | keyword | | sophos.xg.connid | Connection ID | keyword | +| sophos.xg.content_type | Type of the content | keyword | | sophos.xg.contenttype | Type of the content | keyword | | sophos.xg.context_match | Context Match | keyword | | sophos.xg.context_prefix | Content Prefix | keyword | @@ -1120,6 +1159,7 @@ An example event for `xg` looks as following: | sophos.xg.destinationip | Original destination IP address of traffic | ip | | sophos.xg.device | device | keyword | | sophos.xg.device_id | Serial number of the device | keyword | +| sophos.xg.device_model | Model number of the device | keyword | | sophos.xg.device_name | Model number of the device | keyword | | sophos.xg.dictionary_name | Dictionary Name | keyword | | sophos.xg.dir_disp | TPacket direction. Possible values:“org”, “reply”, “” | keyword | 
@@ -1131,9 +1171,8 @@ An example event for `xg` looks as following: | sophos.xg.dst_domainname | Receiver domain name | keyword | | sophos.xg.dst_ip | Original destination IP address of traffic | ip | | sophos.xg.dst_port | Original destination port of TCP and UDP traffic | integer | +| sophos.xg.dst_zone_type | Type of destination zone | keyword | | sophos.xg.dstdomain | Destination Domain | keyword | -| sophos.xg.dstzone | Name of destination zone | keyword | -| sophos.xg.dstzonetype | Type of destination zone, e.g., WAN | keyword | | sophos.xg.duration | Durability of traffic (seconds) | long | | sophos.xg.email_subject | Email Subject | keyword | | sophos.xg.ep_uuid | Endpoint UUID | keyword | @@ -1154,8 +1193,12 @@ An example event for `xg` looks as following: | sophos.xg.from_email_address | Sender email address | keyword | | sophos.xg.ftpcommand | FTP command used when virus was found | keyword | | sophos.xg.fw_rule_id | Firewall Rule ID which is applied on the traffic | integer | +| sophos.xg.fw_rule_type | Firewall rule type which is applied on the traffic | keyword | | sophos.xg.hb_health | Heartbeat status | keyword | +| sophos.xg.hb_status | Heartbeat status | keyword | | sophos.xg.host | Host | keyword | +| sophos.xg.http_category | HTTP Category | keyword | +| sophos.xg.http_category_type | HTTP Category Type | keyword | | sophos.xg.httpresponsecode | code of HTTP response | long | | sophos.xg.iap | Internet Access policy ID applied on the traffic | keyword | | sophos.xg.icmp_code | ICMP code of ICMP traffic | keyword | 
@@ -1167,17 +1210,20 @@ An example event for `xg` looks as following: | sophos.xg.interface | interface | keyword | | sophos.xg.ipaddress | Ipaddress | keyword | | sophos.xg.ips_policy_id | IPS policy ID applied on the traffic | integer | +| sophos.xg.lease_time | Lease Time | keyword | | sophos.xg.localgateway | Localgateway | keyword | | sophos.xg.localnetwork | Localnetwork | keyword | | sophos.xg.log_component | Component responsible for logging e.g. Firewall rule | keyword | | sophos.xg.log_id | Unique 12 characters code (0101011) | keyword | | sophos.xg.log_subtype | Sub type of event | keyword | | sophos.xg.log_type | Type of event e.g. firewall event | keyword | +| sophos.xg.log_version | Log Version | keyword | | sophos.xg.login_user | ATP login user | keyword | | sophos.xg.mailid | mailid | keyword | | sophos.xg.mailsize | mailsize | integer | | sophos.xg.message | Message | keyword | | sophos.xg.message_id | Message ID | keyword | +| sophos.xg.nat_rule_id | NAT Rule ID | keyword | | sophos.xg.newversion | Newversion | keyword | | sophos.xg.oldversion | Oldversion | keyword | | sophos.xg.out_interface | Interface for outgoing traffic, e.g., Port B | keyword | @@ -1188,6 +1234,7 @@ An example event for `xg` looks as following: | sophos.xg.policy_type | Policy type applied to the traffic | keyword | | sophos.xg.priority | Severity level of traffic | keyword | | sophos.xg.protocol | Protocol number of traffic | keyword | +| sophos.xg.qualifier | Qualifier | keyword | | sophos.xg.quarantine | Path and filename of the file quarantined | keyword | | sophos.xg.quarantine_reason | Quarantine reason | keyword | | sophos.xg.querystring | querystring | keyword | 
@@ -1202,6 +1249,8 @@ An example event for `xg` looks as following: | sophos.xg.referer | Referer | keyword | | sophos.xg.remote_ip | Remote IP | ip | | sophos.xg.remotenetwork | remotenetwork | keyword | +| sophos.xg.reported_host | Reported Host | keyword | +| sophos.xg.reported_ip | Reported IP | keyword | | sophos.xg.responsetime | Responsetime | long | | sophos.xg.rule_priority | Priority of IPS policy | keyword | | sophos.xg.sent_bytes | Total number of bytes sent | long | @@ -1221,8 +1270,7 @@ An example event for `xg` looks as following: | sophos.xg.src_ip | Original source IP address of traffic | ip | | sophos.xg.src_mac | Original source MAC address of traffic | keyword | | sophos.xg.src_port | Original source port of TCP and UDP traffic | integer | -| sophos.xg.srczone | Name of source zone | keyword | -| sophos.xg.srczonetype | Type of source zone, e.g., LAN | keyword | +| sophos.xg.src_zone_type | Type of source zone | keyword | | sophos.xg.ssid | ssid | keyword | | sophos.xg.start_time | Start time | date | | sophos.xg.starttime | Starttime | date | @@ -1252,6 +1300,7 @@ An example event for `xg` looks as following: | sophos.xg.upload_file_type | Upload file type | keyword | | sophos.xg.url | URL from which virus was downloaded | keyword | | sophos.xg.used | used | integer | +| sophos.xg.used_quota | Used Quota | keyword | | sophos.xg.user | User | keyword | | sophos.xg.user_cpu | system | float | | sophos.xg.user_gp | Group name to which the user belongs. | keyword | 
@@ -1260,6 +1309,7 @@ An example event for `xg` looks as following: | sophos.xg.users | users | keyword | | sophos.xg.vconn_id | Connection ID of the master connection | integer | | sophos.xg.virus | virus name | keyword | +| sophos.xg.web_policy_id | Web policy ID | keyword | | sophos.xg.website | Website | keyword | | sophos.xg.xss | related XSS caught by the WAF | keyword | | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml index 3a89e018082..d6c7c8cb12d 100644 --- a/packages/sophos/manifest.yml +++ b/packages/sophos/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: sophos title: Sophos Logs -version: 1.2.2 +version: 1.2.3 description: Collect and parse logs from Sophos Products with Elastic Agent. categories: ["security"] release: ga